Questions tagged [poodle-attack]
The POODLE (short for "Padding Oracle On Downgraded Legacy Encryption") attack is a man-in-the-middle exploit which takes advantage of web browsers' fallback to SSL 3.0.
                                	
74 questions
        
        
    99 votes, 16 answers, 357k views
        
    The client and server cannot communicate, because they do not possess a common algorithm - ASP.NET C# VB Visual Basic IIS TLS 1.0 / 1.1 / 1.2
                I have an issue with a C# PayTrace Gateway. The below code was working fine until yesterday when I believe they turned off SSL3 due to the Poodle Exploit. When running the code below we got the ...
            
        
       
    
    82 votes, 3 answers, 142k views
        
    Which versions of SSL/TLS does System.Net.WebRequest support?
                Now that SSL 3 has been found to be vulnerable to the POODLE attack:  
Which versions of SSL/TLS does System.Net.WebRequest use when connecting to any https Uri?
I use WebRequest to connect to ...
            
        
       
    
    21 votes, 1 answer, 76k views
        
    Will SSLContext.getInstance("TLS") supports TLS v1.1 and TLS v1.2 also?
                In my Java code I am creating one instance of SSL Context using the command
SSLContext ctx = SSLContext.getInstance("TLS");
But in my Tomcat server I am setting TLSv1.2 and I am getting a handshake error.
...
            
        
       
    
    19 votes, 8 answers, 44k views
        
    How to disable SSLv3 in android for HttpsUrlConnection?
                We wrote a client application in Android which connects with https servers using HttpsUrlConnection APIs. Due to the Poodle vulnerability, we need to disable SSLv3 from the list of enabled protocols while ...
            
        
       
    
    16 votes, 4 answers, 39k views
        
    Java http clients and POODLE
                Regarding the POODLE vulnerability, if I understand it correctly, it requires a client that automatically downgrades TLS protocol to SSLv3 when failing to establish a secure channel with a server ...
            
        
       
    
    16 votes, 6 answers, 29k views
        
    Disable SSL as a protocol in HttpsURLConnection
                Due to the POODLE vulnerability, my server, hosted in Amazon AWS, no longer supports SSLv3.
As a result, the first HTTPS connection my Android app does against the server results in an error when ...
            
        
       
    
    14 votes, 4 answers, 52k views
        
    How to enable SSL 3 in Java
                Since Java 8 Update 31 the SSL 3 protocol is disabled by default due to security flaws in the SSL Protocol (see POODLE attack).
Even if not recommended, how can it be enabled?
            
        
       
    
    9 votes, 1 answer, 26k views
        
    C# Enforcing HttpWebRequest to use Tls12 instead of SSLv3
                I have an app that makes use of some web service and acquires data via JSON. All was working fine for quite a long time, up until the latest discoveries about SSLv3 being vulnerable to man-in-the-middle attacks ...
            
        
       
    
    7 votes, 4 answers, 18k views
        
    Is it possible to disable SSLv3 for all Java applications?
                Because of the Poodle attack it is now recommended to disable SSLv3 for client and server applications and only allow TLS 1.0 - TLS 1.2 connections.
Is there a way to disable SSLv3 for all Java based ...
            
        
       
    
    6 votes, 1 answer, 7k views
        
    How would i support multiple version of TLS on client side?
                Hi, I want to support multiple versions of TLS using the SSLV23 method on the client side. But I am not able to connect, getting error:
  SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Can anyone ...
            
        
       
    
    5 votes, 2 answers, 7k views
        
    What version of SSL/TLS does System.Web.Services.Protocols.SoapHttpClientProtocol use?
                Now that SSL 3 has been found to be vulnerable to the POODLE attack:
What version of SSL/TLS does System.Web.Services.Protocols.SoapHttpClientProtocol use when connecting to any https Uri?
I use ...
            
        
       
    
    4 votes, 1 answer, 2k views
        
    Dropwizard TLS and SSL: deactivate SSLv3
                Does someone know how to deactivate SSLv3? Does someone know if DW supports SSLv3 or how I can check what is supported by DW 0.7.1?
            
