[BlueOnyx:16304] Re: Yum Updates: vs. SSLv3 "Pootle" Vulnerability

Dirk Estenfeld dirk.estenfeld at bpanet.de
Thu Oct 30 05:14:34 -05 2014


Hello,

This was not all. Now I have the solution. A reinstall is not necessary.

With the new proftpd version it is possible to add a configuration file in the /etc/xinet.d proftpd files.
Duplicate the /etc/proftpd.conf. Disable TLS in your copy.
Now add the copied proftpd.conf file (with TLS disabled) to the xinet.d/proftpd file and restart xinetd.

Now you have one configuration for unencrypted ftp and one for tls.

Regards
Dirk

----------------------

Black Point Arts Internet Solutions GmbH
Hanauer Landstraße 423a
60314 Frankfurt am Main
Tel. 069 95218131
Fax 069 95218141
E-Mail dirk.estenfeld at bpanet.de<mailto:dirk.estenfeld at bpanet.de>
www.bpanet.de<http://www.bpanet.de>

On 30.10.2014 at 10:23, Dirk Estenfeld <dirk.estenfeld at bpanet.de<mailto:dirk.estenfeld at bpanet.de>> wrote:

Hello,

I think I have the fix for the ftp issue.

yum reinstall proftpd
service xinetd restart

Worked for two servers. We will now try it for all servers.

Best regards,
Dirk


On 30.10.2014 at 05:57, webmaster <webmaster at oldcabin.net<mailto:webmaster at oldcabin.net>> wrote:



Ran the update on my 5108R and now can't connect via ftp.

Server GUI is showing red light


Tried this
[root at cabin2 admin]# /etc/rc.d/init.d/proftpd start
Get this
Starting proftpd:                                          [FAILED]

Help!



5207R Updated fine.
No issues!
No FTP problems





Hi all,

I wish I could have done this sooner, but last week I was on a holiday.
The work was pretty complex, but is finally done:

The following YUM updates have just been published for BlueOnyx 5106R,
5107R, 5108R, 5207R and 5208R:

base-admserv-*
base-apache-*
base-email-*
dovecot-2.2.15-1BX01
proftpd-1.3.5-1BX1

They deal with the recently announced Pootle SSLv3 vulnerability and
turn off SSLv3 support for the services AdmServ (GUI), Apache, POP3/IMAP
and FTP.

Dovecot was updated to version 2.2.15 on all BlueOnyx versions. On 5106R
it supports only TLSv1.0, as the underlying OpenSSL is too old. On all
other BlueOnyx versions it supports TLSv1.2, TLSv1.1 and TLSv1.0.

ProFTPD was also updated to the latest version (v1.3.5), which
(finally!) handles TLSv1.2 as well as TLSv1.1 and TLSv1.0. But as
before: On BlueOnyx 5106R only TLSv1.0 is available due to the ancient
OpenSSL version that ships with CentOS5.

Caveats:
========

This is a somewhat massive and intrusive update. Especially so on 5106R,
where we went from Dovecot 1.1.X straight to the latest available
version. When Dovecot gets updated, it will need to recalculate the
2048bit Diffie-Hellman ciphers. This can easily take several minutes,
during which the polling of emails via IMAPS or POP3S is not possible.
Please wait for it to finish. If you restart Dovecot during that period,
it will recalculate the DH-ciphers again until it finally completes it.
After that it will accept TLS connections just fine without a restart of
the service.

As SSLv3 is now turned off for all services you might get the odd call
from clients who are no longer able to connect to secure POP3, secure
IMAP, secure FTP or maybe even to a webpage via HTTPS. Most likely they
will be using Windows XP with some really old browsers (like IE6) or an
ancient Outlook or similar, which don't support even TLSv1.0 and fall
back to the compromised SSLv3 protocol, which we just disabled entirely.

Unless they upgrade they are out of luck. Windows XP is end of life and
we will no longer cripple the security of our OS to accommodate them.

If you get such a report from a client that is *not* using Windows XP,
please ask them to update their email client or browser or FTP client to
the latest version and to check the connection settings. They might have
to change their account settings to use TLS instead of SSLv3.

If you have problems with these updates, then please report them via the
BlueOnyx General Mailing List by replying to this message.
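An added example, not code from the BlueOnyx project or from anyone in this thread: a small audit script that checks proftpd.conf (mod_tls) and a Dovecot 2.2 config for remaining SSLv3 exposure after the update above, and produces the TLS-disabled copy of proftpd.conf that Dirk's split-xinetd setup uses for plain FTP. The directive semantics it assumes (ProFTPD "TLSProtocol SSLv23" meaning all protocols including SSLv3, Dovecot needing an explicit "!SSLv3", and unset directives treated as permissive) and the sample configs are constructed for the example.

```python
# Audit ProFTPD (mod_tls) and Dovecot 2.2 config text for SSLv3 exposure.
# Hypothetical example; sample configs below are constructed, not real servers.
import re

def _directives(text):
    """Yield (name, value) per non-comment line; accepts 'key value' and 'key = value'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):      # skip blanks and <IfModule> tags
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        yield parts[0], (parts[1] if len(parts) > 1 else "")

def proftpd_sslv3_allowed(conf):
    """True if this proftpd.conf would still negotiate SSLv3 (TLS on and list permits it)."""
    engine, protos = "off", None
    for name, value in _directives(conf):
        if name.lower() == "tlsengine":
            engine = value.lower()
        elif name.lower() == "tlsprotocol":
            protos = value.split()
    if engine != "on":
        return False          # no TLS at all, e.g. the plain-FTP copy for xinetd
    if protos is None:
        return True           # assumption: unset TLSProtocol treated as permissive
    return any(p.upper() in ("SSLV3", "SSLV23") for p in protos)

def dovecot_sslv3_allowed(conf):
    """True unless ssl_protocols explicitly disables SSLv3 with '!SSLv3'."""
    for name, value in _directives(conf):
        if name == "ssl_protocols":
            return "!SSLv3" not in value.split()
    return True               # assumption: unset ssl_protocols treated as permissive

def make_plain_ftp_copy(conf):
    """Return a duplicate proftpd.conf with TLS switched off (second xinetd instance)."""
    out, seen = [], False
    for raw in conf.splitlines():
        if re.match(r"\s*TLSEngine\b", raw, re.I):
            out.append(raw[:len(raw) - len(raw.lstrip())] + "TLSEngine off")
            seen = True
        else:
            out.append(raw)
    if not seen:
        out.append("TLSEngine off")
    return "\n".join(out) + "\n"

# Constructed sample configs: "before" still negotiates SSLv3, "after" does not.
PROFTPD_BEFORE = 'ServerName "ProFTPD"\n<IfModule mod_tls.c>\n  TLSEngine on\n  TLSProtocol SSLv23\n</IfModule>\n'
PROFTPD_AFTER = PROFTPD_BEFORE.replace("SSLv23", "TLSv1 TLSv1.1 TLSv1.2")
DOVECOT_BEFORE = "ssl = required\nssl_protocols = !SSLv2\n"
DOVECOT_AFTER = "ssl = required\nssl_protocols = !SSLv2 !SSLv3\n"
```

Run the two `*_sslv3_allowed` checks over the live files after the update; a `True` result means that service still needs attention.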



_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it<mailto:Blueonyx at mail.blueonyx.it>
http://mail.blueonyx.it/mailman/listinfo/blueonyx