
TN3270 Plus POODLE Security Alert


POODLE Vulnerability in SSL 3.0

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack takes advantage of a vulnerability in Secure Sockets Layer (SSL) version 3.0. The POODLE attack can be used against any system or application that supports SSL version 3.0 with cipher-block chaining (CBC) mode ciphers. There is currently no fix for the vulnerability in SSL version 3.0 itself, as the issue is fundamental to the protocol. It is recommended that all SSL version 3.0 users convert to TLS.

The POODLE attack can also be used against TLS by forcing a downgrade to SSL 3.0 in the TLS handshake. TN3270 Plus does not request or accept a downgrade from TLS to SSL 3.0 in the TLS handshake, so a TN3270 Plus TLS encryption selection cannot be compromised by trying to force a downgrade to SSL 3.0.

More information about the POODLE Vulnerability can be found on the following web sites.

https://www.us-cert.gov/ncas/alerts/TA14-290A

https://www.openssl.org/~bodo/ssl-poodle.pdf

Affected TN3270 Plus Versions

Since this vulnerability is inherent in the SSL version 3.0 protocol, it affects all TN3270 Plus systems that use SSLv3.

The TN3270 Plus Release 3.7.4 SSL feature includes support for SSL version 2, SSL version 3, TLS version 1, TLS version 1.1 and TLS version 1.2.

The TN3270 Plus Release 4.0.0 and above SSL feature includes support for TLS version 1, TLS version 1.1 and TLS version 1.2 (SSLv2 and SSLv3 have been removed due to inherent security vulnerabilities).

Recommendations for TN3270 Plus Users

If you are using SSL version 2.0 or SSL version 3.0, convert to TLS version 1, 1.1 or 1.2 (Setup, Security, Encryption Protocol = TLSv1, TLSv1.1 or TLSv1.2). This may require an update to software on the host computer to support TLS. TLS versions 1.1 and 1.2 are supported in TN3270 Plus release 3.7.4 and above.

If you must use SSL because the host computer does not support TLS, we recommend you use a cipher that does not use cipher-block chaining (CBC) mode. You can use the TN3270 Plus Cipher Selection dialog box (Setup, Security, Ciphers button, "Remove all CBC ciphers" button) to remove all CBC mode ciphers from the Selected Ciphers list. As long as the host computer supports one of the remaining ciphers, you will be able to create an SSL connection. Cipher Selection for SSLv3 is included in TN3270 Plus release 3.7.4. TN3270 Plus 4.0.0 and above do not support SSLv2 and SSLv3.
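The following Python is an added illustration, not SDI code, of the two mitigations above: a TLS selection that never falls back to SSLv3 when a host offers only legacy SSL, and the "Remove all CBC ciphers" filter that breaks POODLE's second precondition. The version names, the IANA-style cipher suite names and the sample host are constructed for the example; the last function applies the same no-CBC rule to the cipher suites the local OpenSSL build offers.

```python
import ssl

# Protocol versions named in the advisory, weakest first. SSLv2/SSLv3 are the
# legacy versions POODLE depends on; a TLS selection must never fall back to them.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
LEGACY_SSL = {"SSLv2", "SSLv3"}


def is_cbc_cipher(suite: str) -> bool:
    """True for an IANA-style suite name that uses a CBC-mode cipher."""
    return "_CBC_" in suite.upper()


def remove_cbc_ciphers(selected):
    """Same effect as the 'Remove all CBC ciphers' button: drop every CBC suite."""
    return [s for s in selected if not is_cbc_cipher(s)]


def negotiate(client_versions, host_versions):
    """Highest version both sides support. A client with any TLS version enabled
    never accepts SSLv2/SSLv3, so a forced downgrade yields no session (None)."""
    common = set(client_versions) & set(host_versions)
    if not LEGACY_SSL.issuperset(client_versions):
        common -= LEGACY_SSL
    return max(common, key=PROTOCOLS.index) if common else None


def poodle_exposed(client_versions, host_versions, selected_ciphers):
    """POODLE needs both an SSLv3 session and a CBC cipher; report whether the
    resulting connection (if any) still satisfies both conditions."""
    proto = negotiate(client_versions, host_versions)
    return proto == "SSLv3" and any(is_cbc_cipher(s) for s in selected_ciphers)


def local_non_cbc_ciphers():
    """Names of the suites the local OpenSSL offers that avoid CBC (AEAD only)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return [c["name"] for c in ctx.get_ciphers() if c["aead"]]


if __name__ == "__main__":
    # Constructed sample: a host that only speaks SSLv3, with one CBC suite selected.
    host = ["SSLv3"]
    suites = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"]
    print(negotiate(["TLSv1.2"], host))                                 # None
    print(poodle_exposed(["SSLv3"], host, suites))                      # True
    print(poodle_exposed(["SSLv3"], host, remove_cbc_ciphers(suites)))  # False
```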


