====== Ubuntu - SSL - Check for Poodle bug ======

The **POODLE** bug is a new bug discovered by Google in the **SSLv3** protocol.

The fix is easy: disable support for SSLv3.

See the Google security blog for more info on the bug: http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html.

Use the following command to check an IP or hostname:

<code bash>
echo | timeout 3 openssl s_client -connect HOSTNAMEORIPADDRESS:443 >/dev/null 2>&1; if [[ $? != 0 ]]; then echo "UNKNOWN: HOSTNAMEORIPADDRESS timeout or connection error"; else echo | openssl s_client -connect HOSTNAMEORIPADDRESS:443 -ssl3 2>&1 | grep -qo "sslv3 alert handshake failure\|SSL3_GET_RECORD:wrong version number" && echo "OK: HOSTNAMEORIPADDRESS Not vulnerable" || echo "FAIL: HOSTNAMEORIPADDRESS vulnerable; sslv3 connection accepted"; fi
</code>

**NOTE:** Replace **HOSTNAMEORIPADDRESS** with the actual hostname or IP address.

If you use SNI, add the **-servername sharewiz.net** option to the 2 OpenSSL commands, like so:

<code bash>
openssl s_client -servername snihostname.org -connect 172.16.30.5:443 -ssl3
</code>

----

===== Examples =====

**Non-vulnerable website:**

<code bash>
echo | timeout 3 openssl s_client -connect sharewiz.net:443 >/dev/null 2>&1; if [[ $? != 0 ]]; then echo "UNKNOWN: sharewiz.net timeout or connection error"; else echo | openssl s_client -connect sharewiz.net:443 -ssl3 2>&1 | grep -qo "sslv3 alert handshake failure\|SSL3_GET_RECORD:wrong version number" && echo "OK: sharewiz.net Not vulnerable" || echo "FAIL: sharewiz.net vulnerable; sslv3 connection accepted"; fi
</code>

result:

<code>
OK: sharewiz.net Not vulnerable
</code>

**Vulnerable site:**

<code bash>
echo | timeout 3 openssl s_client -connect sslv3-testhost.com:443 >/dev/null 2>&1; if [[ $? != 0 ]]; then echo "UNKNOWN: sslv3-testhost.com timeout or connection error"; else echo | openssl s_client -connect sslv3-testhost.com:443 -ssl3 2>&1 | grep -qo "sslv3 alert handshake failure\|SSL3_GET_RECORD:wrong version number" && echo "OK: sslv3-testhost.com Not vulnerable" || echo "FAIL: sslv3-testhost.com vulnerable; sslv3 connection accepted"; fi
</code>

result:

<code>
FAIL: sslv3-testhost.com vulnerable; sslv3 connection accepted
</code>

**Site without SSL:**

<code bash>
echo | timeout 3 openssl s_client -connect sharewiz.net:443 >/dev/null 2>&1; if [[ $? != 0 ]]; then echo "UNKNOWN: sharewiz.net timeout or connection error"; else echo | openssl s_client -connect sharewiz.net:443 -ssl3 2>&1 | grep -qo "sslv3 alert handshake failure\|SSL3_GET_RECORD:wrong version number" && echo "OK: sharewiz.net Not vulnerable" || echo "FAIL: sharewiz.net vulnerable; sslv3 connection accepted"; fi
</code>

result:

<code>
UNKNOWN: sharewiz.net timeout or connection error
</code>

You can check other ports by changing 443 to any other valid port.
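
The one-liners above report FAIL whenever the two rejection strings are missing, which also happens when the local OpenSSL build has no SSLv3 support and rejects the **-ssl3** option itself. The script below is an added example (not from the original page) that reports FAIL only when s_client shows a negotiated cipher; the function names, the "unknown option" match and the "Cipher is" check are assumptions of this example.

```bash
#!/bin/sh
# Added example: stricter verdict for the SSLv3 probe.
# classify_sslv3 <captured s_client output>  ->  prints OK, FAIL or UNKNOWN

classify_sslv3() {
    out="$1"

    # The local client refused the -ssl3 option (SSLv3 compiled out):
    # nothing was sent to the server, so no verdict is possible.
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        echo UNKNOWN
        return 0
    fi

    # The two rejection strings used on this page (matched case-insensitively).
    if printf '%s\n' "$out" | grep -qiE \
        'sslv3 alert handshake failure|SSL3_GET_RECORD:wrong version number'; then
        echo OK
        return 0
    fi

    # Positive evidence of a completed handshake: a real cipher name,
    # i.e. "Cipher is <name>" rather than "Cipher is (NONE)".
    if printf '%s\n' "$out" | grep -qE 'Cipher is [^(]'; then
        echo FAIL
        return 0
    fi

    # Timeout, refused connection, or output this script does not recognise.
    echo UNKNOWN
}

# check_sslv3 <host> [port] [sni-name]: run the probe once and print the verdict.
check_sslv3() {
    host="$1"
    port="${2:-443}"
    sni="$3"
    if [ -n "$sni" ]; then
        out=$(echo | timeout 3 openssl s_client -servername "$sni" \
            -connect "$host:$port" -ssl3 2>&1) || true
    else
        out=$(echo | timeout 3 openssl s_client -connect "$host:$port" -ssl3 2>&1) || true
    fi
    echo "$(classify_sslv3 "$out"): $host:$port"
}
```

Call it as ''check_sslv3 HOSTNAMEORIPADDRESS 443''; an UNKNOWN result means the probe should be repeated from a client that still supports SSLv3.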