SSLv3 POODLE vulnerability

mark
Site Admin

Post by mark »

There is a security vulnerability in SSLv3 with the name "POODLE" that can affect Thunderstone Search Appliances as well as any browser or server using SSL protocols. See CVE-2014-3566.

If you're using https services on your Thunderstone Search appliance you should go to "HTTPS/SSL Protocols" under "System Wide Settings" and uncheck SSLv3 (and SSLv2 if it's not already unchecked). Make sure TLSv1 is checked. Then click "Update".

Disabling SSLv3 may prevent https access by MS IE 6.

Note that system level admin is done via https so, unless you've firewalled that, you're using https services.
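
An added example, not part of the original post and not Thunderstone code: one way to confirm from another machine that the HTTPS service refuses SSLv3 and still accepts TLSv1 after clicking "Update". It sends a hand-built ClientHello offering a single protocol version and reads the first record of the reply; the cipher list, port 443, the function names and the sample replies are assumptions made for the example.

```python
import os
import socket
import struct
import sys

SSL3, TLS1_0 = (3, 0), (3, 1)
# Assumption: a few RSA key-exchange suites old enough for both SSLv3 and TLSv1.
SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]
# Constructed sample replies (not captured from a real appliance).
SAMPLE_ALERT = bytes.fromhex("15030000020228")              # fatal handshake_failure
SAMPLE_SERVER_HELLO = bytes.fromhex("160300004a020000460300")  # ServerHello choosing SSLv3

def client_hello(version):
    """Build a minimal ClientHello record that offers exactly `version`."""
    body = bytes(version) + os.urandom(32) + b"\x00"   # version, random, empty session id
    body += struct.pack(">H", 2 * len(SUITES))
    body += b"".join(struct.pack(">H", s) for s in SUITES)
    body += b"\x01\x00"                                # one compression method: null
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake

def classify(reply, version):
    """Interpret the first bytes the server sent back for an offer of `version`."""
    if not reply or reply[0] == 0x15:                  # connection closed, or an alert record
        return "refused"
    if len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02:
        # Bytes 9-10 of a ServerHello record hold the version the server selected.
        return "accepted" if tuple(reply[9:11]) == version else "refused"
    return "unknown"

def probe(host, port, version, timeout=5.0):
    """Offer `version` to host:port and classify the reply (a timeout raises)."""
    reply = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(client_hello(version))
            while len(reply) < 11:
                chunk = s.recv(11 - len(reply))
                if not chunk:
                    break
                reply += chunk
    except ConnectionResetError:
        reply = b""                                    # a reset counts as a refusal
    return classify(reply, version)

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python check_sslv3.py <appliance-hostname>
    for name, version in (("SSLv3", SSL3), ("TLSv1", TLS1_0)):
        print(name, probe(sys.argv[1], 443, version))
```

With the settings described above applied, the expected output is `SSLv3 refused` and `TLSv1 accepted`.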
Kai
Site Admin

Post by Kai »

All existing profiles should also have SSLv2 and SSLv3 unchecked (and TLSv1 checked) under All Walk Settings -> SSL Client Protocols, then click "Update".

Also make sure to do this for every new profile created (until Thunderstone issues a texisScripts update to do this by default, which will happen shortly). Or create your own default profile, uncheck SSLv2/SSLv3, and only create new profiles as a copy of that profile (or a copy of others with SSLv2/SSLv3 unchecked).

Turning off SSLv2/SSLv3 may affect the ability for profiles to walk HTTPS sites, depending on the protocol support in those sites' servers.