check for whether server still supports SSLv3 or not; it is important not to allow...

diff --git a/scripts/security/poodle_check.sh b/scripts/security/poodle_check.sh
new file mode 100644 (file)
index 0000000..b58eb13
--- /dev/null
+++ b/scripts/security/poodle_check.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+host="$1"; shift
+port="$1"; shift
+if [ -z "$port" ]; then
+  port=443
+fi
+
+if [ -z "$host" ]; then
+  echo "This test takes at least a hostname parameter for testing, and will also"
+  echo "accept an optional port parameter, e.g."
+  echo "  $(basename $0) garvey.edu 17001"
+  exit 1
+fi
+
+echo
+echo "about to try connecting; if this fails to stay connected, then you are not"
+echo "vulnerable to POODLE SSLv3 attack.  if it does connect, and you see the"
+echo "protocol SSLv3 listed, then the server at $host:$port"
+echo "is vulnerable to POODLE!"
+echo
+openssl s_client -ssl3 -host "$host" -port $port
+
+exit 0
+
+
+#could improve this by starting openssl connect in background 
+# and awaiting its exit.  if it doesn't exit in like 3 seconds,
+# then it probably connected.  at that point, print the error
+# message about vulnerability found, and show where the output
+# file from connect can be found for inspection.