How can I tell if my website is vulnerable to CVE-2014-3566 (POODLE)?
Google announced a vulnerability in the SSLv3 protocol that
... allows the plaintext of secure connections to be calculated by a network attacker.
This vulnerability has been given the designation CVE-2014-3566 and the marketing name POODLE.
If I have a website at `https://www.example.com/, how can I tell if this vulnerability affects me?
SSLv3 is Broken
With the advent of POODLE, all the cipher suites used by SSLv3 have been compromised, and the protocol should be considered irreparably broken.
Websites
You can check if your website is available over SSLv3 with curl(1)
:
curl -v -3 -X HEAD https://www.example.com
The -v
argument turns on verbose output, -3
forces curl to use SSLv3, and the -X HEAD
limits the output on a successful connection.
If you are not vulnerable, you should not be able to connect, and your output should look something like this:
* SSL peer handshake failed, the server most likely requires a client certificate to connect
If you are vulnerable, you should see normal connection output, including the line:
* SSL 3.0 connection using SSL_NULL_WITH_NULL_NULL
Other Services
It's not just websites that are available over SSL. Mail, irc, and LDAP are three examples of services available via secured connections, and are similarly vulnerable to POODLE when they accept SSLv3 connections.
To connect to a service using SSLv3, you can use the openssl(1)
s_client(1)
command:
openssl s_client -connect imap.example.com:993 -ssl3 < /dev/null
The -connect
argument takes a hostname:port
parameter, the -ssl3
argument limits the protocol versions negotiated to SSLv3, and piping in /dev/null
to STDIN
immediately terminates the connection after opening it.
If you connect successfully, SSLv3 is enabled; if you get a ssl handshake failure
then it is not.
See Also
There is an excellent question and answer on the Security SE: https://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability
If you want to do a quick check, head on to the URL below. It does a pretty good job keeping up with all things SSL, including checking for POODLE.
https://www.ssllabs.com/ssltest/