Tuesday, 13 January 2015

Check SSLv3 in Apache Tomcat locally as well as on server on Windows/Linux



I have given my website for testing. After testing, they have sent me a test report with details that the site has a security issue, SSLv3 POODLE information disclosure, and that SSLv3 should be disabled to avoid the vulnerability. This is the issue they have reported:


" It determined that the remote server supports SSLv3 with at least one CBC cipher suite, indicating that this server is vulnerable. It appears that TLSv1 or newer is supported on the server. However, the Fallback SCSV mechanism is not supported, allowing connections to be "rolled back" to SSLv3 "


SSL Version : SSLv3
High Strength Ciphers (>= 112-bit key)
EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1
DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1


I read somewhere on a site that you can check whether SSLv3 is disabled for a site using


openssl s_client -connect example.com:443 -ssl3


I tried the same command but I always got "routines:SSL3_READ_BYTES:sslv3 alert handshake failure".


This means SSLv3 is disabled, right? If it were disabled, then they would not have reported this issue.


How can I replicate this issue? How can I disable SSLv3 like they said?


Any help or guidance would be appreciated.
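
The scanner finding quoted in the post rests on SSLv3 being offered together with CBC cipher suites. As an added example (not part of the original post), this Python snippet parses the cipher listing quoted in the post and names the suites that trigger the finding; the function names are hypothetical and the parser assumes the `Kx=/Au=/Enc=/Mac=` layout shown in the report.

```python
import re

# Cipher listing copied from the test report quoted in the post.
REPORT = (
    "SSL Version : SSLv3 High Strength Ciphers (>= 112-bit key) "
    "EDH-RSA-DES-CBC3-SHA Kx=DH Au=RSA Enc=3DES-CBC(168) Mac=SHA1 "
    "DHE-RSA-AES128-SHA Kx=DH Au=RSA Enc=AES-CBC(128) Mac=SHA1"
)

VERSION_RE = re.compile(r"SSL Version\s*:\s*(?P<version>\S+)")
# One suite entry: NAME Kx=<kex> Au=<auth> Enc=<cipher>(<bits>) Mac=<mac>
SUITE_RE = re.compile(
    r"(?P<name>[A-Z0-9-]+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
)


def parse_report(text):
    """Return (protocol_version, [suite dicts]) from a scanner cipher listing."""
    m = VERSION_RE.search(text)
    version = m.group("version") if m else None
    suites = []
    for s in SUITE_RE.finditer(text):
        entry = s.groupdict()
        entry["bits"] = int(entry["bits"])
        suites.append(entry)
    return version, suites


def poodle_suites(text):
    """Names of suites matching the report's condition: SSLv3 plus a CBC cipher."""
    version, suites = parse_report(text)
    if version != "SSLv3":
        return []  # the quoted finding is specific to SSLv3
    return [s["name"] for s in suites if "CBC" in s["enc"].upper()]


if __name__ == "__main__":
    version, suites = parse_report(REPORT)
    print("protocol:", version)
    for s in suites:
        print(f"  {s['name']}: enc={s['enc']} bits={s['bits']} mac={s['mac']}")
    print("suites behind the finding:", poodle_suites(REPORT))
```
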




