[BlueOnyx:16212] Re: SSL v3 POODLE vulnerability

Dirk Estenfeld dirk.estenfeld at bpanet.de
Fri Oct 17 10:51:14 -05 2014


Hello,

modify line 138 in file /etc/httpd/conf.d/ssl_perl.conf and restart apache for the VSites.
And modify line 46 in file /etc/admserv/conf.d/ssl.conf for admserv. Restart admserv after change.

Best regards,
Dirk


Black Point Arts Internet Solutions GmbH - Hanauer Landstrasse 423a - 60314 Frankfurt



From: blueonyx-bounces at mail.blueonyx.it [mailto:blueonyx-bounces at mail.blueonyx.it] On behalf of Matt James
Sent: Friday, 17 October 2014 14:53
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:16211] Re: SSL v3 POODLE vulnerability

Hi Michael,

Thanks for the great instructions!  We really appreciate how on top of this you are.

I was able to shut off SSL3 for ProFTPd no problem, but my work to turn it off for Apache came up short.  I'm running a 5107R and was unable to find the "SSLProtocol +ALL -SSLv2" reference in /usr/sausalito/handlers/base/apache/virtual_host.pl.  I did a search for "SSL" looking for similar lines and found only unrelated strings.  Can you confirm that this is the file to edit for a 5107R?

Thanks!

--
Matt James
RainStorm, Inc<http://rainstorminc.com>
(207) 866-3908 x54

On Oct 14, 2014, at 10:54 PM, Michael Stauber <mstauber at blueonyx.it> wrote:


Hi all,


I'll do some more digging and will eventually push an update that
disables the SSL v3.0 protocol on all BlueOnyx versions. But I'll give
it a few days as I want to do some more digging.

I just did some digging and testing on EL6 based BlueOnyx (5107R, 5207R,
5108R, 5208R). In order to disable SSLv3 entirely the following needs to
be done:

ProFTPd:
========

/etc/proftpd.conf
Change ...
  TLSProtocol SSLv3 TLSv1
... to ...
  TLSProtocol TLSv1
/sbin/service xinetd restart

I'll eventually build an updated proftpd and publish it to the YUM
repositories.

Apache:
========

Pretty straightforward:

In /usr/sausalito/handlers/base/apache/virtual_host.pl:
Change ...
  SSLProtocol +ALL -SSLv2
... to ...
  SSLProtocol +ALL -SSLv3 -SSLv2
Run /usr/sausalito/sbin/SSL_fixer.pl to update all VSites that have SSL
enabled to inherit the new configuration.

Dovecot:
========

This is the nasty bugger. On EL6 we're using Dovecot 2.0.9 as provided
by RedHat, CentOS or SL. Even though our OpenSSL supports TLSv1.2, this
Dovecot doesn't. It's simply too old for that. I tried to force it to not
use SSLv3 but to use TLSv1.0 instead. That didn't work. It started, but
my Thunderbird on Ubuntu 14.04 LTS still insisted on connecting via
SSLv3, for which this Dovecot then no longer has ciphers.

Ideally we'd need to update to Dovecot 2.2.X (v2.2.14 is the newest at
the time of this writing), which supposedly supports TLSv1.2 and Perfect
Forward Secrecy.

That then means I'd have to maintain Dovecot-2.2 out of the BlueOnyx
YUM repositories to provide updates for it, which is right now handled
by upstream OS updates.

Sendmail:
========

I'm not sure if I want to mess with its ciphers and protocols, as it
kinda works pretty well as is.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
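As an added check for the Apache and ProFTPd changes discussed in this thread (this is not BlueOnyx code and not from anyone on the list), the script below reads a config file and reports whether its `SSLProtocol` or `TLSProtocol` line still leaves SSLv3 enabled. It evaluates the directive tokens left to right the way mod_ssl does, so `+ALL -SSLv2` counts as enabled, `+ALL -SSLv3 -SSLv2` and a bare `TLSv1` count as disabled, and a missing directive is treated as enabled because mod_ssl of that era enabled SSLv3 by default. The sample files it creates are constructed here to mirror the before/after lines in Michael's mail; on a real box you would point it at /etc/proftpd.conf, /etc/httpd/conf.d/ssl_perl.conf or /etc/admserv/conf.d/ssl.conf after restarting the services. Treating ProFTPd's `SSLv23` token as "everything" is an assumption of this example.

```shell
#!/bin/sh
# Added audit helper (not BlueOnyx code, not from the list thread): report
# whether an Apache-style SSLProtocol or ProFTPd TLSProtocol line still
# enables SSLv3. Meant for a cron job or a post-change sanity check.

# sslv3_disabled FILE DIRECTIVE
# Exit 0 when every uncommented DIRECTIVE line in FILE leaves SSLv3 out,
# 1 when a line still enables it or when the directive is absent.
# Tokens are evaluated left to right like mod_ssl: "all"/"+all" (and, as an
# assumption for ProFTPd, "SSLv23") turn SSLv3 on, a later "-SSLv3" turns it
# off, and a bare list such as "TLSv1" never turns it on.
sslv3_disabled() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                     # skip comment lines
        tolower($1) == want {
            found = 1; on = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i); sign = substr(t, 1, 1); name = t
                if (sign == "+" || sign == "-") name = substr(t, 2)
                if (name == "all" || name == "sslv23") {
                    if (sign != "-") on = 1
                } else if (name == "sslv3") {
                    on = (sign == "-") ? 0 : 1
                }
            }
            if (on) bad = 1
        }
        END { if (found && !bad) exit 0; exit 1 }
    ' "$1"
}

# report FILE DIRECTIVE: one-line verdict, exit status passed through.
report() {
    if sslv3_disabled "$1" "$2"; then
        echo "OK       $1: $2 does not enable SSLv3"
    else
        echo "WARNING  $1: $2 still enables SSLv3 (or is missing)"
        return 1
    fi
}

# Constructed sample files (not the live configs) mirroring the before/after
# lines from the thread, so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
printf 'SSLProtocol +ALL -SSLv2\n'               > "$SAMPLE_DIR/apache_before.conf"
printf 'SSLProtocol +ALL -SSLv3 -SSLv2\n'        > "$SAMPLE_DIR/apache_after.conf"
printf '# SSLProtocol all\nSSLProtocol TLSv1\n'  > "$SAMPLE_DIR/apache_tlsonly.conf"
printf '  TLSProtocol SSLv3 TLSv1\n'             > "$SAMPLE_DIR/proftpd_before.conf"
printf '  TLSProtocol TLSv1\n'                   > "$SAMPLE_DIR/proftpd_after.conf"
printf 'ServerName example.invalid\n'            > "$SAMPLE_DIR/no_directive.conf"

for f in apache_before apache_after apache_tlsonly no_directive; do
    report "$SAMPLE_DIR/$f.conf" SSLProtocol || true
done
for f in proftpd_before proftpd_after; do
    report "$SAMPLE_DIR/$f.conf" TLSProtocol || true
done
```

The check only looks at lines that begin with the directive, so it is meant for the rendered config files the services actually read, not for the Perl handler (virtual_host.pl) that prints them; verifying the rendered files is also what tells you whether SSL_fixer.pl or the restart actually took effect.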
