In my server application using OpenSSL, to prevent the poodle attack, I added an option to fully allow/prevent SSL3 protocol.
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); //Prevent SSLv2
SSL_CTX_set_options(ctx,SSL_OP_NO_SSLv3); // Prevent SSL3
The allowing of SSL3 was done to inter-op with those clients which doesn't support TLS.
There is a way to be immune to POODLE attack with SSLv3. Disallow CBC-mode cipher suites in SSLv3.
Now,if I disable CBC-mode ciphers from my application, it affects TLS as well (Have one for one Server Interface). Is there a way I can disallow CBC-mode cipher only on SSL3 connections but use them for TLS connections?
Aucun commentaire:
Enregistrer un commentaire