Our PasswordManager Pro 7.0 application installation flunks the POODLE vulnerability test (successfully handshakes with SSL3 protocol). I used the:
openssl s_client -state -nbio -no_ign_eof -connect <host>:443 -ssl3
test to validate that the SSL3 handshake was successfully negotiated:
openssl s_client -state -nbio -no_ign_eof -connect <server>:443 -ssl3
Loading 'screen' into random state - done
CONNECTED(00000134)
turning on non blocking io
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:error in SSLv3 read server hello A
write R BLOCK
SSL_connect:SSLv3 read server hello A
.... redacted....
---
SSL handshake has read 3616 bytes and written 276 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : EDH-RSA-DES-CBC3-SHA
....
....
Is there a place where we can configure the webserver to ignore SSL3?
Will a patch be issued to disable SSL3?
Thanks
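
The check described in the post, as an added example that is not part of the original post or of any vendor tooling: a shell function that reads an `openssl s_client ... -ssl3` transcript and reports whether SSLv3 was really negotiated with a CBC cipher suite, which is the POODLE-relevant case. The function names and verdict strings are hypothetical, and the refused-handshake sample is constructed.

```shell
#!/bin/sh
# Added example: classify the session summary of an
# `openssl s_client ... -ssl3` transcript read from stdin.
# Function and verdict names are hypothetical, not part of OpenSSL.
classify_ssl3_transcript() {
    awk '
        /^[ \t]*Protocol[ \t]*:/ { proto = $NF }
        /^[ \t]*Cipher[ \t]*:/   { cipher = $NF }
        END {
            if (proto == "") { print "no-session"; exit }
            # A refused handshake still prints "Protocol : SSLv3",
            # but with cipher 0000, so the cipher decides.
            if (cipher == "" || cipher == "0000" || cipher == "(NONE)") { print "rejected"; exit }
            if (proto != "SSLv3") { print "other-protocol"; exit }
            # In SSLv3 every suite except RC4 and NULL is CBC mode.
            if (cipher ~ /RC4|NULL/) { print "sslv3-non-cbc"; exit }
            print "sslv3-cbc"
        }'
}

# Succeeds only when SSLv3 was negotiated with a CBC suite (the POODLE case).
is_poodle_exposed() {
    [ "$(classify_ssl3_transcript)" = "sslv3-cbc" ]
}

# Session summary lines copied from the post above.
sample_accepted() {
cat <<'EOF'
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
SSL-Session:
Protocol : SSLv3
Cipher : EDH-RSA-DES-CBC3-SHA
EOF
}

# Constructed sample: what a server that refuses SSLv3 typically yields.
sample_rejected() {
cat <<'EOF'
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
EOF
}

echo "post transcript:    $(sample_accepted | classify_ssl3_transcript)"
echo "refused transcript: $(sample_rejected | classify_ssl3_transcript)"
```

Against a live server the input would come from `openssl s_client -connect <host>:443 -ssl3 </dev/null 2>&1 | classify_ssl3_transcript`, which requires an OpenSSL build that still supports `-ssl3`.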