cancel
Showing results for 
Search instead for 
Did you mean: 

SSL Poodle

Occasional Contributor

SSL Poodle

New SSL exploit: http://betanews.com/2014/10/14/security-alert-google-drops-ssl-3-0-after-poodle-attack-discovery/

 

IVE has the option to disable SSL3: Configurations->Security->SSL Options

 

Does anyone know of an official Juniper response yet?

16 REPLIES
Highlighted
Regular Contributor
Contributor

Re: SSL Poodle

ok, so Juniper is telling us to just turn off SSLv3:

         From the admin GUI navigate to System > Configuration > Security and under the section Allowed SSL and TLS            VersionÓ select the first option Accept only TLSÓ. This setting will ensure that SSLv3 is disabled on the server-side and any SSL connections from clients that attempt to use SSLv3 will be terminated.

 

 

My question is what's the impact of turning off SSLv3 in regards to OS/Browser compatibility?

 

 

 

 

 

 

 

Frequent Contributor

Re: SSL Poodle

Valued Contributor

Re: SSL Poodle

I did some digging last night and the last version that I could find using SSLv3 (by default) is Windows XP with IE6.  If end users are using the latest browsers and operating systems, there should cause no or little effect to end users unless end user have manually disable TLS 1.2, 1.1 and 1.0 in their browsers.

Contributor

Re: SSL Poodle

I read the same, but also read that XP and Vista only support TLS 1.0 (which has it's own demons out there.. namely BEAST).  Which is more so what I'm trying to wrap my head around.  It looks like I just have to pick the lesser of two evils.

 

The problem I'm facing is that I'm in the middle of migrating my clients from a SA2000 cluster (7.1R17, build 28099) to a MAG2600 cluster (8.0R4.1, build 31475).  

The 7.1R17 code only runs TLS 1.0 if you disable SSLv3.

The 8.0R4.1 uses TLS 1.0, 1.1 & 1.2

 

So I've got to deal with both sides of that and make sure my people will work.

 

I understand I can disable SSLv3 on both boxes.. .but it still leaves the older box with only TLS 1.0 to use.

 

Ahh... if I could only get the team to move their darn people over quicker.

 

 

 

 

Contributor

Re: SSL Poodle

has anyone done this? Does it actually restart the web server and kick everyone off?

Contributor

Re: SSL Poodle

I made the change in the older box (7.1R17 code) and it didn't kick the 2 people that were logged in.

 

 

Valued Contributor

Re: SSL Poodle

The web server will restart which means tcp connections will be closed.  Core access users will probably not see any issues, but any SAM / NC / Pulse users will see the application disconnect and reconnect back to the SA/MAG device.

Contributor

Re: SSL Poodle

On my 6500 cluster, I have IVS running.

 

I can change it in the root, but even though I am admin, I can't change it in either of my virtual systems. 

 

Any idea why? is it a concern?