From 7fff225444f15fe05d1b899881e5201b9e413fac Mon Sep 17 00:00:00 2001
From: Chris Koeritz <fred@gruntose.com>
Date: Tue, 21 Oct 2014 20:00:25 -0400
Subject: [PATCH] check for whether server still supports SSLv3 or not; it is
 important not to allow SSLv3 now due to POODLE vulnerability.  script could
 be improved a bit.

---
 scripts/security/poodle_check.sh | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 scripts/security/poodle_check.sh

diff --git a/scripts/security/poodle_check.sh b/scripts/security/poodle_check.sh
new file mode 100644
index 00000000..b58eb133
--- /dev/null
+++ b/scripts/security/poodle_check.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+host="$1"; shift
+port="$1"; shift
+if [ -z "$port" ]; then
+  port=443
+fi
+
+if [ -z "$host" ]; then
+  echo "This test takes at least a hostname parameter for testing, and will also"
+  echo "accept an optional port parameter, e.g."
+  echo "  $(basename $0) garvey.edu 17001"
+  exit 1
+fi
+
+echo
+echo "about to try connecting; if this fails to stay connected, then you are not"
+echo "vulnerable to POODLE SSLv3 attack.  if it does connect, and you see the"
+echo "protocol SSLv3 listed, then the server at $host:$port"
+echo "is vulnerable to POODLE!"
+echo
+openssl s_client -ssl3 -host "$host" -port $port
+
+exit 0
+
+
+#could improve this by starting openssl connect in background 
+# and awaiting its exit.  if it doesn't exit in like 3 seconds,
+# then it probably connected.  at that point, print the error
+# message about vulnerability found, and show where the output
+# file from connect can be found for inspection.
-- 
2.34.1