Discussion:
[SR-Users] Susceptibility to POODLE Vulnerability?
Rainer Piper
2014-10-21 06:01:37 UTC
Hi all,

is it possible to add in
http://kamailio.org/docs/modules/4.2.x/modules/tls.html
under the line
9.1. |tls_method| (string)

...
...

If rfc3261 conformance is desired, TLSv1 must be used. For compatibility
with older clients SSLv23 is a good option.

*Example 1.3. Set |tls_method| parameter*

...
modparam("tls", "tls_method", "TLSv1")
...

<


!!! *a warning that the use of SSLv3 is susceptible to the POODLE
vulnerability* !!!
--
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer-fwazL+***@public.gmane.org:5072 (pjsip-test)
XMPP: rainer-gm1cXc+Wa7vhPBOlVbd/***@public.gmane.org
Rainer Piper
2014-10-21 06:13:15 UTC
Post by Rainer Piper
Hi all,
is it possible to add in
http://kamailio.org/docs/modules/4.2.x/modules/tls.html
under the line
9.1. |tls_method| (string)
...
...
If rfc3261 conformance is desired, TLSv1 must be used. For
compatibility with older clients SSLv23 is a good option.
*Example 1.3. Set |tls_method| parameter*
...
modparam("tls", "tls_method", "TLSv1")
...
<
!!! *a warning that the use of SSLv3 is susceptible to the POODLE
vulnerability* !!!
--
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
More information about the SSLv3 POODLE attack:


SSL 3 is dead, killed by the POODLE attack
<https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack>

Posted by Ivan Ristic <https://community.qualys.com/people/ivanr> in
Security Labs <https://community.qualys.com/blogs/securitylabs> on
15.10.2014 12:06:32

The POODLE Attack (CVE-2014-3566)

After more than a week of persistent rumours, yesterday (Oct 14) we
finally learned about the new SSL 3 vulnerability everyone was afraid
of. The so-called POODLE attack
<http://googleonlinesecurity.blogspot.com.au/2014/10/this-poodle-bites-exploiting-ssl-30.html>
is a problem in the CBC encryption scheme as implemented in the SSL 3
protocol. (Other protocols are not vulnerable because this area had been
strengthened in TLS 1.0.) Conceptually, the vulnerability is very
similar to the 2011 BEAST exploit. In order to successfully exploit
POODLE the attacker must be able to inject malicious JavaScript into the
victim's browser and also be able to observe and manipulate encrypted
network traffic on the wire. As far as MITM attacks go, this one is
complicated, but easier to execute than BEAST because it doesn't require
any special browser plugins. If you care to learn the details, you can
find them in the short paper
<https://www.openssl.org/%7Ebodo/ssl-poodle.pdf> or in Adam Langley's
blog post <https://www.imperialviolet.org/2014/10/14/poodle.html>.


Read more at the source:
https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
--
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer-fwazL+***@public.gmane.org:5072 (pjsip-test)
XMPP: rainer-gm1cXc+Wa7vhPBOlVbd/***@public.gmane.org
Olle E Johansson
2014-10-21 06:20:34 UTC
Post by Rainer Piper
!!! *a warning that the use of SSLv3 is susceptible to the POODLE
vulnerability* !!!
Well, since POODLE requires a web browser and JavaScript, we're not in
danger from a POODLE attack. Even so, we are not enabling SSL by
default, only enabling TLS. All versions of SSL are too old to be
secure. We cannot add a warning text for every possible attack,
but have published information on Twitter, Facebook, G+ and
on the mailing lists.

Are we aware of any phones or SIP servers that only support SSLv3
and have no support for TLS?

/O
Rainer Piper
2014-10-21 06:30:20 UTC
Post by Olle E Johansson
Post by Rainer Piper
!!! *a warning that the use of SSLv3 is susceptible to the POODLE
vulnerability* !!!
Well, since POODLE requires a web browser and JavaScript, we're not in
danger from a POODLE attack. Even so, we are not enabling SSL by
default, only enabling TLS. All versions of SSL are too old to be
secure. We cannot add a warning text for every possible attack,
but have published information on Twitter, Facebook, G+ and
on the mailing lists.
Are we aware of any phones or SIP servers that only support SSLv3
and have no support for TLS?
/O
Asterisk just published a security warning.

source: http://downloads.asterisk.org/pub/security/AST-2014-011.html

You have to force Asterisk to use TLSv1;
the default settings allow an SSLv3/SSLv2 fallback.
--
*Rainer Piper*
Integration engineer
Koeslinstr. 56
53123 BONN
GERMANY
Phone: +49 228 97167161
P2P: sip:rainer-fwazL+***@public.gmane.org:5072 (pjsip-test)
XMPP: rainer-gm1cXc+Wa7vhPBOlVbd/***@public.gmane.org
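A way to check whether a SIP-over-TLS listener (Kamailio, Asterisk or any other) still negotiates SSL 3.0, as an added example that is not part of the thread or of either project: it sends a hand-built SSLv3 ClientHello, because current Python ssl builds no longer offer PROTOCOL_SSLv3, and classifies the first record the server returns. Host and port are assumptions; 5061 is the conventional SIP TLS port.

```python
"""Send a hand-built SSLv3 ClientHello to a SIP TLS listener and report
whether it answers with an SSL 3.0 ServerHello (added example; modern
Python ssl builds no longer offer PROTOCOL_SSLv3, hence the raw record)."""
import os
import socket
import struct

SSL3_VERSION = b"\x03\x00"                      # SSL 3.0 on the wire
SSL3_CIPHERS = [0x002F, 0x0035, 0x000A, 0x0005]  # RSA AES128/256-CBC, 3DES-CBC, RC4


def build_sslv3_client_hello() -> bytes:
    """Return one complete SSLv3 ClientHello record (record + handshake header)."""
    ciphers = b"".join(struct.pack("!H", c) for c in SSL3_CIPHERS)
    body = (
        SSL3_VERSION
        + os.urandom(32)                              # client random
        + b"\x00"                                     # empty session id
        + struct.pack("!H", len(ciphers)) + ciphers   # cipher_suites vector
        + b"\x01\x00"                                 # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server returns to the SSLv3 hello."""
    if len(data) < 5:
        return "rejected:closed"          # server hung up without answering
    ctype, version = data[0], data[1:3]
    if ctype == 0x16 and version == SSL3_VERSION and len(data) > 5 and data[5] == 0x02:
        return "accepted"                 # ServerHello at 3.0: SSLv3 still negotiable
    if ctype == 0x15 and len(data) >= 7:
        return f"rejected:alert({data[6]})"  # 40 handshake_failure, 70 protocol_version
    return "unknown"


def probe_sslv3(host: str, port: int = 5061, timeout: float = 5.0) -> str:
    """Connect to host:port (5061 = SIP over TLS), send the hello, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_response(reply)
```

Call `probe_sslv3("sip.example.org", 5061)` against your own listener; "accepted" means the server still completes an SSL 3.0 handshake and the `tls_method` (or the Asterisk equivalent) should be pinned to TLSv1 or newer.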
Olle E Johansson
2014-10-21 06:34:29 UTC
Post by Rainer Piper
Post by Olle E Johansson
Post by Rainer Piper
!!! *a warning that the use of SSLv3 is susceptible to the POODLE
vulnerability* !!!
Well, since POODLE requires a web browser and JavaScript, we're not in
danger from a POODLE attack. Even so, we are not enabling SSL by
default, only enabling TLS. All versions of SSL are too old to be
secure. We cannot add a warning text for every possible attack,
but have published information on Twitter, Facebook, G+ and
on the mailing lists.
Are we aware of any phones or SIP servers that only support SSLv3
and have no support for TLS?
/O
source: http://downloads.asterisk.org/pub/security/AST-2014-011.html
You have to force Asterisk to use TLSv1;
the default settings allow an SSLv3/SSLv2 fallback.
Yes, I am aware of that (and took part in the process). It's the same as
what Kamailio does if you check the default configuration.

As a second step we will have to modify our defaults in the code (like
Asterisk).

/O
Daniel-Constantin Mierla
2014-10-21 14:34:43 UTC
As we had a note about SSLv2 not being recommended when security is
wanted, I put the same note for SSLv3. It could be useful for newcomers
in the field.

Cheers,
Daniel
Post by Olle E Johansson
Post by Rainer Piper
Post by Olle E Johansson
Post by Rainer Piper
!!! *a warning that the use of SSLv3 is susceptible to the POODLE
vulnerability* !!!
Well, since POODLE requires a web browser and JavaScript, we're not in
danger from a POODLE attack. Even so, we are not enabling SSL by
default, only enabling TLS. All versions of SSL are too old to be
secure. We cannot add a warning text for every possible attack,
but have published information on Twitter, Facebook, G+ and
on the mailing lists.
Are we aware of any phones or SIP servers that only support SSLv3
and have no support for TLS?
/O
source: http://downloads.asterisk.org/pub/security/AST-2014-011.html
You have to force Asterisk to use TLSv1;
the default settings allow an SSLv3/SSLv2 fallback.
Yes, I am aware of that (and took part in the process). It's the same
as what Kamailio does if you check the default configuration.
As a second step we will have to modify our defaults in the code (like
Asterisk).
/O
--
Daniel-Constantin Mierla
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda