Questions tagged [poodle-attack]

The POODLE (short for "Padding Oracle On Downgraded Legacy Encryption") attack is a man-in-the-middle exploit, disclosed in September 2014, which takes advantage of web browsers' fallback to SSL 3.0.

Its CVE ID is CVE-2014-3566.

74 questions
95
votes
16 answers

The client and server cannot communicate, because they do not possess a common algorithm - ASP.NET C# VB Visual Basic IIS TLS 1.0 / 1.1 / 1.2

I have an issue with a C# PayTrace Gateway. The below code was working fine until yesterday when I believe they turned off SSL3 due to the Poodle Exploit. When running the code below we got the following message. The remote server has forcefully…
TroySteven
82
votes
3 answers

Which versions of SSL/TLS does System.Net.WebRequest support?

Now that SSL 3 has been found to be vulnerable to the POODLE attack: Which versions of SSL/TLS does System.Net.WebRequest use when connecting to any https Uri? I use WebRequest to connect to several 3rd party APIs. One of these has now said they…
JK.
20
votes
1 answer

Will SSLContext.getInstance("TLS") support TLS v1.1 and TLS v1.2 also?

In my Java code I am creating one instance of SSL Context using the command SSLContext ctx = SSLContext.getInstance("TLS"); But in my Tomcat server I am setting TLSv1.2 and I am getting a handshake error. How can we support all the TLS protocols using…
mahan07
19
votes
8 answers

How to disable SSLv3 in Android for HttpsUrlConnection?

We wrote a client application in Android which connects with HTTPS servers using HttpsUrlConnection APIs. Due to the Poodle vulnerability, we need to disable SSLv3 from the list of enabled protocols while invoking any request. We followed the guidelines…
user1375399
16
votes
6 answers

Disable SSL as a protocol in HttpsURLConnection

Due to the POODLE vulnerability, my server, hosted in Amazon AWS, no longer supports SSLv3. As a result, the first HTTPS connection my Android app makes against the server results in an error when the connection is being established. Error…
GaRRaPeTa
16
votes
4 answers

Java http clients and POODLE

Regarding the POODLE vulnerability, if I understand it correctly, it requires a client that automatically downgrades TLS protocol to SSLv3 when failing to establish a secure channel with a server using higher version protocol advertised by the…
ykaganovich
14
votes
4 answers

How to enable SSL 3 in Java

Since Java 8 Update 31 the SSL 3 protocol is disabled by default due to security flaws in the SSL Protocol (see POODLE attack). Even if not recommended, how can it be enabled?
Evandro Pomatti
9
votes
1 answer

C# Enforcing HttpWebRequest to use Tls12 instead of SSLv3

I have an app that makes use of some web service and acquires data via JSON; all was working fine for quite a long time, up until the latest discoveries about SSLv3 being vulnerable to man-in-the-middle attacks and server owners turning off SSLv3 for good. My…
MoreThanChaos
7
votes
4 answers

Is it possible to disable SSLv3 for all Java applications?

Because of the Poodle attack it is now recommended to disable SSLv3 for client and server applications and only allow TLS 1.0 - TLS 1.2 connections. Is there a way to disable SSLv3 for all Java based applications (server and client) on a computer…
Robert
6
votes
1 answer

How would I support multiple versions of TLS on the client side?

Hi, I want to support multiple versions of TLS using the SSLV23 method on the client side. But I am not able to connect, getting error: SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure. Can anyone please tell me how I would support multiple versions of…
mahan07
5
votes
2 answers

What version of SSL/TLS does System.Web.Services.Protocols.SoapHttpClientProtocol use?

Now that SSL 3 has been found to be vulnerable to the POODLE attack: What version of SSL/TLS does System.Web.Services.Protocols.SoapHttpClientProtocol use when connecting to any https Uri? I use SoapHttpClientProtocol to connect to several 3rd party…
JK.
4
votes
2 answers

Intermittent SSL/TLS error using Azure SDK in Azure Website

I have an ASP.NET MVC website running .NET 4.5 in an Azure Website and I keep getting this error trying to retrieve or upload assets into Azure Blob Storage using the Azure SDK (version 4.3.0). The request was aborted: Could not create SSL/TLS…
Austin
4
votes
1 answer

Change ssl version with Net::HTTP and Ruby 1.8.7

One of my legacy Ruby applications still uses Ruby 1.8.7. It makes a lot of HTTP requests on third-party web services and some of them are over SSL. Those third-party services are dropping their support of SSLv3 as of the POODLE vulnerability and I'd…
jlecour
4
votes
1 answer

POODLE and efficiency of proposed TLS_FALLBACK_SCSV flag

Based on Recommendations in the original research: https://www.openssl.org/~bodo/ssl-poodle.pdf If man-in-the-middle (MITM) intercepts communication, assuming client's "Hello" with ciphers propagates in clear, what would preclude MITM from removing…
wick
4
votes
1 answer

Dropwizard TLS and SSL: deactivate SSLv3

Does someone know how to deactivate SSLv3? Does someone know if DW supports SSLv3 or how I can check what is supported by DW 0.7.1?
user3280180