Discussion:
Re: SSL v3 support / poodle
Wimmer Christian
2014-10-15 12:26:02 UTC
Sadly, there is no "Option DisableSSLv3". So I guess we are stuck with this vulnerability until we get a new ezproxy version which, hopefully, contains an option to disable SSLv3 somehow.


--
Christian Wimmer
Ludwig-Maximilians-Universität München
University Library
IT-Department

Geschwister-Scholl-Platz 1, 80359 München, Germany
Phone: +49 89 2180-6141
Email: ***@ub.uni-muenchen.de




-----Original Message-----
From: Julien Savoie [mailto:***@usainteanne.ca]
Sent: Wednesday, 15 October 2014 08:39
To: EZProxy discussion list
Subject: [ezproxy] SSL v3 support / poodle

Worth mentioning that ezproxy by default has SSLv3 support and is impacted by http://www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability/

We've been running ezproxy with:
SSLCipherSuite HIGH:RC4-SHA:!ADH:!aNULL

$ sslscan proxy:2443 | grep Accepted
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits RC4-SHA

So now would be a good time to turn off SSLv3 in ezproxy. Unfortunately adding !SSLv3 or -SSLv3 seems to disable ALL of the available ciphers.


---
You are currently subscribed to ezproxy as: ***@ub.uni-muenchen.de.
To unsubscribe, send request to ***@itec.suny.edu
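
Added example (not part of the original messages and not EZProxy code): a Python check over the sslscan output quoted above, comparing the suites accepted under SSLv3 with those accepted under TLSv1 to show why a cipher-list exclusion cannot separate the two. The function names are hypothetical; the input is the scan output from the post.

```python
import re
from collections import defaultdict

# sslscan "Accepted" lines exactly as quoted in the post above.
SCAN = """\
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits RC4-SHA
"""

# Matches the line layout shown in the post: status, protocol, key bits, suite.
ACCEPTED = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")

def parse_accepted(text):
    """Return {protocol: set of cipher suite names} for accepted suites."""
    by_proto = defaultdict(set)
    for line in text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            by_proto[m.group(1)].add(m.group(3))
    return dict(by_proto)

def assess(by_proto):
    """Compare the SSLv3 suite set with the suites accepted under TLS."""
    ssl3 = by_proto.get("SSLv3", set())
    tls = set().union(*(s for p, s in by_proto.items() if p != "SSLv3"))
    return {
        "sslv3_enabled": bool(ssl3),
        "shared_with_tls": sorted(ssl3 & tls),  # usable under both protocols
        "sslv3_only": sorted(ssl3 - tls),       # removable without touching TLS
        "tls_only": sorted(tls - ssl3),         # what survives dropping SSLv3 suites
    }

if __name__ == "__main__":
    for key, value in assess(parse_accepted(SCAN)).items():
        print(f"{key}: {value}")
```

On this scan `tls_only` is empty: excluding the suites that SSLv3 accepts leaves TLSv1 with nothing, so SSLv3 has to be turned off at the protocol level rather than through the cipher list.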

