As vulnerabilities go, the recent POODLE vulnerability’s growl is worse than its bite, much like the namesake dog breed. POODLE (Padding Oracle on Downgraded Legacy Encryption) is a “man in the middle” exploit affecting the SSLv3 protocol.

The gist of our response is that we have disabled support for SSLv3 on our clusters’ HTTP servers. The front-end proxies were updated yesterday to only accept TLS when using HTTPS endpoints. SSLv3 is an older protocol, and browser makers have already started removing support for it. We guessed that a tiny fraction — if any — of our customers were using this protocol, although we do not have a good way of verifying. Nevertheless, if your application server uses SSLv3 to communicate with your Qbox endpoint, you could be affected.

If you notice HTTPS communication with your cluster failing, you’ll probably see an error similar to “sslv3 handshake failure.” If this is the case, we apologize for the inconvenience, but security is our highest priority following a vulnerability disclosure. The fix is simple: just switch your client over to using TLS.
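As an added illustration (not Qbox code), here is one way to pin a client to TLS and confirm that it no longer offers SSLv3. It assumes a Python client using the standard `ssl` module; `cluster.example.invalid` is a placeholder hostname and the function names are hypothetical.

```python
import socket
import ssl

SSL3 = 0x0300  # wire version number of SSLv3


def tls_only_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Client context that verifies certificates and never goes below `minimum`."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum  # rules out SSLv3 and any fallback to it
    return ctx


def offered_version(ctx, hostname="cluster.example.invalid"):
    """Build the ClientHello in memory (no network) and return its
    client_version field: 0x0303 for TLS 1.2 and later, 0x0300 for SSLv3."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written, now waiting for a server reply
    hello = outgoing.read()
    # 5-byte record header, 4-byte handshake header, then client_version
    if len(hello) < 11 or hello[0] != 0x16 or hello[5] != 0x01:
        raise ValueError("not a ClientHello")
    return int.from_bytes(hello[9:11], "big")


def negotiated_protocol(host, port=443, timeout=5.0):
    """Connect to a real endpoint and report what was negotiated, e.g. 'TLSv1.2'."""
    ctx = tls_only_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    ctx = tls_only_context()
    print("ClientHello client_version: 0x%04x" % offered_version(ctx))
    # To check your own endpoint, call negotiated_protocol("<your endpoint host>")
```

Run `negotiated_protocol` against your own endpoint hostname to see which protocol version the connection actually settles on.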
