[yocto] Truly scary SSL 3.0 vuln to be revealed soon:

Sona Sarmadi sona.sarmadi at enea.com
Tue Oct 14 23:48:59 PDT 2014


Hi guys,

Yesterday The Register published this:
http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/

and today following was published:
https://www.openssl.org/~bodo/ssl-poodle.pdf
http://googleonlinesecurity.blogspot.de/2014/10/this-poodle-bites-exploiting-ssl-30.html

The advice is: Disable SSLv3.

I created https://bugzilla.yoctoproject.org/show_bug.cgi?id=6843 so we can start to work with this immediately.

It would be good to sync the work like we did with the "shellshock" at the end :) .

Cheers
Sona


Sona Sarmadi
Security Responsible for Enea Linux
Enea
Jan Stenbecks torg 17,
Box 1033, SE-164 21 Kista, Sweden
Direct: +46 8 5071  4475
Mobile: +46 70 971 4475
sona.sarmadi at enea.com
www.enea.com 

This message, including attachments, is CONFIDENTIAL. It may also be privileged or otherwise protected by law. If you received this email by mistake please let us know by reply and then delete it from your system; you should not copy it or disclose its contents to anyone.

> -----Original Message-----
> From: Sona Sarmadi
> Sent: den 14 oktober 2014 16:39
> To: openembedded-core at lists.openembedded.org
> Cc: yocto at yoctoproject.org
> Subject: FW: [oss-security] Truly scary SSL 3.0 vuln to be revealed soon:
> 
> Hi all,
> 
> It seems that another vulnerability is coming soon; the advice is: disable
> SSLv3.
> http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/
> 
> 
> From Hanno Böck [hanno at hboeck.de]:
> ============================================
> Whether it's scary or not I have an advice for you: Disable SSLv3.
> 
> It causes a lot of headache already. I once had to debug a rather subtle issue
> in combination with SNI.
> The problem: Browsers downgrade out of protocol to SSLv3 if they can't
> connect via TLS. They do this in order to support broken server
> implementations. However this downgrade can also be triggered by bad or
> slow internet connections - and then you'll lose SNI. So sometimes your
> visitors will get the wrong certificate presented.
> I solved this for my servers by disabling SSLv3. It was a minor problem when I
> did this but it is almost no problem today.
> 
> You will lock out IE6 users on Windows XP. However even people who use
> Windows XP+IE and installed their updates have TLS 1.0 support.
> I also encountered a small number of people who had manually disabled TLS
> 1.0 in firefox for unknown reasons. However this was a few years ago.
> Current Firefox versions make it harder to do this. I assume the reason was
> that they thought "v3 sounds newer than v1.0".
> 
> A number of people already recommend disabling SSLv3, e.g. the Qualys
> configuration guide. Disable it now - no matter if the rumors about a serious
> vuln are true, you'll be safe.
> 
> BR - Sona
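An added check, not part of this thread or of any project named in it, for verifying that the advice above was actually applied on servers you operate: it sends a minimal SSLv3 ClientHello over a raw socket and classifies the first record that comes back. The hostname passed to check_host is an assumption; the byte strings in the comments are constructed.

```python
import socket
import struct

SSL3_VERSION = 0x0300  # SSLv3 on the wire is version 3.0


def build_sslv3_client_hello():
    """Build a minimal SSLv3 ClientHello record: version 3.0, three common ciphers, no extensions."""
    ciphers = [0x002F, 0x0035, 0x000A]  # AES128-SHA, AES256-SHA, 3DES-SHA
    cipher_bytes = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (
        struct.pack("!H", SSL3_VERSION)
        + b"\x00" * 32  # client_random (fixed zeros; constructed for the example, not a real client)
        + b"\x00"  # session_id length: 0
        + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
        + b"\x01\x00"  # one compression method: null
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 3-byte length
    return b"\x16" + struct.pack("!H", SSL3_VERSION) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Return 'sslv3-accepted', 'sslv3-refused' or 'unknown' from the first record the server sent."""
    if len(data) < 5:  # shorter than a record header
        return "unknown"
    content_type = data[0]
    if content_type == 0x15:  # Alert record (e.g. protocol_version, handshake_failure): rejected
        return "sslv3-refused"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # Handshake record, ServerHello
        server_version = struct.unpack("!H", data[9:11])[0]  # version field inside the ServerHello body
        return "sslv3-accepted" if server_version == SSL3_VERSION else "sslv3-refused"
    return "unknown"


def check_host(host, port=443, timeout=5):
    """Connect to host:port (assumed to be your own server), offer SSLv3 only, and report the outcome."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""
    # An empty reply means the server closed the connection: the SSLv3 handshake was not accepted.
    return "sslv3-refused" if not data else classify_response(data)


if __name__ == "__main__":
    print(check_host("www.example.com"))  # hostname is a placeholder; use a server you operate
```

A result of "sslv3-accepted" means the fix from bug 6843 is not in effect on that host; "unknown" means the reply was something other than an alert or ServerHello and should be inspected by hand.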