[BlueOnyx:16181] Re: SSL v3 POODLE vulnerability

Michael Stauber mstauber at blueonyx.it
Tue Oct 14 21:54:27 -05 2014


Hi all,

> I'll do some more digging and will eventually push an update that
> disables the SSL v3.0 protocol on all BlueOnyx versions. But I'll give
> it a few days as I want to do some more digging.

I just did some digging and testing on EL6 based BlueOnyx (5107R, 5207R,
5108R, 5208R). In order to disable SSLv3 entirely the following needs to
be done:

ProFTPd:
========

/etc/proftpd.conf
Change ...
   TLSProtocol SSLv3 TLSv1
... to ...
   TLSProtocol TLSv1
/sbin/service xinetd restart

I'll eventually build an updated proftpd and publish it to the YUM
repositories.

Apache:
=======

Pretty straightforward:

In /usr/sausalito/handlers/base/apache/virtual_host.pl:
Change ...
SSLProtocol +ALL -SSLv2
... to ...
SSLProtocol +ALL -SSLv3 -SSLv2
Run /usr/sausalito/sbin/SSL_fixer.pl to update all VSites that have SSL
enabled to inherit the new configuration.

Dovecot:
========

This is the nasty bugger. On EL6 we're using Dovecot 2.0.9 as provided
by RedHat, CentOS or SL. Even though our OpenSSL supports TLSv1.2, this
Dovecot doesn't. It's simply too old for that. I tried to force it to not
use SSLv3 but to use TLSv1.0 instead. That didn't work. It started, but
my Thunderbird on Ubuntu 14.04 LTS still insisted on connecting via
SSLv3, for which this Dovecot then no longer has ciphers.

Ideally we'd need to update to Dovecot 2.2.X (v2.2.14 is the newest at
the time of this writing), which supposedly supports TLSv1.2 and Perfect
Forward Secrecy.

That would then mean I'd have to maintain Dovecot-2.2 out of the BlueOnyx
YUM repositories to provide updates for it, which is right now handled
by upstream OS updates.

Sendmail:
=========

I'm not sure if I want to mess with its ciphers and protocols, as it
kinda works pretty well as is.

-- 
With best regards

Michael Stauber
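The ProFTPd and Apache edits above are two one-line changes that are easy to get wrong by hand on many boxes. The script below is an added example (not from the post or the BlueOnyx project) that audits whether a config file still permits SSLv3 and applies exactly the rewrites the post describes. It takes file paths as arguments; the post's real files are /etc/proftpd.conf and /usr/sausalito/handlers/base/apache/virtual_host.pl, while the files in the demo are constructed copies of the quoted lines.

```shell
#!/bin/sh
# Added example, not part of the original post: audit and patch the SSLv3
# settings for ProFTPd (TLSProtocol) and Apache mod_ssl (SSLProtocol).
# Pass the config file paths; nothing here touches the live files by default.

# Return 0 (true) when the ProFTPd config still lists SSLv3 on TLSProtocol.
proftpd_allows_sslv3() {
    grep -Eq '^[[:space:]]*TLSProtocol[[:space:]]+.*SSLv3([[:space:]]|$)' "$1"
}

# Return 0 (true) when the mod_ssl directive still permits SSLv3.
# mod_ssl of that era defaulted to all protocols, so a missing directive
# counts as "allowed"; an explicit -SSLv3 wins over ALL.
apache_allows_sslv3() {
    line=$(grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    [ -z "$line" ] && return 0
    case "$line" in
        *-SSLv3*)                 return 1 ;;   # explicitly removed
        *ALL*|*+SSLv3*|*" SSLv3"*) return 0 ;;  # ALL keyword or SSLv3 listed
        *)                        return 1 ;;   # explicit list without SSLv3
    esac
}

# Rewrite "TLSProtocol <anything>" to "TLSProtocol TLSv1", keeping indentation
# (the post's change for /etc/proftpd.conf). Uses a temp file for portability.
fix_proftpd() {
    sed -E 's/^([[:space:]]*TLSProtocol)[[:space:]]+.*$/\1 TLSv1/' "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# Turn "SSLProtocol +ALL -SSLv2" into "SSLProtocol +ALL -SSLv3 -SSLv2"
# (the post's change for virtual_host.pl; SSL_fixer.pl still has to be run
# afterwards to push it into the existing VSites).
fix_apache() {
    sed -E 's/^([[:space:]]*SSLProtocol[[:space:]]+)[+]ALL[[:space:]]+-SSLv2[[:space:]]*$/\1+ALL -SSLv3 -SSLv2/' "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# Print one status line per file; return the number of files still allowing SSLv3.
report() {
    bad=0
    if proftpd_allows_sslv3 "$1"; then
        echo "ProFTPd: SSLv3 still enabled in $1"; bad=$((bad + 1))
    else
        echo "ProFTPd: SSLv3 disabled"
    fi
    if apache_allows_sslv3 "$2"; then
        echo "Apache:  SSLv3 still enabled in $2"; bad=$((bad + 1))
    else
        echo "Apache:  SSLv3 disabled"
    fi
    return $bad
}

# Demo on constructed copies of the two lines quoted in the post, not the live files.
demo_dir=$(mktemp -d)
printf '   TLSProtocol SSLv3 TLSv1\n' > "$demo_dir/proftpd.conf"
printf 'SSLProtocol +ALL -SSLv2\n'    > "$demo_dir/virtual_host.pl"
report "$demo_dir/proftpd.conf" "$demo_dir/virtual_host.pl" || echo "-> $? file(s) need fixing"
fix_proftpd "$demo_dir/proftpd.conf"
fix_apache  "$demo_dir/virtual_host.pl"
report "$demo_dir/proftpd.conf" "$demo_dir/virtual_host.pl"
cat "$demo_dir/proftpd.conf" "$demo_dir/virtual_host.pl"
rm -rf "$demo_dir"
```

After applying the real change you still need the restarts the post lists (xinetd for ProFTPd, SSL_fixer.pl for the Apache VSites); the audit functions only read the file on disk, so they tell you the config is right, not that the running daemon has picked it up.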


