Protecting Against Vulnerabilities in SSL


The IETF deprecated SSL version 3.0 in 2015. This means that it is no longer standard to fall back to SSL 3.0 in protocol negotiations, and for good reason: there have been a host of vulnerabilities in Secure Sockets Layer, some of which are of particular concern to home networking devices that have web-based configuration tools or support TR-069.

We hadn’t brought up the POODLE vulnerability before, but it, along with other vulnerabilities found in older versions of SSL and TLS, can be exploited even if your DUT is using the most recent versions of these protocols. This happens when an attacker forces a connection failure that tricks the DUT into negotiating to an older (and vulnerable) version of the protocol.

With this deprecation, it is a protocol violation to fall back to this vulnerable version. You can test that your devices do not fall back to older versions by using CDRouter’s ssl.tcl test module, which tests that a DUT will refuse connections with both deprecated SSL protocols and deprecated cipher suites.

To enable this, you can add SSLv3 to the sslDeprecatedProtocols testvar before running these tests, for example:

sslDeprecatedProtocols "sslv2 sslv3"

These are actually the default values, but you can see the full list of deprecated protocols available to test here.
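
The refusal check described above can be pictured at the wire level. The following is an added example, not CDRouter's ssl.tcl code: it classifies the first bytes a DUT sends back after a client offers only a deprecated version. The function names, the TLS labels and the sample replies are assumptions constructed for illustration, and only SSLv3/TLS record framing is handled (SSLv2 uses a different record format).

```python
import struct

# Wire version numbers in SSLv3/TLS records. "sslv3" matches the testvar value on
# this page; the TLS labels are this example's own naming.
VERSIONS = {0x0300: "sslv3", 0x0301: "tls1.0", 0x0302: "tls1.1", 0x0303: "tls1.2"}
ALERT, HANDSHAKE, SERVER_HELLO = 21, 22, 2


def classify_reply(reply: bytes, deprecated: str = "sslv2 sslv3") -> str:
    """Classify a DUT's first reply to a ClientHello that offered only a
    deprecated version: 'refused', 'accepted:<proto>', 'negotiated:<proto>'
    or 'malformed'."""
    if not reply:
        return "refused"                       # connection closed with no answer
    if len(reply) < 5:
        return "malformed"
    ctype, _record_version, length = struct.unpack("!BHH", reply[:5])
    body = reply[5:5 + length]
    if len(body) < length:
        return "malformed"                     # truncated record
    if ctype == ALERT:
        return "refused"                       # alert sent in place of a ServerHello
    if ctype != HANDSHAKE or len(body) < 6 or body[0] != SERVER_HELLO:
        return "malformed"
    # Handshake header is type (1) + length (3); server_version follows.
    (server_version,) = struct.unpack("!H", body[4:6])
    proto = VERSIONS.get(server_version, hex(server_version))
    verdict = "accepted" if proto in deprecated.split() else "negotiated"
    return f"{verdict}:{proto}"


def record(ctype: int, version: int, payload: bytes) -> bytes:
    """Build one SSLv3/TLS record (used only to construct the samples below)."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def server_hello(version: int) -> bytes:
    """Constructed minimal ServerHello: version, 32-byte random, empty session
    id, cipher suite 0x000A, null compression."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x0a" + b"\x00"
    return record(HANDSHAKE, version, bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body)


# Constructed sample replies, not captured from a real device.
SAMPLES = {
    "closed": b"",
    "fatal handshake_failure alert": record(ALERT, 0x0301, bytes([2, 40])),
    "ServerHello at SSLv3": server_hello(0x0300),
}

if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(f"{name:32} -> {classify_reply(reply)}")
```

A DUT passes this check when every reply to a deprecated-only offer classifies as `refused`; an `accepted:sslv3` result means it completed the version negotiation it should have rejected.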