Poodle and curl

I recently secured a server that was still susceptible to the Poodle vulnerability, which involved configuring Apache to no longer accept SSLv3 connections. However, after several hours, I noticed that a cron job that normally refreshes the contents of the client’s database via a curl command line call every half hour didn’t appear to be running anymore.

This is the command that was being fired off every half hour (URL changed to protect the innocent 🙂 ):

curl -L -s --user-agent 'Database Refresh Cron' 'https://serverhostname/db/?refresh'

Additionally, the requests stopped being logged in Apache’s logs at around the same time that I updated Apache’s configuration against the Poodle vulnerability. Curious about this, I ran the curl command manually and got this somewhat esoteric error message:

curl: (35) Unknown SSL protocol error in connection to serverhostname:443

Turns out, the server’s curl command was defaulting to attempting to connect using SSLv3, which had been disabled on the server. Fortunately, the fix turned out to be simple:

curl -L -s --tlsv1 --user-agent 'Database Refresh Cron' 'https://serverhostname/db/?refresh'

This threw me for a loop, so hopefully this tip helps someone out there!
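The failure above went unnoticed for hours because `-s` suppresses curl's error text, so the cron job had nothing to report. The following wrapper is an added example, not part of the original post: it keeps the `--tlsv1` fix, adds curl's `-S` and `-f` flags, and turns a non-zero exit (such as 35) into a line on stderr that cron will mail. The function names and the `CURL` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: cron wrapper that surfaces curl failures instead of hiding them.
# CURL is a hypothetical override hook so the wrapper can be exercised offline.
CURL="${CURL:-curl}"

# Map the curl exit codes most likely to hit a job like this to a short reason.
explain_curl_exit() {
    case "$1" in
        0)  echo "ok" ;;
        6)  echo "could not resolve host" ;;
        7)  echo "could not connect to host" ;;
        22) echo "server returned an HTTP error status" ;;
        28) echo "operation timed out" ;;
        35) echo "TLS/SSL handshake failed (client and server share no protocol version?)" ;;
        60) echo "server certificate could not be verified" ;;
        *)  echo "curl failed" ;;
    esac
}

# Run the refresh request; on failure, write one line to stderr and
# return curl's exit code so cron (or a monitor) sees the job as failed.
refresh_db() {
    url="$1"
    rc=0
    # -S shows errors even with -s; -f makes HTTP >= 400 exit with code 22.
    "$CURL" -L -s -S -f --tlsv1 \
        --user-agent 'Database Refresh Cron' "$url" || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "db refresh failed: curl exit $rc: $(explain_curl_exit "$rc")" >&2
    fi
    return "$rc"
}

# Invoke from cron as: refresh.sh --run 'https://serverhostname/db/?refresh'
if [ "${1:-}" = "--run" ]; then
    refresh_db "${2:?url required}"
    exit $?
fi
```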

 

Reboot

Retro can be pretty cool, but this was actually pretty sad. That’s a screenshot of our website dating back to 2002 (!), which has finally been replaced with the cleaner, more modern version you are seeing now. Never mind HTML5, responsive design, or embeddable fonts — our original site used tables for layout, query string parameters for language handling, and a long-outdated template engine. In fact, the original project dated back so far that CVS was used internally for source control up until a few years ago, when we finally migrated it, kicking and screaming, into Subversion, and then to Git last year.

Our new site isn’t exactly state of the art, but it’s modern, mobile-friendly, and quick-loading. I’m hopeful our next update won’t have to wait another 12 years…