<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Hi Michael,<div><br></div><div>Thanks for the great instructions! We really appreciate how on top of this you are.</div><div><br></div><div>I was able to shut off SSL3 for ProFTPd no problem, but my work to turn it off for Apache came up short. I'm running a 5107R and was unable to find the "SSLProtocol +ALL -SSLv2" reference in /usr/sausalito/handlers/base/apache/virtual_host.pl. I did a search for "SSL" looking for similar lines and found only unrelated strings. Can you confirm that this is the file to edit for a 5107R?</div><div><br></div><div>Thanks!</div><div><br><div>
<div style="orphans: 2; widows: 2;">--</div><div style="orphans: 2; widows: 2;"><b>Matt James</b></div><div style="orphans: 2; widows: 2;"><a href="http://rainstorminc.com">RainStorm, Inc</a></div><div style="orphans: 2; widows: 2;">(207) 866-3908 x54</div>
</div>
<br><div><div>On Oct 14, 2014, at 10:54 PM, Michael Stauber <<a href="mailto:mstauber@blueonyx.it">mstauber@blueonyx.it</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Hi all,<br><br><blockquote type="cite">I'll do some more digging and will eventually push an update that<br>disables the SSL v3.0 protocol on all BlueOnyx versions. But I'll give<br>it a few days as I want to do some more digging.<br></blockquote><br>I just did some digging and testing on EL6 based BlueOnyx (5107R, 5207R,<br>5108R, 5208R). In order to disable SSLv3 entirely the following needs to<br>be done:<br><br>ProFTPd:<br>========<br><br>/etc/proftpd.conf<br>Change ...<br> TLSProtocol SSLv3 TLSv1<br>... to ...<br> TLSProtocol TLSv1<br>/sbin/service xinetd restart<br><br>I'll eventually build an updated proftpd and publish it to the YUM<br>repositories.<br><br>Apache:<br>========<br><br>Pretty straightforward:<br><br>In /usr/sausalito/handlers/base/apache/virtual_host.pl:<br>Change ...<br>SSLProtocol +ALL -SSLv2<br>... to...<br>SSLProtocol +ALL -SSLv3 -SSLv2<br>Run /usr/sausalito/sbin/SSL_fixer.pl to update all VSites that have SSL<br>enabled to inherit the new configuration.<br><br>Dovecot:<br>========<br><br>This is the nasty bugger. On EL6 we're using Dovecot 2.0.9 as provided<br>by RedHat, CentOS or SL. Even though our OpenSSL supports TLSv1.2, this<br>Dovecot doesn't. It's simply to old for that. I tried to force it to not<br>use SSLv3 but to use TLSv1.0 instead. That didn't work. It started, by<br>my Thunderbird on Ubuntu 14.04 LTS still insisted in connecting via<br>SSLv3, for which this Dovecot then no longer has ciphers.<br><br>Ideally we'd need to update to Dovecot 2.2.X (v2.2.14 is the newest a<br>the time of this writing). Which supposedly supports TLSv1.2 and Perfect<br>Forwarding Secrecy.<br><br>Which then means I'd have to maintain Dovecot-2.2 out of the BlueOnyx<br>YUM repositories to provide updates for it. Which is right now handled<br>by upstream OS updates.<br><br>Sendmail:<br>========<br><br>I'm not sure if I want to mess with its ciphers and protocols, as it<br>kinda works pretty well as is.<br><br>-- <br>With best regards<br><br>Michael Stauber<br>_______________________________________________<br>Blueonyx mailing list<br><a href="mailto:Blueonyx@mail.blueonyx.it">Blueonyx@mail.blueonyx.it</a><br>http://mail.blueonyx.it/mailman/listinfo/blueonyx<br></blockquote></div><br></div></body></html>