SSL/TLS Server Accepts SSLv3 Connections
Description
Detects whether a web server accepts connections over SSLv3, a deprecated and insecure protocol version. SSLv3 has critical vulnerabilities like POODLE that allow attackers to decrypt encrypted communications. Any server accepting SSLv3 connections is exposing users to significant security risks.
Detection Strategy
• A vulnerability is reported when the server accepts an SSLv3 client hello message and responds with a valid SSL handshake
• The detector attempts to establish an SSLv3 connection by sending a client hello offering multiple cipher suites
• The server must respond with a valid SSL handshake message indicating SSLv3 is supported
• The test fails securely if no connection can be established to the target host/port
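The check described in the list above, sketched as an added example (this is not Fluid Attacks' detector code). The function names, the offered cipher suite list and the verdict strings are assumptions of the example; raw sockets are used because current TLS libraries usually cannot speak SSLv3 at all.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"  # protocol version 3.0 on the wire
# Suites offered in the hello; this particular list is an assumption of the example.
CIPHERS = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)

def client_hello() -> bytes:
    """Build one SSLv3 record carrying a ClientHello that offers CIPHERS."""
    suites = b"".join(struct.pack("!H", c) for c in CIPHERS)
    body = SSL3 + os.urandom(32) + b"\x00"            # version, random, empty session id
    body += struct.pack("!H", len(suites)) + suites   # cipher suite list
    body += b"\x01\x00"                               # one compression method: null
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + SSL3 + struct.pack("!H", len(hs)) + hs

def classify(reply: bytes) -> str:
    """Map the first bytes of the server's reply to a verdict."""
    if len(reply) < 5:
        return "inconclusive"
    ctype, version = reply[0], reply[1:3]
    payload = reply[5:5 + struct.unpack("!H", reply[3:5])[0]]
    if ctype == 0x15:                                  # alert record: hello refused
        return "rejected"
    # Handshake record, ServerHello (type 2), and the server itself selected 3.0.
    if (ctype == 0x16 and version == SSL3 and len(payload) >= 6
            and payload[0] == 0x02 and payload[4:6] == SSL3):
        return "accepted"
    return "inconclusive"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the hello to host:port; only 'accepted' should raise a finding."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(client_hello())
            return classify(sock.recv(4096))
    except OSError:                                    # refused, timed out, reset
        return "no_connection"                         # fail securely: report nothing

if __name__ == "__main__":
    # Constructed replies (not captured traffic): a ServerHello and a fatal alert.
    hello = b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26" + SSL3 + bytes(33) + b"\x00\x2f\x00"
    print(classify(hello))
    print(classify(b"\x15\x03\x00\x00\x02\x02\x28"))
```

Checking the version inside the ServerHello, not just the record header, keeps a reply that negotiates a different version from being counted as SSLv3 support.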