These are old archives. They are kept for historic purposes only.
- Posts: 9
- Joined: Fri Mar 06, 2009 3:12 am
POODLE: http://googleonlinesecurity.blogspot.co ... sl-30.html
I believe Unreal IRCd is vulnerable because SSLv3 is supported. The fix is to disable SSLv3 and just use TLS 1+. Is this possible (22.214.171.124)?
Test with -
$ echo | openssl s_client -connect irc.unrealircd.com:6697 -ssl3 2>&1 | grep New
New, TLSv1/SSLv3, Cipher is AES256-SHA
# Successful SSL connection ^
$ echo | openssl s_client -connect irc.unrealircd.com:6697 -ssl2 2>&1 | grep New
New, (NONE), Cipher is (NONE)
# Unsuccessful (SSLv2 is not supported, which is good) ^
-tls1 is also a switch
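As an added example that is not part of the original post, the following POSIX shell helper reads the "New, ..." summary line that openssl s_client prints (the line the grep above isolates) and reports whether the server accepted the requested protocol. The function names, the placeholder host irc.example.net and the sample output lines are assumptions constructed for this example; only the live probe needs network access.

```shell
#!/bin/sh
# Added example, not from the original post: classify openssl s_client output.
# classify_handshake reads s_client output on stdin and prints "accepted" when
# a protocol/cipher was negotiated, and "refused" when the server declined
# (s_client then prints "New, (NONE), Cipher is (NONE)", as the SSLv2 probe
# in the thread shows) or when no "New," line appeared at all.
classify_handshake() {
    # Only the first "New," summary line matters; grep finding nothing is fine.
    line=$(grep '^New,' | head -n 1)
    case "$line" in
        ''|*'Cipher is (NONE)'*) printf 'refused\n' ;;
        *)                       printf 'accepted\n' ;;
    esac
}

# probe_protocol HOST PORT FLAG runs the live check from the post, e.g.
#   probe_protocol irc.example.net 6697 -ssl3
# HOST and PORT are placeholders. Modern OpenSSL builds drop SSLv3 at compile
# time, so -ssl3 may be rejected as an unknown option; no "New," line is
# printed then and the result is reported as "refused".
probe_protocol() {
    host=$1; port=$2; flag=$3
    echo | openssl s_client -connect "$host:$port" "$flag" 2>&1 | classify_handshake
}

# Constructed sample output lines, modelled on the session quoted in the post.
SAMPLE_SSL3_OK='New, TLSv1/SSLv3, Cipher is AES256-SHA'
SAMPLE_SSL2_REFUSED='New, (NONE), Cipher is (NONE)'

# Offline demonstration on the constructed samples when invoked with --demo;
# the live probe is left to the caller because it needs network access.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SSL3_OK" | classify_handshake       # accepted
    printf '%s\n' "$SAMPLE_SSL2_REFUSED" | classify_handshake  # refused
fi
```

Note that the "New, TLSv1/SSLv3" label names the cipher-suite family rather than the exact version negotiated; when it matters which version was actually used, read the "Protocol  :" line of the s_client session summary instead.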
- UnrealIRCd head coder
- Posts: 1961
- Joined: Sat Mar 06, 2004 8:57 pm
- Location: .nl
The good news is that the POODLE attack does not apply to IRC. It's not feasible.
Why? Two things: 1) It requires a high amount of reconnects, and 2) It requires chosen plaintext messages, in other words: the attacker must be able to choose what gets sent over the SSL/TLS connection.
For IRC that's not the case. Chosen plaintext doesn't happen; the only case I could think of would be irc:// links from a browser, but that will always prompt the user (plus, how useful is that?). And the high amount of reconnects is countered as well: all UnrealIRCd installations that use the default configuration file have throttling in place which limits you to 3 connections per second; that's really slow.
That being said, I think it's wise to add an option in a future version to control which SSL/TLS protocol is enabled. Similar to the cipher list. That way you can (more) easily disable the old SSL3 protocol.