New SSL Vulnerability Called POODLE (CVE-2014-3566)

Discussion in 'Masalah Teknik dan Keamanan' started by junior riau, 16 Oct 2014.

Thread Status:
Not open for further replies.
  1. junior riau

    junior riau Hosting Guru Web Hosting

  2. farid

    farid Beginner 2.0

    Thank you, Sir.
  3. mnordins

    mnordins Apprentice 1.0

    Hm... yes... going by several outside references... it can be secured... turn off the SSL v2 and v3 ciphers, just use TLS... https://www.openssl.org/docs/apps/ciphers.html
    And don't install ciphers with low-strength encryption... (at my place the minimum cipher encryption is 128, anything below that... I don't use)

    Use https://www.ssllabs.com/ssltest/ to test SSL, the results are fairly complete... it shows which ciphers are in use as well as SSL cipher compatibility with browsers.
     
  4. mustafaramadhan

    mustafaramadhan Hosting Guru

    The latest Kloxo-MR 7 update has already disabled SSLv2 and SSLv3 for all web services. As a result, it's 'goodbye' to IE 6.
     
  5. junior riau

    junior riau Hosting Guru Web Hosting

    I patched 2 cPanel servers
    using this


    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+
    SSLHonorCipherOrder on

    1 succeeded, the other one still has the vuln on version 3
    why is that?
     
  6. galuh82

    galuh82 Hosting Guru Web Hosting (Company)

  7. junior riau

    junior riau Hosting Guru Web Hosting

    here's the output


    [~]# openssl s_client -connect zeus.xxx-xxxxx.net:443 -ssl3
    CONNECTED(00000003)
    140026379335496:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
    140026379335496:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : SSLv3
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1413550255
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
    ---

    still vulnerable according to poodlescan
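Added example, not code from the thread: a small Python probe that sends a raw SSLv3 ClientHello and classifies the reply, which is the same check `openssl s_client -ssl3` performs against the server in the output above. A fatal alert 40 (the 7-byte record that output reports as "read 7 bytes ... SSL alert number 40") means SSLv3 is off; a ServerHello at version 3.0 means it is still accepted. The host name is a placeholder and the sample replies are constructed.

```python
import socket
import struct

# SSLv3 record-layer constants (version 3.0, RFC 6101)
SSLV3 = b"\x03\x00"
RECORD_ALERT, RECORD_HANDSHAKE = 0x15, 0x16
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}

def build_sslv3_client_hello(cipher_suites=(0x002F, 0x0035, 0x000A)):
    """Minimal SSLv3 ClientHello offering AES128-SHA, AES256-SHA, DES-CBC3-SHA."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (SSLV3 + bytes(32)                  # client_version + 32-byte random (zeros, constructed)
            + b"\x00"                          # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                     # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return struct.pack("!BBBH", RECORD_HANDSHAKE, 3, 0, len(handshake)) + handshake

def classify_response(data):
    """Classify the first record a server returns for the SSLv3 ClientHello."""
    if len(data) < 5:
        return "SSLv3 rejected: connection closed without a record"
    ctype, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if ctype == RECORD_ALERT and len(data) >= 7:
        desc = data[6]                         # data[5] is the alert level (2 = fatal)
        return "SSLv3 rejected: alert %d (%s)" % (desc, ALERT_NAMES.get(desc, "other"))
    if ctype == RECORD_HANDSHAKE and (major, minor) == (3, 0):
        return "SSLv3 ACCEPTED: ServerHello at version 3.0, POODLE exposure"
    return "unrecognised response: type %d, version %d.%d" % (ctype, major, minor)

def probe_sslv3(host, port=443, timeout=5):
    """Network check (not exercised offline): send the hello, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except socket.timeout:
            return "SSLv3 rejected: no reply before timeout"

# Constructed sample replies. SAMPLE_REJECT is the 7-byte fatal alert 40 that
# the openssl output in the thread reports ("read 7 bytes", "SSL alert number 40").
SAMPLE_REJECT = bytes([0x15, 0x03, 0x00, 0x00, 0x02, 0x02, 0x28])
SAMPLE_ACCEPT = (bytes([0x16, 0x03, 0x00, 0x00, 0x2A])          # record header
                 + b"\x02\x00\x00\x26" + SSLV3 + bytes(32)      # ServerHello, version 3.0
                 + b"\x00" + b"\x00\x2F" + b"\x00")             # no session id, AES128-SHA, null comp

if __name__ == "__main__":
    print(classify_response(SAMPLE_REJECT))
    print(classify_response(SAMPLE_ACCEPT))
    # probe_sslv3("zeus.example.invalid")  # placeholder host name, not a real target
```

Probing the public port tests whichever daemon actually terminates TLS there, so with nginx in front of Apache the nginx `ssl_protocols` setting is what the check sees, not the Apache `SSLProtocol` line.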
     
  8. galuh82

    galuh82 Hosting Guru Web Hosting (Company)

    poodlescan uses a cache .. I got tricked by it too even though it should have been OK already hahahah ..
     
  9. junior riau

    junior riau Hosting Guru Web Hosting

    oh, it uses a cache; so judging from the terminal result it's already OK?
    because that one uses an nginx proxy
     
  10. mnordins

    mnordins Apprentice 1.0

    @junior riau which web server was the one scanned through poodle using, bro? nginx or apache?

    These are the ciphers I use... nginx web server... :
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-ECDSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-ECDSA-AES256-GCM-SHA384
    • DHE-RSA-AES128-GCM-SHA256
    • DHE-DSS-AES128-GCM-SHA256
    • kEDH+AESGCM:ECDHE-RSA-AES128-SHA256
    • ECDHE-ECDSA-AES128-SHA256
    • ECDHE-RSA-AES128-SHA
    • ECDHE-ECDSA-AES128-SHA
    • ECDHE-RSA-AES256-SHA384
    • ECDHE-ECDSA-AES256-SHA384
    • ECDHE-RSA-AES256-SHA
    • ECDHE-ECDSA-AES256-SHA
    • DHE-RSA-AES128-SHA256
    • DHE-RSA-AES128-SHA
    • DHE-DSS-AES128-SHA256
    • DHE-RSA-AES256-SHA256
    • DHE-DSS-AES256-SHA
    • DHE-RSA-AES256-SHA
    • AES128-GCM-SHA256
    • AES256-GCM-SHA384
    • AES128-SHA
    • AES256-SHA
    • AES
    • CAMELLIA
    • DES-CBC3-SHA
    • !aNULL
    • !eNULL
    • !EXPORT
    • !DES
    • !RC4
    • !MD5
    • !PSK
    • !aECDH
    • !EDH-DSS-DES-CBC3-SHA
    • !EDH-RSA-DES-CBC3-SHA
    • !KRB5-DES-CBC3-SHA
    • !CAMELLIA
    Already tested on poodlescan... alhamdulillah it passed... ssllabs test grade A

    The nginx proxy should only handle the non-SSL traffic, bro... if you use nginxcp, that is... from what I saw in the output of top c when https was requested... it's apache that's active
     
    Last edited: 17 Oct 2014