        
       
    
    4 votes, 1 answer, 6k views
        
    Change ssl version with Net::HTTP and Ruby 1.8.7
                One of my legacy Ruby applications still uses Ruby 1.8.7. It makes a lot of HTTP requests on third-party web services and some of them are over SSL.
Those third-party services are dropping their ...
            
        
       
    
    4 votes, 2 answers, 2k views
        
    Intermittent SSL/TLS error using Azure SDK in Azure Website
                I have an ASP.NET MVC website running .NET 4.5 in an Azure Website and I keep getting this error trying to retrieve or upload assets into Azure Blob Storage using the Azure SDK (version 4.3.0).
  The ...
            
        
       
    
    4 votes, 1 answer, 438 views
        
    POODLE and efficiency of proposed TLS_FALLBACK_SCSV flag
                Based on Recommendations in the original research:
https://www.openssl.org/~bodo/ssl-poodle.pdf
If man-in-the-middle (MITM) intercepts communication, assuming client's "Hello" with ciphers ...
            
        
       
    
    3 votes, 1 answer, 9k views
        
    How to overcome the git error `Unknown SSL protocol error in connection`
                I'm trying to git clone some repository, but then I get the error:
$ git clone --recursive https://some-url.git
Cloning into 'project'...
fatal: unable to access 'https://https://some-url.git/': ...
            
        
       
    
    3 votes, 0 answers, 255 views
        
    Facebook login not working - Graph User is always null and Failure in SSL Library
                I have an application that has already been launched to the play store, Facebook login works fine, but the client has requested for changes. Changes have been made, now we are testing the application ...
            
        
       
    
    2 votes, 1 answer, 23k views
        
    How to disable SSLv3 in Apache on Windows installed by Xampp
                I'm attempting to disable SSLv3 in Apache which I've installed on Windows via xampp. But I'm having trouble figuring out how. I was told that I needed to add
SSLProtocol All -SSLv2 -SSLv3
To my ssl ...
            
        
       
    
    2 votes, 1 answer, 572 views
        
    WCF service and POODLE attacks
                In my application I am using WCF services that use NetTcpBindings and are configured for both message and transport security (protection level set to EncryptAndSign). The services are hosted as ...
            
        
       
    
    2 votes, 1 answer, 1k views
        
    Tomcat APR connector and POODLE
                I have a couple of production servers running Tomcat 7.0 with an APR+SSL connector and because of the recent POODLE attack I was asked to disable SSLv3 completely in some of these servers. I dig ...
            
        
       
    
    2 votes, 1 answer, 547 views
        
    An API service I use is disabling SSL 3.0 because of the POODLE exploit. If I use HttpClient and HttpRequestMessage do I need to change my code?
                Say I do typical stuff like this:
HttpRequestMessage requestMessage = new HttpRequestMessage();
requestMessage.RequestUri = new Uri("https://api.site.com/");
HttpClient httpClient = new HttpClient();
...
            
        
       
    
    2 votes, 1 answer, 379 views
        
    WinRT (Windows Store Apps) enforcing to use Tls12 instead of SSLv3
                As SSLv3 has been found to be vulnerable to the POODLE attack.
I am using Windows.Web.Http.HttpClient class to communicate with server
and wanted to disable security protocol SSLv3 from client ...
            
        
       
    
    2 votes, 0 answers, 2k views
        
    Forcing a .NET 4.0 website to use TLS 1.1 or 1.2 from C#
                I have a website which communicates with an API which shuts down connections that use anything below TLS 1.1 due to various security vulnerabilities such as POODLE.
The website is compiled using .NET ...
            
        
       
    
    2 votes, 0 answers, 90 views
        
    iOS RestKit disable sslv3 client-side
                I have disabled the sslv3 on the server side but I want to make sure if I can do something from the client side (iOS app).
I'm using this library in my project: https://github.com/RestKit/RestKit
I ...
            
