tomcat-users mailing list archives

From "James H. H. Lampert" <jam...@touchtonecorp.com>
Subject Re: More, Re: Question about vulnerability report
Date Mon, 08 Aug 2016 18:31:04 GMT
Hmm. This is interesting.

pentest-tools.com says that neither our server nor the customer server 
is vulnerable to POODLE.

But Site24x7.com says ours IS vulnerable to POODLE. Then (when I click 
"View Result") it says it isn't. Then (when I actually run the test 
again) it once again says it is. (I haven't tested the customer site 
because results are posted on the test home page, which would compromise 
the customer's privacy.)

Some other POODLE test sites don't appear to work at all. Others say 
we're not vulnerable.

Manually testing both servers with
> curl -v3 -X HEAD https://www.example.com
from a BASH session on my Mac, as per
<http://chrisburgess.com.au/how-to-test-for-the-sslv3-poodle-vulnerability/>

comes back with the desired "failed handshake" message on both servers.

--
JHHL
