Post by Tim ZielkeSince SSL v3 is no longer supported, the security community has basically âpulled the plugâ on SSL v3.
About time. SSL v3 has other known vulns, but apparently this one we care about. There's an easy test for it so fair enough. Incidentally, as you are looking for alternate ciphers, keep in mind that MD5 is also broken and CBC has some known issues. If I had to pick one, I'd take CBC over MD5 in a heartbeat though.
The SSL Labs site Peter points to is great. I frequently point people at it. And while you are busy testing, take a look at http://checktls.com where they test your company's SMTP (email) server. As bad as HTTPS is, email is 100 times worse. Half the time the servers are set up to accept plaintext connections if the encrypted ones fail and the encryption is often SSL at best. But nobody sees the SMTP servers or deals with mail transfer at the back end other than admins. Instead of encryption they have a kludge of putting authentication info into DNS records but it's hardly what you'd call secure. Wouldn't it be cool if CheckTLS.com went viral and half the net started asking their companies and ISPs why email was so bad?
Kind regards,
-- T.Rob
T.Robert Wyatt, Managing partner
IoPT Consulting, LLC
+1 704-443-TROB (8762) Voice/Text
+44 (0) 8714 089 546 Voice
https://ioptconsulting.com <https://ioptconsulting.com/>
https://twitter.com/tdotrob
From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of Tim Zielke
Sent: Wednesday, October 22, 2014 9:43 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: IBM MQ, SSL and the PODLE Attack
My understanding is that any cipher that uses the TLS protocol would remediate POODLE. I used the MQ v8 manual which lists what protocol (i.e. SSL v3, TLS 1.0, TLS 1.2) the cipher is using -> http://www-01.ibm.com/support/knowledgecenter/#!/SSFKSJ_8.0.0/com.ibm.mq.sec.doc/q014260_copy.htm.
As Isvtan mentioned, it would be better to also choose a TLS cipher that is also FIPS compliant. The IBM MQ security bulletin for POODLE tells you which TLS ciphers are not FIPS compliant -> http://www-01.ibm.com/support/docview.wss?uid=swg21687433 <http://www-01.ibm.com/support/docview.wss?uid=swg21687433&myns=swgws&mynp=OCSSFKSJ&mync=E> &myns=swgws&mynp=OCSSFKSJ&mync=E
This is my understanding of POODLE based on the research I have done. POODLE (Padding Oracle on Downgraded Legacy Encryption) is a new security vulnerability on SSL v3. Padding Oracle is the method to do the security breach. Downgraded Legacy Encryption is SSL v3. Since SSL v3 is no longer supported, the security community has basically âpulled the plugâ on SSL v3.
From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of David Awerbuch (BLOOMBERG/ 120 PARK)
Sent: Wednesday, October 22, 2014 8:22 AM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: IBM MQ, SSL and the PODLE Attack
Is there a definitive list of the TLS cipherspecs?
We are running 7.5 mgrs, our connection partners are running server 8.0, 7.5, 7.1, 7.0, and a few are still at 6.0.
Customer client verions are across the spectrum.
Thanks.
Dave
----- Original Message -----
From: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
At: Oct 21 2014 21:01:14
It looks like POODLE has caused the security community to put the fork in SSL. We just have TLS from here on out, for âsecureâ MQ ciphers.
From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of dhornby5-***@public.gmane.org
Sent: Tuesday, October 21, 2014 6:34 PM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: IBM MQ, SSL and the PODLE Attack
yes, AFAIK you just need to use a TLS cipherspec
_____
From: "Peter M Potkay (CTO Architecture + Engineering)" <Peter.Potkay-***@public.gmane.org>
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Sent: Tuesday, October 21, 2014 5:19:41 PM
Subject: Re: IBM MQ, SSL and the PODLE Attack
Would it be accurate to sayâŠIf your QM is running with SSLFIPS(YES) you are not vulnerable to POODLE, but you do not necessarily need to be SSL FIPS compliant to remediate the POODLE attack.
Peter Potkay
From: MQSeries List [mailto:MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org] On Behalf Of Neil Casey
Sent: Tuesday, October 21, 2014 4:58 PM
To: MQSERIES-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org
Subject: Re: IBM MQ, SSL and the PODLE Attack
Hi,
thanks for your work, and for publishing the results.
I would just like to ask⊠what was the cipher spec defined in the channel?
Successfully establishing an MQ channel requires more than just the SSL session. The negotiated cipher has to match the SSLCIPH value too.
Regards,
Neil Casey.
On 22 Oct 2014, at 4:48 am, Istvan M. <ipl873-8a+***@public.gmane.org> wrote:
Hello List,
just tested on Linux with a small script provided by RedHat.
QMNAME(QM1V701) SSLFIPS(NO)
-bash-4.1$ ./poodle.sh
127.0.0.1:1414 <http://127.0.0.1:1414/> - Vulnerable! SSLv3 connection established using SSLv3/AES128-SHA
QMNAME(QM1V701) SSLFIPS(YES)
-bash-4.1$ ./poodle.sh
127.0.0.1:1414 <http://127.0.0.1:1414/> - Not vulnerable. Failed to establish SSLv3 connection.
poodle.sh: https://access.redhat.com/articles/1232123 at "attachments"
So enabling FIPS mode really solves this vulnerability.
On Mon, Oct 20, 2014 at 8:23 PM, Istvan M. <ipl873-***@public.gmane.org> wrote:
Hello List,
I've been waiting for this technote, really, we suspected that enabling SSLFIPS with a good cipher (TLS_RSA_WITH_AES_256_CBC_SHA for example, good for distributed, Z and i platforms) will eliminate this problem.
Now it's official. Tomorrow I'll test it. I assume Broker is also affected (seems no exceptions, everything is affected if it uses SSLv3).
On Mon, Oct 20, 2014 at 6:46 PM, Potkay, Peter M (CTO Architecture + Engineering) <Peter.Potkay-***@public.gmane.org> wrote:
This just came out from IBM on how MQ is impacted by POODLE:
http://www-01.ibm.com/support/docview.wss?uid=swg21687433 <http://www-01.ibm.com/support/docview.wss?uid=swg21687433&myns=swgws&mynp=OCSSFKSJ&mync=E> &myns=swgws&mynp=OCSSFKSJ&mync=E
Still waiting for the WMB TechNote on POODLE.
Peter Potkay
************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************
_____
List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>
Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>
--
Ãdvözlettel / Best regards,
Melich István / Istvan Melich
--
Best regards / Ãdvözlettel,
MELICH, István
_____
List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>
Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>
_____
List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>
Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>
************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
************************************************************
_____
List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>
Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>
_____
List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>
Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>
_____
List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>
Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>
<< "Once the game is over, the king and the pawn go back into the same box." - Anon >>
_____
List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>
Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>
_____
List Archive <http://listserv.meduniwien.ac.at/archives/mqser-l.html> - Manage Your List Settings <http://listserv.meduniwien.ac.at/cgi-bin/wa?SUBED1=mqser-l&A=1> - Unsubscribe <mailto:LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org?subject=Unsubscribe&BODY=signoff%20mqseries>
Instructions for managing your mailing list subscription are provided in the Listserv General Users Guide available at http://www.lsoft.com <http://www.lsoft.com/resources/manuals.asp>
To unsubscribe, write to LISTSERV-0lvw86wZMd9k/bWDasg6f+***@public.gmane.org and,
in the message body (not the subject), write: SIGNOFF MQSERIES
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://listserv.meduniwien.ac.at/archives/mqser-l.html