        
       
    
    2 votes, 0 answers, 85 views
        
    How to disable SSL v3 for sun os 5.6 (OAS 4.0.8), I am facing POODLE vulnerability issue?
                My website is hosted on Sun OS 5.06 (OAS 4.0.8) and using web server: Oracle_Web_Listener/4.0.8. The website is configured to use https for secure pages and it was working fine for the last 10 years but ...
            
        
       
    
    2 votes, 0 answers, 5k views
        
    SSL_HANDSHAKE Error Domino TLS Outgoing
                We have 5 customers running the same WebService from Domino.
This weekend we updated the customers' servers with Domino 9.01. FP2 and the Poodle fixpack to be able to run TLS 1.0 incoming and outgoing.
...
            
        
       
    
    2 votes, 2 answers, 568 views
        
    Detecting SSL3 in Browser using Javascript
                Working on the latest SSL3 vulnerability (POODLE) and wondering if you can detect if the browser viewing the website has SSL3 enabled in their settings and if so prompt them with a message.
            
        
       
    
    1 vote, 2 answers, 1k views
        
    ActiveMerchant Poodle patch for PayPal
                I'm using Rails 3, ActiveMerchant 1.5.1 gem, and PayPal express. Since recently I can't get my payments work through PayPal, continue to receive this error
OpenSSL::SSL::SSLError: SSL_connect ...
            
        
       
    
    1 vote, 1 answer, 2k views
        
    Yet another Paypal Curl / SSL v3 Handshake Error - SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
                I know there are a number of people asking this question, but none of the solutions I've read to date have worked for me.
A site with a Paypal IPN listener fails in the curl postback. Curl Error: ...
            
        
       
    
    1 vote, 1 answer, 36k views
        
    SSL Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number error when disabling ssl and enabling TLS
                I am trying to disable SSL on my tomcat and trying to send request for my app on TLS Port but I am getting the following Error:
Failure in POSTing request to Manager: [SSL Error: error:1408F10B:SSL ...
            
        
       
    
    1 vote, 1 answer, 215 views
        
    Can I turn off SSLv3.0 in NancyFX? (POODLE)
                I'm running a web app with a C# backend on self-hosting NancyFX. I have tried googling, but I really cannot find any information on whether it is possible to turn off SSL 3 in Nancy.
Is it possible, ...
            
        
       
    
    1 vote, 1 answer, 864 views
        
    How can I disable SSL3 on DB2?
                Is there a way to make DB2 not accept SSL3?
I'm trying to secure a couple of DB2 databases I have on a couple of servers against the POODLE attack. I know you can do this through the Operating System ...
            
        
       
    
    1 vote, 1 answer, 177 views
        
    Apache Mina x Poodle bug
                How do I disable ssl v3 support in apache mina SslFilter?
https://mina.apache.org/
            
        
       
    
    1 vote, 1 answer, 404 views
        
    How do I disable SSLv3 in Thin?
                Is there a way to prevent Thin from accepting requests using SSLv3?
I cannot find any resources on how to deal with Poodle for a Thin server running with SSL. I don't want to move thin behind nginx ...
            
        
       
    
    1 vote, 1 answer, 536 views
        
    Chrome (44 version) not working with self signed certificate
                I am using a self-signed certificate for localhost in my web application. Recently I updated Apache to 2.2.29 and OpenSSL to 1.0.1m as recommended and disabled SSLv3 and v2 for security.
After this ...
            
        
       
    
    1 vote, 1 answer, 1k views
        
    How to Check if a WPF based Thick Client application uses Transport Layer Security(TLS) or not
                We have a Windows based Desktop Thick Client App with front end built over WPF+Telerik and backend communication using WCF Web Services.
Right now the communication is happening over SSL3.0
Due to ...
            
        
       
    
    1 vote, 1 answer, 749 views
        
    Is JBoss 7.1 is vulnerable to POODLE: SSLv3 vulnerability (CVE-2014-3566) in Windows
                We are using JBoss 7.1 in our application on Windows platform.
Is this particular version of JBoss vulnerable to POODLE??
            
        
       
    
    1 vote, 1 answer, 813 views
        
    IIS Disable SSLv3 - Does it impact outgoing requests?
                I've seen descriptions elsewhere about modifying the registry to have IIS disable SSLv3. But, it isn't clear to me if this will impact both incoming requests to the server as well as outgoing requests....
            
        
       
    
    1 vote, 1 answer, 4k views
        
    Oracle HTTP Server (OHS) Apache 2.2.13 Poodle SSLv3 Fix?
                I applied the POODLE fix for apache via "SSLProtocol All -SSLv2 -SSLv3" in the ssl.conf file for our apache server but am having issues with the CAC Client authentication via "SSLVerifyClient require"....
            
        
       
    
    1 vote, 2 answers, 778 views
        
    Poodle config for Tomcat 7 blocks IE8 on XP
                I have configured our Tomcat 7 (jdk 7) server to only accept TLS (1, 1.1 & 1.2) protocols, to address POODLE. I have also disabled all DH cipher suites to achieve PCI DSS compliance. 
...
            
        
       
    
    1 vote, 2 answers, 373 views
        
    Rails omniauth facebook SSL handshake failure
                My app has been running fine for months, and all of a sudden logging in just doesn't work, i get this:
2014-10-18T18:09:33.971670+00:00 app[web.1]: Faraday::SSLError (SSL_connect returned=1 errno=0 ...
            
        
       
    
    1 vote, 0 answers, 82 views
        
    POODLE kills tomcat
                We have a web app running on Apache tomcat 7.0.56 on windows, and we are using IE to access it. Tomcat is running secured over HTTPS
On one system, after running our app and closing IE, when we ...
            
        
       
    
    1 vote, 1 answer, 4k views
        
    How to disable SSL in IBM Websphere 6 and its impact?
                Considering the POODLE attack, I want to disable SSLv3 in my web app deployed on IBM WebSphere 6. There are a few concerns I can't address:
1.  How to disable SSL and enable TLS in WAS 6.0 and 6.1?
...
            
        
       
    
    1 vote, 0 answers, 853 views
        
    enable TLS 1.0 in windows server 2008
                Our production server is running on Windows Server 2008 and currently has SSL 2.0 enabled. We are looking to migrate to TLS 1.0 protocol, we did find some help online as how to disable SSL and enable ...
            
        
       
    
    1 vote, 0 answers, 350 views
        
    Google Chrome 39 still refuses my SSL website despite I updated httpd-ssl.conf
                Here is my environment : Server RHEL 6.3, Apache 2.2.15 ,Tomcat 6, OpenSSL 1.0.0-fips 
In order to eliminate the Poodle vulnerability in Google Chrome 39, I’m trying since a couple of days to block ...
            
        
       
    
    1 vote, 0 answers, 540 views
        
    How to disable SSLv3 from openSSL 0.9.8zc
                I have a server with OpenSSL 0.9.8zc that browsers can access.
I'm trying to protect the server from the POODLE attack by disabling SSLv3 in OpenSSL.
The server is built in MSDEV 2005.
I've modified ...
            
        
       
    
    1 vote, 3 answers, 199 views
        
    Does Cast Iron legacy version 5 support TLS?
                I inherited a Cast Iron appliance which reports that it is version 5.0.1.5 - several years old and off support. 
This is mostly used to talk to Salesforce, who just sent us an email saying they are ...
            
        
       
    
    1 vote, 2 answers, 273 views
        
    Am I vulnerable to POODLE / SSLv3 enabled test
                So this is a relatively new problem.
My website is running on an Apache2 server deployed on an OPENSuse 10 Enterprise. As far as I've read there is a simple command line test:
 openssl s_client -...
            
        
       
    
    1 vote, 0 answers, 157 views
        
    PHP SoapClient and Poodle?
                I see that there is a SOAP_SSL_METHOD parameter in the SoapClient, but the details on what it does and how it does it are not as specific. There is a comment on the PHP documentation that the ...
            
        
       
    
    1 vote, 0 answers, 337 views
        
    Disable SSLv3 in Openfire
                How do you disable the SSLv3 protocol in Openfire and make it use only TLS?
I am using Openfire version 3.8.2. Are there any changes related to Jetty?