How can I tell if my website is vulnerable to CVE-2014-3566 (POODLE)?

Google announced a vulnerability in the SSLv3 protocol that

... allows the plaintext of secure connections to be calculated by a network attacker.

This vulnerability has been given the designation CVE-2014-3566 and the marketing name POODLE.

If I have a website at `https://www.example.com/, how can I tell if this vulnerability affects me?


SSLv3 is Broken

With the advent of POODLE, all the cipher suites used by SSLv3 have been compromised, and the protocol should be considered irreparably broken.

Websites

You can check if your website is available over SSLv3 with curl(1):

curl -v -3 -X HEAD https://www.example.com

The -v argument turns on verbose output, -3 forces curl to use SSLv3, and the -X HEAD limits the output on a successful connection.

If you are not vulnerable, you should not be able to connect, and your output should look something like this:

* SSL peer handshake failed, the server most likely requires a client certificate to connect

If you are vulnerable, you should see normal connection output, including the line:

* SSL 3.0 connection using SSL_NULL_WITH_NULL_NULL

Other Services

It's not just websites that are available over SSL. Mail, irc, and LDAP are three examples of services available via secured connections, and are similarly vulnerable to POODLE when they accept SSLv3 connections.

To connect to a service using SSLv3, you can use the openssl(1) s_client(1) command:

openssl s_client -connect imap.example.com:993 -ssl3 < /dev/null

The -connect argument takes a hostname:port parameter, the -ssl3 argument limits the protocol versions negotiated to SSLv3, and piping in /dev/null to STDIN immediately terminates the connection after opening it.

If you connect successfully, SSLv3 is enabled; if you get a ssl handshake failure then it is not.

See Also

There is an excellent question and answer on the Security SE: https://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability


If you want to do a quick check, head on to the URL below. It does a pretty good job keeping up with all things SSL, including checking for POODLE.

https://www.ssllabs.com/ssltest/