Apache Webserver in XAMPP 1.7.5 - poodle fix not working

Postby sridhar1980 » 15. December 2014 13:14

We installed XAMPP 1.7.5 on Windows. To fix the POODLE issue we disabled SSLv3 in the httpd-ssl.conf file using the setting "SSLProtocol All -SSLv2 -SSLv3".
But SSLv3 is not disabled. We tried moving the setting to all possible places in this file, but this is not working.

Could anyone guide us on this?
sridhar1980
 
Posts: 4
Joined: 15. December 2014 13:02
Operating System: Windows 2008 server

Re: Apache Webserver in XAMPP 1.7.5 - poodle fix not working

Postby sridhar1980 » 15. January 2015 10:10

Can someone give pointers on this?
sridhar1980
 
Posts: 4
Joined: 15. December 2014 13:02
Operating System: Windows 2008 server

Re: Apache Webserver in XAMPP 1.7.5 - poodle fix not working

Postby gsmith » 16. January 2015 20:59

You could try;

SSLProtocol -All +TLSv1

How do you know it's still serving via SSLv3?
gsmith
 
Posts: 194
Joined: 29. November 2013 18:04
Location: San Diego
XAMPP version: 0.0.0
Operating System: Win XP to 2012R2/VS 6,9,11,14

Re: Apache Webserver in XAMPP 1.7.5 - poodle fix not working

Postby sridhar1980 » 10. February 2015 08:19

We used some test sites like poodlescan.com to check whether SSLv3 is disabled after applying the setting.
sridhar1980
 
Posts: 4
Joined: 15. December 2014 13:02
Operating System: Windows 2008 server

Re: Apache Webserver in XAMPP 1.7.5 - poodle fix not working

Postby gsmith » 10. February 2015 19:06

I'm not sure that test is accurate. It says my server is "vulnerable" but I know it's not. Try this;
https://www.ssllabs.com/ssltest

That is a much more in-depth scan than anything that popped up 24 hours after Poodle was announced. You are likely vulnerable due to a TLS protocol downgrade attack, however.

I have no idea what versions of Apache or OpenSSL you have since Sourceforge is in Disaster Recover Mode at this time and I cannot download it so I can also not give you any suggestions as to how to proceed. Your OpenSSL is obviously old however and probably vulnerable to more than just Poodle since there were a rash of problems discovered last year, some of which required upgrading OpenSSL.
gsmith
 
Posts: 194
Joined: 29. November 2013 18:04
Location: San Diego
XAMPP version: 0.0.0
Operating System: Win XP to 2012R2/VS 6,9,11,14

Re: Apache Webserver in XAMPP 1.7.5 - poodle fix not working

Postby gsmith » 10. February 2015 20:00

OK, Sourceforge is back. So you have Apache 2.2.21 w/ OpenSSL 1.0.0e (ouch).

Here's my suggestion:

First (important) make a backup of the files you will be replacing;
apache\bin\libeay32.dll
apache\bin\openssl.cnf
apache\bin\openssl.exe
apache\bin\ssleay32.dll
apache\modules\mod_ssl.so

Download the OpenSSL update for 2.2.29 from Apache Haus: https://www.apachehaus.com/cgi-bin/download.plx
Currently: Openssl-1.0.1l-update-2.2.29-x86.zip

Shut down/stop Apache.
Replace the files in your Apache with the ones in the zip file.
Start Apache.

If it fails, replace the files with the ones you made a backup of.
I guess you're simply out of luck short of updating your XAMPP.

This should work just fine, however. Since the Apache in XAMPP 1.7.5 came with OpenSSL 1.0.0e, and the PHP included uses 0.9.8r and PHP is loaded as a module, you could never have used the php_openssl extension anyway. This will not change.
gsmith
 
Posts: 194
Joined: 29. November 2013 18:04
Location: San Diego
XAMPP version: 0.0.0
Operating System: Win XP to 2012R2/VS 6,9,11,14

Re: Apache Webserver in XAMPP 1.7.5 - poodle fix not working

Postby sridhar1980 » 13. February 2015 13:08

Thanks for the suggestions. Let me try this and I will keep you posted.
sridhar1980
 
Posts: 4
Joined: 15. December 2014 13:02
Operating System: Windows 2008 server

