Koozali.org: home of the SME Server

Obsolete Releases => SME Server 8.x => Topic started by: holck on October 16, 2014, 02:01:48 PM

Title: "Poodle" vulnerability with SSL v. 3
Post by: holck on October 16, 2014, 02:01:48 PM
Redhat and others have drawn attention to a vulnerability ("Poodle") with SSL v. 3 https://access.redhat.com/articles/1232123, and as far as I can see, this is relevant for SME server 8.x also. The proposed resolution is to disable httpd's use of SSL v. 3.

You can use this site to test if you are affected: https://ssltools.geotrust.com/checker/views/certCheck.jsp

Jesper, Denmark
Title: Re: "Poodle" vulnerability with SSL v. 3
Post by: holck on October 16, 2014, 02:26:53 PM
Here is a proposed resolution:

Create a new file
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
with the following contents
Code:
{
    # Specify which SSL Protocols to accept for this context
    $OUT .= "SSLProtocol all -SSLv2 -SSLv3"
}

And then do
Code:
# /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
# sv restart httpd-e-smith
Title: Re: "Poodle" vulnerability with SSL v. 3
Post by: Daniel B. on October 16, 2014, 02:42:28 PM
Please open a bug so we can take a look at this
Title: Re: "Poodle" vulnerability with SSL v. 3
Post by: mmccarn on October 16, 2014, 03:18:05 PM
Quote from: holck on October 16, 2014, 02:26:53 PM
Here is a proposed resolution:

Create a new file
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
with the following contents
Code:
{
    # Specify which SSL Protocols to accept for this context
    $OUT .= "SSLProtocol all -SSLv2 -SSLv3"
}

And then do
Code:
# /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
# sv restart httpd-e-smith

Testing at https://www.ssllabs.com/ssltest/index.html before and after applying holck's fix confirms that my 8.1 server was vulnerable to POODLE beforehand but is not afterwards.
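An added check, not code from the thread or from the SME Server project: the posts above verify the fix against external services (the GeoTrust checker and SSL Labs). The script below does the same SSLv3 negotiation test from your own machine, so it also works for servers that are not reachable from the internet. It sends a raw SSLv3 ClientHello and classifies the first record that comes back. The target host/port and the cipher-suite list are my assumptions; an SSLv3 ServerHello in reply means the server still offers the protocol POODLE depends on, while an alert or a dropped connection means the SSLProtocol change took effect.

```python
"""Probe whether a TLS endpoint still negotiates SSLv3 (the POODLE precondition).

Added example; not part of the original thread or of SME Server itself.
Sends a bare SSLv3 ClientHello and classifies the first record the server returns.
"""
import os
import socket
import struct

# Assumed cipher list: CBC suites an SSLv3-era server commonly offers. POODLE is
# a CBC padding-oracle attack, so these are the ones that matter; RC4 is added
# only so that a server with an odd cipher policy still answers the hello.
CBC_SUITES = [0x002F, 0x0035, 0x000A]   # AES128-SHA, AES256-SHA, DES-CBC3-SHA
RC4_SUITES = [0x0005, 0x0004]           # RC4-SHA, RC4-MD5

HANDSHAKE, ALERT = 0x16, 0x15
SSLV3 = (3, 0)


def build_sslv3_client_hello(suites=CBC_SUITES + RC4_SUITES, random_bytes=None):
    """Return one SSLv3 record carrying a ClientHello (SSLv3 has no extensions)."""
    random_bytes = os.urandom(32) if random_bytes is None else random_bytes
    if len(random_bytes) != 32:
        raise ValueError("client random must be 32 bytes")
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        bytes(SSLV3)                                    # client_version = 3.0
        + random_bytes                                  # gmt_unix_time + random
        + b"\x00"                                       # empty session_id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                   # one compression method: null
    )
    # Handshake header: type 0x01 (ClientHello) + 24-bit body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type, protocol version 3.0, 16-bit length.
    return bytes([HANDSHAKE]) + bytes(SSLV3) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the first record a server sends back to a verdict string."""
    if not data:
        return "refused: connection closed without a reply"
    if len(data) < 5:
        return "unexpected: short record"
    content_type, version = data[0], (data[1], data[2])
    # A ServerHello (handshake type 0x02) inside an SSLv3 record: the server agreed.
    if content_type == HANDSHAKE and len(data) >= 6 and data[5] == 0x02 and version == SSLV3:
        return "VULNERABLE: server completed SSLv3 ServerHello"
    # An alert record: level (1 warning / 2 fatal) and description follow the header.
    if content_type == ALERT and len(data) >= 7:
        level, desc = data[5], data[6]
        names = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}
        severity = "fatal" if level == 2 else "warning"
        return "refused: alert %s (%s)" % (names.get(desc, str(desc)), severity)
    return "unexpected: record type 0x%02x version %d.%d" % (content_type, version[0], version[1])


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello, and classify the reply (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "unexpected: no reply before timeout"
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumed target
    print(target, "->", probe_sslv3(target))
```

Run it as `python poodle_probe.py your.server.example` before and after applying the template change. The classification is deliberately narrow: anything other than an SSLv3 ServerHello or a clean alert is reported as "unexpected" rather than guessed at, so a middlebox or a non-TLS service on the port does not produce a false "fixed" verdict.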
Title: Re: "Poodle" vulnerability with SSL v. 3
Post by: guest22 on October 16, 2014, 09:08:43 PM
http://bugs.contribs.org/show_bug.cgi?id=8603
Title: Re: "Poodle" vulnerability with SSL v. 3
Post by: CharlieBrady on October 17, 2014, 03:38:27 PM
Quote from: holck on October 16, 2014, 02:26:53 PM
Here is a proposed resolution:

That's not a proposed resolution. That's a proposed temporary workaround. The resolution is to make a change in the software.

Thanks
Title: Re: "Poodle" vulnerability with SSL v. 3
Post by: CharlieBrady on October 17, 2014, 03:55:23 PM
To put this issue in proportion, please read the "is only a poodle" section of this document:

http://www.theregister.co.uk/2014/10/16/poodle_analysis/