[BlueOnyx:16240] Re: SSL v3 POODLE vulnerability

Matt James matt at rainstorminc.com
Fri Oct 17 12:12:08 -05 2014


Dirk,

Terrific - thank you!

--
Matt James
RainStorm, Inc
(207) 866-3908 x54

On Oct 17, 2014, at 11:51 AM, Dirk Estenfeld <dirk.estenfeld at bpanet.de> wrote:

> Hello,
>  
> modify line 138 in file /etc/httpd/conf.d/ssl_perl.conf and restart apache for the VSites.
> And modify line 46 in file /etc/admserv/conf.d/ssl.conf for admserv. Restart admserv after change.
>  
> Best regards,
> Dirk
>  
> 
> Black Point Arts Internet Solutions GmbH - Hanauer Landstrasse 423a - 60314 Frankfurt
> 
> From: blueonyx-bounces at mail.blueonyx.it [mailto:blueonyx-bounces at mail.blueonyx.it] On behalf of Matt James
> Sent: Friday, 17 October 2014 14:53
> To: BlueOnyx General Mailing List
> Subject: [BlueOnyx:16211] Re: SSL v3 POODLE vulnerability
>  
> Hi Michael,
>  
> Thanks for the great instructions!  We really appreciate how on top of this you are.
>  
> I was able to shut off SSL3 for ProFTPd no problem, but my work to turn it off for Apache came up short.  I'm running a 5107R and was unable to find the "SSLProtocol +ALL -SSLv2" reference in /usr/sausalito/handlers/base/apache/virtual_host.pl.  I did a search for "SSL" looking for similar lines and found only unrelated strings.  Can you confirm that this is the file to edit for a 5107R?
>  
> Thanks!
>  
> --
> Matt James
> RainStorm, Inc
> (207) 866-3908 x54
>  
> On Oct 14, 2014, at 10:54 PM, Michael Stauber <mstauber at blueonyx.it> wrote:
> 
> Hi all,
> 
> I'll do some more digging and will eventually push an update that
> disables the SSL v3.0 protocol on all BlueOnyx versions. But I'll give
> it a few days as I want to do some more digging.
> 
> I just did some digging and testing on EL6 based BlueOnyx (5107R, 5207R,
> 5108R, 5208R). In order to disable SSLv3 entirely the following needs to
> be done:
> 
> ProFTPd:
> ========
> 
> /etc/proftpd.conf
> Change ...
>   TLSProtocol SSLv3 TLSv1
> ... to ...
>   TLSProtocol TLSv1
> /sbin/service xinetd restart
> 
> I'll eventually build an updated proftpd and publish it to the YUM
> repositories.
> 
> Apache:
> ========
> 
> Pretty straightforward:
> 
> In /usr/sausalito/handlers/base/apache/virtual_host.pl:
> Change ...
> SSLProtocol +ALL -SSLv2
> ... to...
> SSLProtocol +ALL -SSLv3 -SSLv2
> Run /usr/sausalito/sbin/SSL_fixer.pl to update all VSites that have SSL
> enabled to inherit the new configuration.
> 
> Dovecot:
> ========
> 
> This is the nasty bugger. On EL6 we're using Dovecot 2.0.9 as provided
> by RedHat, CentOS or SL. Even though our OpenSSL supports TLSv1.2, this
> Dovecot doesn't. It's simply too old for that. I tried to force it to not
> use SSLv3 but to use TLSv1.0 instead. That didn't work. It started, but
> my Thunderbird on Ubuntu 14.04 LTS still insisted on connecting via
> SSLv3, for which this Dovecot then no longer has ciphers.
> 
> Ideally we'd need to update to Dovecot 2.2.X (v2.2.14 is the newest at
> the time of this writing), which supposedly supports TLSv1.2 and Perfect
> Forward Secrecy.
> 
> Which then means I'd have to maintain Dovecot-2.2 out of the BlueOnyx
> YUM repositories to provide updates for it. Which is right now handled
> by upstream OS updates.
> 
> Sendmail:
> ========
> 
> I'm not sure if I want to mess with its ciphers and protocols, as it
> kinda works pretty well as is.
> 
> -- 
> With best regards
> 
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx

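A small audit helper for the directive changes Michael and Dirk describe above. It is an added example for this thread, not BlueOnyx code or anything from its handlers: it evaluates Apache mod_ssl `SSLProtocol` values with the parser's own semantics (`+` adds, `-` removes, and a bare keyword replaces the whole set, so the order of tokens matters) and ProFTPd mod_tls `TLSProtocol` values as a plain protocol list, then reports every occurrence in a config file that still leaves SSLv3 enabled. The VirtualHost and proftpd.conf snippets inside it are constructed for the demo; the `SSLProtocol` values themselves are the before/after pair from the thread plus one ordering mistake worth knowing about.

```python
"""Configuration audit for the SSLv3 changes discussed in this thread.

Added example, not BlueOnyx code. It evaluates Apache mod_ssl `SSLProtocol`
and ProFTPd mod_tls `TLSProtocol` values and reports every occurrence in a
config file that still leaves SSLv3 enabled. All sample config text below is
constructed for the demo.
"""
import re

# Protocol keywords mod_ssl accepts (TLSv1.1/1.2 need an OpenSSL >= 1.0.1
# build; on such a build "all" expands to every keyword here). Matching is
# case-insensitive, which is why "+ALL" in the thread's directive works.
APACHE_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
PROFTPD_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def _canonical(name, known):
    """Map a keyword to its canonical spelling, or raise on an unknown one."""
    for proto in known:
        if proto.lower() == name.lower():
            return proto
    raise ValueError("unknown protocol keyword: %r" % name)


def apache_enabled_protocols(value):
    """Evaluate an SSLProtocol value with mod_ssl's semantics.

    '+name' adds to the set, '-name' removes from it, and a bare name
    REPLACES the whole set (mod_ssl logs a warning when that discards
    earlier tokens). Order therefore matters: "-SSLv3 all" ends with
    everything enabled, "all -SSLv3" does not.
    """
    enabled = set()
    for tok in value.split():
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() == "all":
            names = set(APACHE_PROTOCOLS)
        else:
            names = {_canonical(name, APACHE_PROTOCOLS)}
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = names
    return enabled


def proftpd_enabled_protocols(value):
    """Evaluate a mod_tls TLSProtocol value: a plain list of the protocols
    to allow, so the fix in the thread is simply dropping SSLv3 from it."""
    return {_canonical(tok, PROFTPD_PROTOCOLS) for tok in value.split()}


def audit(config_text, directive, evaluate):
    """Return (line number, sorted enabled protocols, sslv3_still_enabled)
    for each non-comment line that sets `directive`."""
    pattern = re.compile(r"^\s*%s\s+(.+?)\s*$" % re.escape(directive), re.I)
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        match = pattern.match(line)
        if match:
            enabled = evaluate(match.group(1))
            findings.append((lineno, sorted(enabled), "SSLv3" in enabled))
    return findings


# Constructed sample: the "before" value from the thread, the fixed value,
# and an ordering mistake that silently re-enables SSLv3.
SAMPLE_HTTPD = """\
<VirtualHost 10.0.0.1:443>
    # as shipped before the fix
    SSLProtocol +ALL -SSLv2
</VirtualHost>
<VirtualHost 10.0.0.2:443>
    # the replacement from the thread
    SSLProtocol +ALL -SSLv3 -SSLv2
</VirtualHost>
<VirtualHost 10.0.0.3:443>
    # bare "all" after "-SSLv3" replaces the set: SSLv3 is back
    SSLProtocol -SSLv3 all
</VirtualHost>
"""

# Constructed /etc/proftpd.conf excerpts, before and after the change.
SAMPLE_PROFTPD_BEFORE = "TLSEngine on\nTLSProtocol SSLv3 TLSv1\n"
SAMPLE_PROFTPD_AFTER = "TLSEngine on\nTLSProtocol TLSv1\n"


def report(findings, label):
    """Print one line per occurrence; return how many still allow SSLv3."""
    bad = 0
    for lineno, enabled, sslv3 in findings:
        bad += int(sslv3)
        print("%s:%d %s -> %s" % (label, lineno, ",".join(enabled),
                                  "SSLv3 ENABLED" if sslv3 else "ok"))
    return bad


if __name__ == "__main__":
    report(audit(SAMPLE_HTTPD, "SSLProtocol", apache_enabled_protocols), "httpd")
    report(audit(SAMPLE_PROFTPD_BEFORE, "TLSProtocol", proftpd_enabled_protocols), "proftpd-before")
    report(audit(SAMPLE_PROFTPD_AFTER, "TLSProtocol", proftpd_enabled_protocols), "proftpd-after")
```

Run it against the real files instead of the constructed samples by reading `/etc/httpd/conf.d/ssl_perl.conf`, `/etc/admserv/conf.d/ssl.conf` and `/etc/proftpd.conf` into `audit()`; after the edits in the thread and the SSL_fixer.pl run, every `SSLProtocol` and `TLSProtocol` line should report `ok`.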