<div dir="ltr"><div>Hi!</div><div>I can confirm that the FTP server is down on both 5106R and 5107R(OpenVZ) systems after updates.</div><div>To be accurate: plain ftp is down, implicit ftp over TLS was working.</div><div><br></div><div>For those who really need plain ftp asap:</div><div>Disable TLS in /etc/proftpd.conf:</div><div># TLS</div><div><IfModule mod_tls.c></div><div> TLSEngine off</div><div>/* snip */</div><div><br></div><div>Reload and restart the xinetd service:</div><div>service xinetd reload</div><div>service xinetd restart</div><div><br></div><div><br></div><div class="gmail_extra"><div class="gmail_quote">On Thu, Oct 30, 2014 at 3:45 AM, Michael Stauber <span dir="ltr"><<a href="mailto:mstauber@blueonyx.it" target="_blank">mstauber@blueonyx.it</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
I wish I could have done this sooner, but last week I was on a holiday.<br>
The work was pretty complex, but is finally done:<br>
<br>
The following YUM updates have just been published for BlueOnyx 5106R,<br>
5107R, 5108R, 5207R and 5208R:<br>
<br>
base-admserv-*<br>
base-apache-*<br>
base-email-*<br>
dovecot-2.2.15-1BX01<br>
proftpd-1.3.5-1BX1<br>
<br>
They deal with the recently announced Pootle SSLv3 vulnerability and<br>
turn off SSLv3 support for the services AdmServ (GUI), Apache, POP3/IMAP<br>
and FTP.<br>
<br>
Dovecot was updated to version 2.2.15 on all BlueOnyx versions. On 5106R<br>
it supports only TLSv1.0, as the underlying OpenSSL is too old. On all<br>
other BlueOnyx versions it supports TLSv1.2, TLSv1.1 and TLSv1.0.<br>
<br>
ProFTPD was also updated to the latest version (v1.3.5), which<br>
(finally!) handles TLSv1.2 as well as TLSv1.1 and TLSv1.0. But as<br>
before: On BlueOnyx 5106R only TLSv1.0 is available due to the ancient<br>
OpenSSL version that ships with CentOS5.<br>
<br>
Caveats:<br>
========<br>
<br>
This is a somewhat massive and intrusive update. Especially so on 5106R,<br>
where we went from Dovecot 1.1.X straight to the latest available<br>
version. When Dovecot gets updated, it will need to recalculate the<br>
2048bit Diffie-Hellman ciphers. This can easily take several minutes,<br>
during which the polling of emails via IMAPS or POP3S is not possible.<br>
Please wait for it to finish. If you restart Dovecot during that period,<br>
it will recalculate the DH-ciphers again until it finally completes it.<br>
After that it will accept TLS connections just fine without a restart of<br>
the service.<br>
<br>
As SSLv3 is now turned off for all services you might get the odd call<br>
from clients who are no longer able to connect to secure POP3, secure<br>
IMAP, secure FTP or maybe even to a webpage via HTTPS. Most likely they<br>
will be using Windows XP with some really old browsers (like IE6) or an<br>
ancient Outlook or similar, which don't support even TLSv1.0 and fall<br>
back to the compromised SSLv3 protocol, which we just disabled entirely.<br>
<br>
Unless they upgrade they are out of luck. Windows XP is end of life and<br>
we will no longer cripple the security of our OS to accommodate them.<br>
<br>
If you get such a report from a client that is *not* using Windows XP,<br>
please ask them to update their email client or browser or FTP client to<br>
the latest version and to check the connection settings. They might have<br>
to change their account settings to use TLS instead of SSLv3.<br>
<br>
If you have problems with this updates, then please report them via the<br>
BlueOnyx General Mailing List by replying to this message.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
With best regards<br>
<br>
Michael Stauber<br>
_______________________________________________<br>
Blueonyx mailing list<br>
<a href="mailto:Blueonyx@mail.blueonyx.it">Blueonyx@mail.blueonyx.it</a><br>
<a href="http://mail.blueonyx.it/mailman/listinfo/blueonyx" target="_blank">http://mail.blueonyx.it/mailman/listinfo/blueonyx</a><br>
</font></span></blockquote></div><br></div></div>