We recently pushed a GPO to clients to disable SSLV3, enforcing TLS. We also made a change on the Gateway to disable SSLV3.
We have had a number of sites that do not support TLS, so we have had to put bypasses into the gateway for these websites, allowing the client and remote webserver to negotiate an SSLV3 connection (with a corresponding exception in the GPO for those clients).
The content-gateway does not behave like the client: if TLS1.X fails and the site does not have secure renegotiation enabled, it stops. It does not then try to connect with a stepped-down version of TLS.
As our exceptions for SSLV3 sites build up, I'm curious what other users (especially those with both content-gateway and Hybrid products in use) are doing to effectively manage this.
Chrome and Firefox say support for SSLV3 will be disabled in the near future, and IE does not have a time commitment specified.
Given the majority of our users are laptop users and mobile, the use of public-hot-spots is a concern with regards to MITM-attacks.
Websense states that making a secure negotiation would require a rewrite of the product, so we appear stuck in a messy situation. It seems that if the hybrid service or gateway could identify a TLS1.2 negotiation failure and do essentially a retry using TLS1.2 (for example), this would fix some of the issues and make the service behave more like a client that retries.
Curious what other shops have done regarding this Poodle vulnerability and general SSL-Decryption functionality - any info much appreciated!
1. Have you disabled SSLV3 on your gateway?
2. Have you disabled SSLV3 on your clients?
3. Are you busy adding bypasses for sites?
4. If you use the Websense Hybrid service, do you have SSL decryption enabled? If so, what has been the user experience? Are there any pain points, and how much work is created to troubleshoot web site access or add exceptions?
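As an added example (not from the original post, and not Websense code), a Python script that audits a list of SSLv3 bypass hosts by stepping down through protocol versions the way a browser does, so a bypass can be removed once the site speaks TLS. The host names in the sample run are constructed, and `probe`, `highest_version` and `audit` are hypothetical helper names.

```python
import socket
import ssl
from typing import Callable, Dict, Iterable, Optional

# Tried highest first: this is the step-down a browser performs and the
# content gateway described in the post does not.
VERSIONS = ["TLSv1_2", "TLSv1_1", "TLSv1", "SSLv3"]


def probe(host: str, port: int, version: str, timeout: float = 5.0) -> bool:
    """One handshake pinned to exactly `version`; True if the server completes it.

    Certificate verification is off because this is a protocol inventory,
    not a trust check. Modern OpenSSL builds refuse SSLv3 outright; the pin
    then raises ValueError and the version is reported as not negotiable.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = getattr(ssl.TLSVersion, version)
        ctx.maximum_version = getattr(ssl.TLSVersion, version)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False


Prober = Callable[[str, int, str], bool]


def highest_version(host: str, port: int = 443, try_version: Prober = probe) -> Optional[str]:
    """Return the first entry of VERSIONS the host handshakes at, or None."""
    for version in VERSIONS:
        if try_version(host, port, version):
            return version
    return None


def audit(bypass_hosts: Iterable[str], try_version: Prober = probe) -> Dict[str, str]:
    """'remove' = now speaks TLS, 'keep' = SSLv3 only, 'investigate' = no handshake."""
    verdicts = {}
    for host in bypass_hosts:
        best = highest_version(host, 443, try_version)
        verdicts[host] = "investigate" if best is None else ("keep" if best == "SSLv3" else "remove")
    return verdicts


if __name__ == "__main__":
    # Constructed offline stand-in for the network; swap for `probe` against a real bypass list.
    simulated = {"upgraded.example": {"TLSv1_2", "TLSv1"}, "legacy.example": {"SSLv3"}}
    fake = lambda h, p, v: v in simulated.get(h, set())
    print(audit(["upgraded.example", "legacy.example", "offline.example"], fake))
```

Run with the real `probe` against the gateway's bypass list and remove every host marked "remove".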