Changes for POODLE no longer effective
#35220
Posted: 12/12/2015 14:07:29
by Tim Frost (Standard support level)
Joined: 07/20/2007
Posts: 17

We followed the advice in your POODLE article a year ago (https://www.eldos.com/security/articles/8106.php), but it seems that a recent change at Microsoft prevents it working when logging in to send mail to outlook.com.

Formerly, we used TLS only initially, with a fallback to all allowable settings, as you recommended. If we start now with all allowable versions, Wireshark shows that SSLv2 and TLS are used and the auth login on port 587 is successful. But if we start with only TLS, the second attempt to connect now also fails. I don't understand enough to know why you document that SSLv2 and TLS cannot be selected unless SSLv3 is also selected, though if this were possible it might work.

Does your POODLE article last year need to be updated, and what are the downsides of logging in to outlook.com with SSLv3 enabled along with SSLv2 and TLS? For the moment we have enabled a special override for outlook.com.
#35221
Posted: 12/14/2015 01:51:49
by Ken Ivanov (EldoS Corp.)

Hi Tim,

Thank you for contacting us.

Could you please provide us with some more details about the problem, particularly by specifying the exact TLS versions that you enable or disable, as the difference between TLS versions (e.g. TLS 1.0 and TLS 1.2) is drastic.

Besides, it would be great if you could also clarify the following:

Quote
If we start now with all allowable versions, Wireshark shows that SSLv2 and TLS are used and the auth login on port 587 is successful.

Do I understand you right that even though you set Versions to sbSSL2 | sbSSL3 | sbTLS1 | sbTLS11 | sbTLS12, Wireshark shows that the client hello packet only requests SSLv2 and TLSv1.0? If so, could you please post either the .pcap file (forum won't accept it so you will need to do that through Helpdesk), or a screen capture of the breakdown of the packet (just fine to post in the forum)?

Quote
But if we start with only TLS, the second attempt to connect now also fails.

I am not sure if I understand this scenario right, sorry. Do you mean that the first attempt (TLSv1.0-only) fails too? Exactly what set of versions are you using for the second attempt here?

Quote
I don't understand enough to know why you document that SSLv2 and TLS cannot be selected unless SSLv3 is also selected, though if this were possible it might work.

Enabling SSLv2 and TLS without enabling SSLv3.0 is not possible in principle due to limitations of the protocol. Basically, when sending out its hello message, the client provides the highest and the lowest protocol versions it supports. Any version between the highest and the lowest is implicitly assumed to be also supported.

Quote
Does your POODLE article last year need to be updated, and what are the downsides of logging in to outlook.com with SSLv3 enabled along with SSLv2 and TLS?

We are going to review it shortly, thank you for the suggestion. The described technique is unlikely to change though (so the changes might be specific to the exact versions referenced). What you should take special care of is that the protocols from SSLv2.0 to TLSv1.0 will stop being reasonably good practice next summer (SSLv2.0 stopped being so years ago), so you might consider preparing your software for TLSv1.1 and TLSv1.2 scenarios only.

By the way, did you actually try connecting to outlook.com with only TLSv1.2 enabled? I remember it worked for me in that mode some time ago.

Ken
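The two points above (the hello only carries a lowest and highest version, so everything between is implicitly offered; and Wireshark showing an "SSLv2" record that actually requests TLS) as an added illustration in Python. This is not SecureBlackbox code and the sample hello bytes are constructed, not taken from the poster's capture; the version names and helper functions are my own.

```python
# Protocol versions in negotiation order and their on-the-wire (major, minor) codes.
ORDER = ["SSLv2", "SSLv3", "TLS1.0", "TLS1.1", "TLS1.2"]
WIRE = {"SSLv2": (2, 0), "SSLv3": (3, 0), "TLS1.0": (3, 1),
        "TLS1.1": (3, 2), "TLS1.2": (3, 3)}
NAME = {code: name for name, code in WIRE.items()}


def implied_versions(enabled):
    """Versions the peer may pick: the hello advertises only the lowest and the
    highest enabled version, so every version in between is offered as well."""
    idx = sorted(ORDER.index(v) for v in enabled)
    if not idx:
        raise ValueError("at least one version must be enabled")
    return ORDER[idx[0]:idx[-1] + 1]


def implicitly_enabled(enabled):
    """Versions offered on the wire although they were not explicitly enabled.
    A non-empty result (typically SSLv3) is the POODLE exposure to look for."""
    return [v for v in implied_versions(enabled) if v not in enabled]


def hello_version_fields(hello):
    """Return (record_format, client_version) from raw ClientHello bytes, i.e. the
    two things Wireshark summarises as e.g. 'SSLv2' record carrying a 'TLS 1.0' hello."""
    # SSLv2-format record: 2-byte length with the top bit set, then MSG-CLIENT-HELLO (0x01)
    # and CLIENT-VERSION, which is the highest version the client supports.
    if len(hello) >= 5 and hello[0] & 0x80:
        if hello[2] != 0x01:
            raise ValueError("not an SSLv2-format client hello")
        return "SSLv2", NAME[(hello[3], hello[4])]
    # TLS-format record: type 0x16 (handshake), record version, length, then
    # handshake type 0x01 (ClientHello), 3-byte length, client_version.
    if len(hello) >= 11 and hello[0] == 0x16 and hello[5] == 0x01:
        return NAME[(hello[1], hello[2])], NAME[(hello[9], hello[10])]
    raise ValueError("unrecognised client hello")


# Constructed samples (not real captures): an SSLv2-format hello whose CLIENT-VERSION
# is TLS 1.0, and a TLS-format hello with record version TLS 1.0 and client_version TLS 1.2.
SSL2_FORMAT_HELLO = bytes([0x80, 0x09, 0x01, 0x03, 0x01,
                           0x00, 0x00, 0x00, 0x00, 0x00, 0x00])
TLS_FORMAT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x06,
                          0x01, 0x00, 0x00, 0x02, 0x03, 0x03])

if __name__ == "__main__":
    print("SSLv2 + TLS1.0 implicitly offers:", implicitly_enabled(["SSLv2", "TLS1.0"]))
    print("TLS1.1 + TLS1.2 implicitly offers:", implicitly_enabled(["TLS1.1", "TLS1.2"]))
    print(hello_version_fields(SSL2_FORMAT_HELLO), hello_version_fields(TLS_FORMAT_HELLO))
```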
#35224
Posted: 12/14/2015 07:27:32
by Tim Frost (Standard support level)
Joined: 07/20/2007
Posts: 17

Thanks for the explanations: I have responded in ticket 28959 and uploaded PCAP files.
