[SR-Users] Susceptibility to POODLE Vulnerability?

Rainer Piper rainer.piper at soho-piper.de
Tue Oct 21 08:13:15 CEST 2014


On 21.10.2014 at 08:01, Rainer Piper wrote:
> Hi all,
>
> is it possible to add in
> http://kamailio.org/docs/modules/4.2.x/modules/tls.html
> under the line
> >
>
>
>       9.1. |tls_method| (string)
>
> ...
> ...
>
> If rfc3261 conformance is desired, TLSv1 must be used. For 
> compatibility with older clients SSLv23 is a good option.
>
> *Example 1.3. Set |tls_method| parameter*
>
> ...
> modparam("tls", "tls_method", "TLSv1")
> ...
> <
>
>
> !!! *a warning that the use of SSLv3 is susceptible to the POODLE
> vulnerability* !!!
>
>
> -- 
> *Rainer Piper*
> Integration engineer
> Koeslinstr. 56
> 53123 BONN
> GERMANY
> Phone: +49 228 97167161
> P2P: sip:rainer at sip.soho-piper.de:5072 (pjsip-test)
> XMPP: rainer at xmpp.soho-piper.de
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
More information about the SSLv3 POODLE attack:


  SSL 3 is dead, killed by the POODLE attack
  <https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack>

Posted by Ivan Ristic <https://community.qualys.com/people/ivanr> in 
Security Labs <https://community.qualys.com/blogs/securitylabs> on 
15.10.2014 12:06:32

The POODLE Attack (CVE-2014-3566)

After more than a week of persistent rumours, yesterday (Oct 14) we 
finally learned about the new SSL 3 vulnerability everyone was afraid 
of. The so-called POODLE attack 
<http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html> 
is a problem in the CBC encryption scheme as implemented in the SSL 3 
protocol. (Other protocols are not vulnerable because this area had been 
strengthened in TLS 1.0.) Conceptually, the vulnerability is very 
similar to the 2011 BEAST exploit. In order to successfully exploit 
POODLE the attacker must be able to inject malicious JavaScript into the 
victim's browser and also be able to observe and manipulate encrypted 
network traffic on the wire. As far as MITM attacks go, this one is 
complicated, but easier to execute than BEAST because it doesn't require 
any special browser plugins. If you care to learn the details, you can 
find them in the short paper 
<https://www.openssl.org/%7Ebodo/ssl-poodle.pdf> or in Adam Langley's 
blog post <https://www.imperialviolet.org/2014/10/14/poodle.html>.


read more at source -> 
https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack

-- 
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer at sip.soho-piper.de:5072 (pjsip-test)
XMPP: rainer at xmpp.soho-piper.de
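
Added example, not part of the original post and not Kamailio project code: a small Python audit that finds active `tls_method` settings in a Kamailio config and flags values that can still negotiate SSLv3. It assumes the `modparam("tls", "tls_method", ...)` form shown in the quoted documentation and treats `SSLv23` as SSLv3-capable (an assumption based on OpenSSL's version-flexible method); the function name and sample config are constructed for illustration.

```python
import re

# Values treated as able to complete an SSLv3 handshake.
# Assumption: "SSLv23" maps to OpenSSL's version-flexible method with SSLv3 left enabled.
SSLV3_CAPABLE = {"sslv3", "sslv23"}

MODPARAM_RE = re.compile(
    r'^\s*modparam\(\s*"tls"\s*,\s*"tls_method"\s*,\s*"([^"]*)"\s*\)'
)


def audit_tls_method(cfg_text):
    """Return (line_no, value, verdict) for every active tls_method modparam."""
    # Blank out /* ... */ blocks but keep their newlines so line numbers stay correct.
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                  cfg_text, flags=re.S)
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.lstrip()
        # Skip line comments; "#!" introduces preprocessor directives, not comments.
        if stripped.startswith("//") or (
            stripped.startswith("#") and not stripped.startswith("#!")
        ):
            continue
        match = MODPARAM_RE.match(line)
        if match:
            value = match.group(1)
            # Only SSLv3 exposure (the POODLE concern) is judged here.
            verdict = ("SSLV3_POSSIBLE" if value.lower() in SSLV3_CAPABLE
                       else "NO_SSLV3")
            findings.append((line_no, value, verdict))
    return findings


# Constructed sample config (not taken from a real deployment).
SAMPLE_CFG = '''\
loadmodule "tls.so"
# modparam("tls", "tls_method", "SSLv3")
/* modparam("tls", "tls_method", "SSLv23")
   old setting kept for reference */
modparam("tls", "tls_method", "SSLv23")
modparam("tls", "tls_method", "TLSv1")
'''

if __name__ == "__main__":
    for line_no, value, verdict in audit_tls_method(SAMPLE_CFG):
        print(f"line {line_no}: tls_method={value} -> {verdict}")
```

A config with no `tls_method` line returns an empty list, in which case the module's default applies and should be checked against the documentation for the installed version.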