Koozali.org: home of the SME Server
Obsolete Releases => SME Server 8.x => Topic started by: holck on October 16, 2014, 02:01:48 PM
-
Redhat and others have drawn attention to a vulnerability ("Poodle") with SSL v. 3 https://access.redhat.com/articles/1232123 and as far as I can see, this is relevant for SME server 8.x also. The proposed resolution is to disable httpd's use of SSL v. 3.
You can use this site to test if you are affected: https://ssltools.geotrust.com/checker/views/certCheck.jsp
Jesper, Denmark
-
Here is a proposed resolution:
Create a new file
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
with the following contents
{
# Specify which SSL Protocols to accept for this context
# (Perl template fragment; the string is emitted into the expanded httpd.conf)
$OUT .= "SSLProtocol all -SSLv2 -SSLv3\n";
}
And then do
# /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
# sv restart httpd-e-smith
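The fragment above only helps if the expanded httpd.conf really ends up with an SSLProtocol line that removes SSLv3 from every SSL-enabled host. The following is an added example (not part of this thread or of SME Server) that evaluates SSLProtocol directives with the left-to-right "+"/"-"/bare-name semantics of Apache 2.2 mod_ssl, applies the server-level setting to any VirtualHost that has none of its own, and reports which SSL-enabled scopes still accept SSLv3. The two configuration snippets are constructed to resemble the before/after state of an SME 8 httpd.conf; the paths and listen addresses in them are assumptions.

```python
"""Audit an expanded httpd.conf for SSLv3 exposure (Apache 2.2 / mod_ssl semantics)."""
import re

# Protocol names mod_ssl in Apache 2.2 understands (the TLS 1.1/1.2 names only on
# builds against a new enough OpenSSL). "all" expands to every one of them, and a
# server with no SSLProtocol directive behaves as "SSLProtocol all", so SSLv3 is
# enabled unless a directive explicitly removes it.
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
BY_LOWER = {name.lower(): name for name in KNOWN}


def effective_protocols(args):
    """Evaluate one SSLProtocol argument list the way mod_ssl 2.2 does.

    Tokens are applied left to right: "+name" adds, "-name" removes, and a bare
    name replaces everything set so far. "all" stands for every known protocol.
    Unknown names raise ValueError, mirroring httpd refusing to start.
    """
    enabled = set()
    for token in args.split():
        action = ""
        if token[0] in "+-":
            action, token = token[0], token[1:]
        low = token.lower()
        if low == "all":
            names = set(KNOWN)
        elif low in BY_LOWER:
            names = {BY_LOWER[low]}
        else:
            raise ValueError("unknown SSLProtocol keyword: %r" % token)
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = set(names)
    return enabled


DIRECTIVE = re.compile(r"^(\S+)\s*(.*?)$")
OPEN_VHOST = re.compile(r"^<VirtualHost\s+([^>]*)>", re.I)
CLOSE_VHOST = re.compile(r"^</VirtualHost>", re.I)


def audit_httpd_conf(text):
    """Scan an expanded httpd.conf and return {scope: accepted protocols}.

    Scopes are "server" and "VirtualHost <args>"; only scopes with "SSLEngine on"
    are reported. A VirtualHost without its own SSLProtocol line inherits the
    server-level setting, as mod_ssl's per-server config merge does.
    """
    scopes = {"server": {"protocols": None, "ssl": False}}
    current = "server"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache only allows whole-line comments
            continue
        m = OPEN_VHOST.match(line)
        if m:
            current = "VirtualHost " + m.group(1).strip()
            scopes[current] = {"protocols": None, "ssl": False}
            continue
        if CLOSE_VHOST.match(line):
            current = "server"
            continue
        name, args = DIRECTIVE.match(line).groups()
        if name.lower() == "sslprotocol":
            scopes[current]["protocols"] = effective_protocols(args)
        elif name.lower() == "sslengine":
            scopes[current]["ssl"] = args.strip().lower() == "on"
    server_default = scopes["server"]["protocols"]
    if server_default is None:
        server_default = set(KNOWN)  # no directive at all: mod_ssl defaults to "all"
    report = {}
    for scope, cfg in scopes.items():
        if cfg["ssl"]:
            protos = cfg["protocols"]
            report[scope] = protos if protos is not None else server_default
    return report


def sslv3_exposed(text):
    """Names of SSL-enabled scopes that still accept SSLv3 (empty list = fixed)."""
    return sorted(s for s, p in audit_httpd_conf(text).items() if "SSLv3" in p)


# Constructed samples (not real SME Server output): the same layout without and
# with the line the custom template fragment adds.
BEFORE = """\
# constructed sample: no SSLProtocol directive anywhere
Listen 0.0.0.0:443
<VirtualHost 0.0.0.0:443>
    SSLEngine on
    SSLCertificateFile /home/e-smith/ssl.crt/host.crt
</VirtualHost>
<VirtualHost 0.0.0.0:80>
    DocumentRoot /home/e-smith/files/primary/html
</VirtualHost>
"""
AFTER = "# line emitted by the custom fragment\nSSLProtocol all -SSLv2 -SSLv3\n" + BEFORE

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_httpd_conf(conf), "SSLv3 exposed in:", sslv3_exposed(conf))
```

Run it against the real file after expand-template (`python audit.py` with `open("/etc/httpd/conf/httpd.conf").read()` in place of the samples) and expect an empty exposed list; a non-empty list means either the fragment did not expand or a VirtualHost overrides the protocol list with its own bare-name SSLProtocol directive.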
-
Please open a bug so we can take a look at this
-
Testing at https://www.ssllabs.com/ssltest/index.html before and after applying holck's fix confirms that my 8.1 server was vulnerable to POODLE beforehand but is not afterwards.
-
http://bugs.contribs.org/show_bug.cgi?id=8603
-
Here is a proposed resolution:
That's not a proposed resolution. That's a proposed temporary workaround. The resolution is to make a change in the software.
Thanks
-
To put this issue in proportion, please read the "is only a poodle" section of this document:
http://www.theregister.co.uk/2014/10/16/poodle_analysis/