The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack
takes advantage of a vulnerability in Secure Socket Layer (SSL)
version 3.0. The POODLE attack can be used against any system or
application that supports SSL version 3.0 with cipher-block chaining
(CBC) mode ciphers. There is currently no fix for the vulnerability in
SSL version 3.0 itself as the issue is fundamental to the protocol.
It is recommended that all SSL version 3.0 users convert to TLS.
The POODLE attack can also be used against TLS by forcing a downgrade
to SSL 3.0 in the TLS handshake. TN3270 Plus does not request or
accept a downgrade from TLS to SSL 3.0 in the TLS handshake, so a TN3270 Plus
TLS encryption selection cannot be compromised by trying to force a
downgrade to SSL 3.0.
More information about the POODLE Vulnerability can be found on the
following web sites.
Since this vulnerability is inherent in the SSL version 3.0 protocol,
it affects all TN3270 Plus systems that use SSLv3.
The TN3270 Plus Release 3.7.4 and 3.7.5 SSL feature includes support for SSL
Version 2, SSL Version 3, TLS version 1, TLS version 1.1 and TLS
The TN3270 Plus Release 4.0.0 and above SSL feature includes support for
TLS version 1, TLS version 1.1 and TLS version 1.2 (SSLv2 and SSLv3
have been removed due to inherent security vulnerabilities.)
Recommendations for TN3270 Plus Users
If you are using SSL version 2.0 or SSL version 3.0, convert to
TLS version 1, 1.1 or 1.2 (Setup, Security, Encryption Protocol = TLSv1,
TLSv1.1 or TLSv1.2). This may require an update to software on the
host computer to
support TLS. TLS versions 1.1 and 1.2 are supported in TN3270 Plus
release 3.7.4 and 3.7.5.
If you must use SSL because the host computer does not support
TLS, we recommend you use a cipher that does not use cipher-block
chaining (CBC) mode. You can use the TN3270 Plus Cipher Selection
dialog box (Setup, Security, Ciphers button, "Remove all CBC
ciphers" button) to remove all CBC mode ciphers from the Selected
Ciphers list. As long as the host computer supports one of the
remaining ciphers you will be able to create an SSL connection. Cipher
Selection for SSLv3 is included in TN3270 Plus release 3.7.4 and
Plus 4.0.0 and above do not support SSLv2 and SSLv3.
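
The following is an added example, not TN3270 Plus code: a Python sketch of the filtering that removing all CBC ciphers from a selected-ciphers list implies, useful for auditing a cipher list outside the dialog box. The function names and the sample list are constructed for illustration, and the naming styles handled (IANA-style and OpenSSL-style) are an assumption, since the page does not say how TN3270 Plus names its ciphers.

```python
import re

# Name tokens that mark a stream cipher, an AEAD mode, or no encryption at all.
NON_CBC_TOKENS = {"RC4", "GCM", "CCM", "CCM8", "CHACHA20", "NULL"}


def is_cbc_suite(name):
    """Return True if the cipher suite name denotes (or may denote) a CBC-mode cipher."""
    tokens = re.split(r"[-_]", name.upper())
    # Explicit marker: IANA "..._CBC_..." and OpenSSL "DES-CBC3-SHA", "EXP-RC2-CBC-MD5".
    if any(t.startswith("CBC") for t in tokens):
        return True
    if NON_CBC_TOKENS.intersection(tokens):
        return False
    # OpenSSL-style names such as "AES128-SHA" omit the mode and are CBC.
    # Unrecognised names land here too and are treated as CBC (conservative).
    return True


def remove_cbc(selected):
    """Split a selected-ciphers list into (kept, removed), preserving order."""
    kept = [s for s in selected if not is_cbc_suite(s)]
    removed = [s for s in selected if is_cbc_suite(s)]
    return kept, removed


# Constructed sample list mixing IANA-style and OpenSSL-style names.
SAMPLE = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "AES256-SHA",
    "DES-CBC3-SHA",
    "RC4-MD5",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

if __name__ == "__main__":
    kept, removed = remove_cbc(SAMPLE)
    print("kept:   ", kept)
    print("removed:", removed)
    if not kept:
        print("no non-CBC cipher left; an SSL connection could not be negotiated")
```

OpenSSL-style names such as AES256-SHA carry no "CBC" marker even though they are CBC suites, so a plain substring search for "CBC" would leave them in the list.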