POODLE

This is the Mailtraq Peer Support forum. Get assistance using and managing Mailtraq, and help others solve problems too.

POODLE

Postby jetkins » Wed Feb 18th, 2015 10:59am

Are there any plans in place to address the POODLE SSLv3 vulnerability (CVE-2014-3566)? As of Mailtraq Version 2.17.7.3516, I don't see any option to disable SSLv3 in favor of TLS.
jetkins
Expert User
 
Posts: 172
Joined: Sun Dec 04th, 2005 9:26pm
Location: Austin, TX

Re: POODLE

Postby Elric Pedder » Fri Feb 20th, 2015 1:59pm

Is this for HTTPS? There is an option on the HTTPS properties dialogue to use strong ciphers, which also disables SSL3. Does that help?
Mailtraq Development and Escalation Support
Novitraq Incorporated
Elric Pedder
Mailtraq Escalation Support
 
Posts: 2675
Joined: Tue Nov 23rd, 2004 1:16pm
Location: Montreal, Canada

Re: POODLE

Postby jetkins » Wed Feb 25th, 2015 12:52am

Elric Pedder wrote:Is this for HTTPS? There is an option on the HTTPS properties dialogue to use strong ciphers, which also disables SSL3. Does that help?

Hi, Elric. Good to know that that option disables SSLv3 (though the help text in the dialog says it "allows SSL3 or greater"), but I'm also concerned about other protocols that can be SSL-enabled. I encrypt my SMTP and IMAP services as well, and openssl confirms that both protocols still support SSLv3 (and SSLv2):
Code:
jon@ubuntu:~$ openssl s_client -connect xxxxx.xxxxx.net:465 -no_tls1
CONNECTED(00000003)
[...]
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3  <========================================
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: D27AC0CC6B1DE8F5AEA2659FEB69B8AFC76C2ED8F5A632B3FD857B22AFD1EEFE
    Session-ID-ctx:
    Master-Key: D9B6FA733D7A196916B0390016B0F6392A0A879DF187A2AD250CE2C01433416DD835F0EA21DE66298D754453F0D46297
    Key-Arg   : None
    Start Time: 1424839434
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
220 xxxxx.xxxxx.net Ready for action (Mailtraq 2.17.7.3516/ESMTP)
jetkins
Expert User
 
Posts: 172
Joined: Sun Dec 04th, 2005 9:26pm
Location: Austin, TX

Re: POODLE

Postby jetkins » Thu Mar 05th, 2015 4:46pm

It appears that these other ports are also vulnerable to FREAK as well, since they don't reject the old EXPORT ciphers. HTTPS is OK though.
jetkins
Expert User
 
Posts: 172
Joined: Sun Dec 04th, 2005 9:26pm
Location: Austin, TX
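A verification script in the spirit of the two checks above (the openssl s_client protocol test and the later export-cipher concern), added here as an example and not taken from the thread or from Mailtraq: it probes each implicit-TLS port with the downgrade and weak-cipher options and parses the SSL-Session block the way the capture above is read. TARGET, the port list and the flag set are assumptions; a modern OpenSSL client usually cannot itself offer SSLv3 or EXPORT ciphers, and that client-side refusal is reported as REJECTED too.

```sh
# Added example (not from the thread or Mailtraq). TARGET, ports and flags
# are assumptions; adjust them to the server being verified.

# classify_handshake: parse captured s_client output. Prints
# "<protocol> <cipher>" and returns 0 when a session was negotiated;
# prints REFUSED and returns 1 when the SSL-Session block shows no
# cipher (s_client prints "Cipher : 0000" or "(NONE)" on failure).
classify_handshake() {
    out=$1
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1)
    case "$cipher" in
        ""|0000|"(NONE)") printf 'REFUSED\n'; return 1 ;;
    esac
    printf '%s %s\n' "$proto" "$cipher"
    return 0
}

# probe HOST PORT [s_client flags...]: one result line per check.
probe() {
    host=$1; port=$2; shift 2
    out=$(openssl s_client -connect "$host:$port" "$@" </dev/null 2>&1)
    if result=$(classify_handshake "$out"); then
        printf 'ACCEPTED  %s:%s %-16s -> %s\n' "$host" "$port" "$*" "$result"
    else
        printf 'REJECTED  %s:%s %-16s\n' "$host" "$port" "$*"
    fi
}

# Constructed sample transcripts (same shape as the capture in the thread)
# so the parser can be exercised offline.
SAMPLE_SSLV3='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA'
SAMPLE_REFUSED='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Live probe runs only when TARGET is set, e.g. TARGET=mail.example.net.
if [ -n "${TARGET:-}" ]; then
    for port in 465 993 443; do
        for flags in -ssl3 -tls1 "-cipher EXPORT"; do
            probe "$TARGET" "$port" $flags   # unquoted: split "-cipher EXPORT"
        done
    done
fi
```

Every ACCEPTED line for -ssl3, -tls1 or -cipher EXPORT is a port that still needs the SslStrong setting or cipher cleanup discussed later in the thread.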

Re: POODLE

Postby jetkins » Fri Aug 19th, 2016 4:58am

Another year has gone by, I've upgraded to 3598, but IMAPS and SMTPS are still supporting SSLv3. TLS 1.1 and 1.2 are available, which is nice, but I still can't find any way to disable SSLv3 on these non-HTTP protocols. Any chance that we'll see this, or is there already a tweak that I'm missing?

Also, I note that although IMAPS and HTTPS only offer a handful of strong ciphers, SMTPS offers a whole raft of ciphers including some old 3DES. Any chance of getting that cleaned up?
jetkins
Expert User
 
Posts: 172
Joined: Sun Dec 04th, 2005 9:26pm
Location: Austin, TX

Re: POODLE

Postby Martin Clayton » Fri Aug 19th, 2016 8:26am

Hi jetkins
jetkins wrote:disable SSLv3 on these non-HTTP protocols

Afaik, there's only SSlStrong=1, set in config.cfg, to disable SSL3 by service (.3550+).
Martin Clayton
Expert User
 
Posts: 529
Joined: Sat Jan 15th, 2005 8:20am
Location: London, UK

Re: POODLE

Postby jetkins » Fri Aug 19th, 2016 10:07am

Martin Clayton wrote:Afaik, there's only SSlStrong=1, set in config.cfg, to disable SSL3 by service (.3550+).

Hi, Martin.

Brilliant, that was (almost) exactly what I needed - thanks! All secure services are now offering TLS1.2 only, with strong ciphers.

(I say "almost" because a search for 'config.cfg' came up blank, but searching for 'SslStrong' found the right KB article - turns out the file is called system.cfg. :) )
jetkins
Expert User
 
Posts: 172
Joined: Sun Dec 04th, 2005 9:26pm
Location: Austin, TX

Re: POODLE

Postby Martin Clayton » Fri Aug 19th, 2016 10:33am

jetkins wrote:the file is called system.cfg. :)

Ah, I knew something was amiss -- I first typed a somewhat backward "config.sys" (now I feel old). At least I didn't go with "autoexec.bat".

system.cfg
system.cfg ...

:)
Martin Clayton
Expert User
 
Posts: 529
Joined: Sat Jan 15th, 2005 8:20am
Location: London, UK
