SSL Poodle

smicker_
Occasional Contributor

New SSL exploit: http://betanews.com/2014/10/14/security-alert-google-drops-ssl-3-0-after-poodle-attack-discovery/

 

IVE has the option to disable SSL3: Configurations->Security->SSL Options

 

Does anyone know of an official Juniper response yet?

16 replies
CaseyH_
Contributor

Re: SSL Poodle

ok, so Juniper is telling us to just turn off SSLv3:

"From the admin GUI navigate to System > Configuration > Security and under the section "Allowed SSL and TLS Version" select the first option "Accept only TLS". This setting will ensure that SSLv3 is disabled on the server-side and any SSL connections from clients that attempt to use SSLv3 will be terminated."

 

 

My question is what's the impact of turning off SSLv3 in regards to OS/Browser compatibility?
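A way to confirm that the "Accept only TLS" setting actually took effect, and to see which TLS version an appliance settles on, as an added example that is not part of this thread and not Juniper's code. It sends one hand-built ClientHello per protocol version and reads the first record that comes back, so SSLv3 can be offered even on a workstation whose OpenSSL has SSLv3 compiled out (which is why `openssl s_client -ssl3` is often unavailable today). Assumptions: the short cipher-suite list is a guess at what an older appliance accepts, the negotiated version is taken from the first record the server returns, and the two sample responses at the bottom are constructed, not captured from any device.

```python
"""Probe which SSL/TLS versions a server will negotiate, one ClientHello per version.

Added example (not from the original thread or from Juniper). Assumption: the
cipher-suite list below is enough for the server to pick one; a real scanner offers
many more. Only the first record returned by the server is interpreted.
"""
import socket
import struct
import sys

# Wire codes for the protocol versions discussed in the thread.
VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
NAMES = {code: name for name, code in VERSIONS.items()}

# Assumption: a small set of RSA/ECDHE CBC suites that SSLv3 and TLS 1.0-1.2 servers
# of that era typically accept.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0xC013, 0xC014, 0x003C]

# Alert descriptions worth naming in the output (RFC 5246, section 7.2).
ALERTS = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version"}


def build_client_hello(version: int) -> bytes:
    """Return a handshake record carrying a ClientHello whose record version and
    client_version both equal `version`; no extensions, which is fine for a probe."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        struct.pack("!H", version)                 # client_version
        + bytes(32)                                # random: zeros, a probe needs no entropy
        + b"\x00"                                  # session_id length = 0
        + struct.pack("!H", len(suites)) + suites  # cipher_suites
        + b"\x01\x00"                              # compression_methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # msg_type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake  # type 22 = handshake


def classify_response(data: bytes):
    """Interpret the first record the server sent back.

    ("accepted", server_version) for a ServerHello, ("rejected", alert_code) for an
    alert, ("closed", None) if the peer hung up without saying anything (what
    "connections ... will be terminated" looks like on the wire), else ("unknown", None).
    """
    if not data:
        return ("closed", None)
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:
        # 5-byte record header + 4-byte handshake header, then server_version
        return ("accepted", struct.unpack("!H", data[9:11])[0])
    if len(data) >= 7 and data[0] == 0x15:
        return ("rejected", data[6])  # alert: level at [5], description at [6]
    return ("unknown", None)


def describe(verdict: str, detail) -> str:
    """Human-readable verdict line for one offered version."""
    if verdict == "accepted":
        return "accepted, server chose " + NAMES.get(detail, hex(detail))
    if verdict == "rejected":
        return "rejected with alert " + ALERTS.get(detail, str(detail))
    return verdict


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Offer each version on its own connection; return {name: (verdict, detail)}."""
    results = {}
    for name, code in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(code))
                results[name] = classify_response(sock.recv(4096))
        except OSError as exc:
            results[name] = ("error", str(exc))
    return results


# Constructed sample responses (not captured from any real device) so the parser can be
# exercised offline: a ServerHello settling on TLS 1.0 with suite 0x002F, and a fatal
# handshake_failure alert, which is what a server with SSLv3 disabled commonly returns.
SAMPLE_SERVER_HELLO = (b"\x16\x03\x01\x00\x2a" + b"\x02\x00\x00\x26"
                       + b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        for name, (verdict, detail) in probe(sys.argv[1], port).items():
            print(f"{name:8s} {describe(verdict, detail)}")
    else:
        print("ServerHello sample:", describe(*classify_response(SAMPLE_SERVER_HELLO)))
        print("Alert sample:      ", describe(*classify_response(SAMPLE_ALERT)))
```

Run it as `python probe.py vpn.example.com 443` (hypothetical host). After the setting from Juniper's note is applied, the SSLv3 row should read "rejected" or "closed" while the TLS rows are "accepted"; on a box that only speaks TLS 1.0, offering TLS 1.2 still yields "accepted, server chose TLSv1.0", which is the downgrade-to-1.0 situation discussed later in this thread. A server can also close the connection silently rather than send an alert, so treat "closed" as "not offered" only after confirming the TLS rows connect normally.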

Kita_
Valued Contributor

Re: SSL Poodle

I did some digging last night and the last version that I could find using SSLv3 (by default) is Windows XP with IE6.  If end users are using the latest browsers and operating systems, there should be little or no effect on end users unless end users have manually disabled TLS 1.2, 1.1 and 1.0 in their browsers.

CaseyH_
Contributor

Re: SSL Poodle

I read the same, but also read that XP and Vista only support TLS 1.0 (which has its own demons out there, namely BEAST), which is more what I'm trying to wrap my head around.  It looks like I just have to pick the lesser of two evils.

 

The problem I'm facing is that I'm in the middle of migrating my clients from a SA2000 cluster (7.1R17, build 28099) to a MAG2600 cluster (8.0R4.1, build 31475).  

The 7.1R17 code only runs TLS 1.0 if you disable SSLv3.

The 8.0R4.1 uses TLS 1.0, 1.1 & 1.2

 

So I've got to deal with both sides of that and make sure my people will work.

 

I understand I can disable SSLv3 on both boxes, but it still leaves the older box with only TLS 1.0 to use.

 

Ahh... if I could only get the team to move their darn people over quicker.

tech_dude_
Contributor

Re: SSL Poodle

has anyone done this? Does it actually restart the web server and kick everyone off?

CaseyH_
Contributor

Re: SSL Poodle

I made the change in the older box (7.1R17 code) and it didn't kick the 2 people that were logged in.

Kita_
Valued Contributor

Re: SSL Poodle

The web server will restart which means tcp connections will be closed.  Core access users will probably not see any issues, but any SAM / NC / Pulse users will see the application disconnect and reconnect back to the SA/MAG device.

tech_dude_
Contributor

Re: SSL Poodle

On my 6500 cluster, I have IVS running.

 

I can change it in the root, but even though I am admin, I can't change it in either of my virtual systems. 

 

Any idea why? is it a concern?