[BlueOnyx:16287] Re: Yum Updates: vs. SSLv3 "Pootle" Vulnerability

Dirk Estenfeld dirk.estenfeld at bpanet.de
Thu Oct 30 00:26:39 -05 2014


Michael,

now _all_ of our BO servers no longer accept FTP :(

Please check and fix this issue asap ...

Thank you and regards,
Dirk


-----------------------------------------------
Black Point Arts Internet Solutions GmbH - Hanauer Landstrasse 423a - 60314 Frankfurt


-----Original Message-----
From: blueonyx-bounces at mail.blueonyx.it [mailto:blueonyx-bounces at mail.blueonyx.it] On behalf of Michael Stauber
Sent: Thursday, 30 October 2014 03:45
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:16284] Yum Updates: vs. SSLv3 "Pootle" Vulnerability

Hi all,

I wish I could have done this sooner, but last week I was on a holiday.
The work was pretty complex, but is finally done:

The following YUM updates have just been published for BlueOnyx 5106R,
5107R, 5108R, 5207R and 5208R:

base-admserv-*
base-apache-*
base-email-*
dovecot-2.2.15-1BX01
proftpd-1.3.5-1BX1

They deal with the recently announced POODLE SSLv3 vulnerability and
turn off SSLv3 support for the services AdmServ (GUI), Apache, POP3/IMAP
and FTP.

Dovecot was updated to version 2.2.15 on all BlueOnyx versions. On 5106R
it supports only TLSv1.0, as the underlying OpenSSL is too old. On all
other BlueOnyx versions it supports TLSv1.2, TLSv1.1 and TLSv1.0.

ProFTPD was also updated to the latest version (v1.3.5), which
(finally!) handles TLSv1.2 as well as TLSv1.1 and TLSv1.0. But as
before: On BlueOnyx 5106R only TLSv1.0 is available due to the ancient
OpenSSL version that ships with CentOS5.

Caveats:
========

This is a somewhat massive and intrusive update. Especially so on 5106R,
where we went from Dovecot 1.1.X straight to the latest available
version. When Dovecot gets updated, it will need to recalculate the
2048-bit Diffie-Hellman ciphers. This can easily take several minutes,
during which the polling of emails via IMAPS or POP3S is not possible.
Please wait for it to finish. If you restart Dovecot during that period,
it will recalculate the DH-ciphers again until it finally completes it.
After that it will accept TLS connections just fine without a restart of
the service.

As SSLv3 is now turned off for all services you might get the odd call
from clients who are no longer able to connect to secure POP3, secure
IMAP, secure FTP or maybe even to a webpage via HTTPS. Most likely they
will be using Windows XP with some really old browsers (like IE6) or an
ancient Outlook or similar, which don't even support TLSv1.0 and fall
back to the compromised SSLv3 protocol, which we just disabled entirely.

Unless they upgrade, they are out of luck. Windows XP is end of life and
we will no longer cripple the security of our OS to accommodate them.

If you get such a report from a client that is *not* using Windows XP,
please ask them to update their email client or browser or FTP client to
the latest version and to check the connection settings. They might have
to change their account settings to use TLS instead of SSLv3.

If you have problems with these updates, then please report them via the
BlueOnyx General Mailing List by replying to this message.

-- 
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
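The announcement says SSLv3 is now off for HTTPS, POP3S, IMAPS and FTP, but gives no way to confirm that on a given box. The script below is an added example written for this page; it is not part of the BlueOnyx packages or of Michael's post. It probes each of those four services with openssl s_client, once with -ssl3 (which should now be refused) and once with -tls1 (which every BlueOnyx version, including 5106R, should accept), and prints a verdict per service. The host is taken from the BO_HOST environment variable; bo.example.com in the usage line is a placeholder. The -ssl3 probe assumes an openssl client that was built with SSLv3, as the 2014-era 1.0.1 builds were; newer clients reject the option, and the script reports that as "unknown" rather than mistaking it for a pass.

```shell
#!/bin/sh
# Added example, not part of the BlueOnyx announcement or its packages:
# probe HTTPS, IMAPS, POP3S and FTP-with-STARTTLS on one BlueOnyx host
# and report whether each still accepts SSLv3 and whether it accepts
# TLSv1.0. AdmServ (the GUI) can be added as a further entry in main()
# with its own port. Usage: BO_HOST=bo.example.com sh check-sslv3.sh

# Turn the text openssl s_client wrote on stdout+stderr into a verdict:
#   accepted  a session was negotiated ("Cipher is <name>")
#   refused   the server rejected the handshake
#   unknown   the client could not even try (no -ssl3 support in this
#             openssl build, no network, wrong port)
classify() {
    case "$1" in
        *"unknown option"*|*"Unknown option"*|*"no protocols available"*|\
        *"connect:errno"*|*"Connection refused"*|*"No route to host"*)
            echo unknown ;;
        *"Cipher is (NONE)"*|*"handshake failure"*|\
        *"alert protocol version"*|*"wrong version number"*)
            echo refused ;;
        *"Cipher is "*)
            echo accepted ;;
        *)
            echo unknown ;;
    esac
}

# One s_client run. $1 = port, $2 = protocol option (-ssl3, -tls1, ...),
# $3 = optional STARTTLS protocol name ("ftp" for ProFTPD on port 21,
# empty for services that speak TLS from the first byte).
probe() {
    port="$1"; proto="$2"; starttls="${3:-}"
    if [ -n "$starttls" ]; then
        out=$(openssl s_client -connect "$BO_HOST:$port" "$proto" \
                  -starttls "$starttls" </dev/null 2>&1)
    else
        out=$(openssl s_client -connect "$BO_HOST:$port" "$proto" \
                  </dev/null 2>&1)
    fi
    classify "$out"
}

# Print one line per service. Returns 0 only when SSLv3 is refused AND
# TLSv1.0 is accepted, i.e. the state the update is meant to leave behind.
verdict() {
    name="$1"; sslv3="$2"; tls1="$3"
    printf '%-8s SSLv3=%-8s TLSv1.0=%-8s ' "$name" "$sslv3" "$tls1"
    if [ "$sslv3" = refused ] && [ "$tls1" = accepted ]; then
        echo OK; return 0
    fi
    echo CHECK; return 1
}

main() {
    rc=0
    # "name port starttls"; starttls is empty for implicit-TLS ports
    for svc in "https 443" "imaps 993" "pop3s 995" "ftp 21 ftp"; do
        set -- $svc
        verdict "$1" "$(probe "$2" -ssl3 "${3:-}")" \
                     "$(probe "$2" -tls1 "${3:-}")" || rc=1
    done
    return $rc
}

# Only touch the network when a host was given.
if [ -n "${BO_HOST:-}" ]; then
    main
    exit $?
fi
```

A non-zero exit means at least one service either still negotiates SSLv3 or no longer negotiates TLSv1.0, which is the symptom behind the "client cannot connect" calls the announcement warns about. If a service shows SSLv3=accepted after the update, the settings to inspect by hand are SSLProtocol in the Apache configuration, ssl_protocols in Dovecot 2.2 and TLSProtocol in ProFTPD's mod_tls; the packages set these themselves, so a stray local override is the usual reason.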
