Poodle Vulnerability and SSTP
Posted: Thu Oct 16, 2014 12:59 pm
by kapp
Any concerns about SoftEther's implementation of SSTP and the Poodle Vulnerability with SSL 3.0/2.0?
thanks!
Re: Poodle Vulnerability and SSTP
Posted: Fri Oct 17, 2014 2:01 am
by ziphead
Joining the question. Shall we use l2p or openvpn instead of ssl? Do we need to wait for the security update?
Re: Poodle Vulnerability and SSTP
Posted: Fri Oct 17, 2014 7:16 am
by maurer
+1
Is SoftetherVPN Vulnerable to Poodle?
Re: Poodle Vulnerability and SSTP
Posted: Sat Oct 18, 2014 4:45 am
by ziphead
Poodle can be applied via a "man in the middle" attack. So I hope self-signed or server-signed certificates will protect clients. But I didn't find how to make VPN server manager for Windows use only certificates to log in (not passwords).
And I'm still not sure if poodle can decrypt all the traffic passing through...
Re: Poodle Vulnerability and SSTP
Posted: Mon Oct 20, 2014 3:54 pm
by kapp
Apparently SoftEther's SSTP Server (CentOS 6.5) does accept SSLv3.
This command shows SSL3 is AOK:
openssl s_client -connect your.vpnserver.com:443 -ssl3
Is there any way to disable SSLv3 in SoftEther's implementation on a Linux server?
Re: Poodle Vulnerability and SSTP
Posted: Wed Oct 22, 2014 4:19 pm
by dnobori
Re: Poodle Vulnerability and SSTP
Posted: Thu Oct 23, 2014 2:15 pm
by kapp
This worked great. Thank you.