SSL3 Vulnerability
Guys,
There are links on the internet showing POODLE attacks on SSL v3, as shown at https://www.imperialviolet.org/2014/10/14/poodle.html and also at https://technet.microsoft.com/en-us/lib ... 09008.aspx
How can I disable SSL v3 in EFA?
You guys should also disable it in your next update.
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: SSL3 Vulnerability
I agree!
To disable SSLv3 in EFA:
in /etc/httpd/conf.d/ssl.conf:
SSLProtocol all -SSLv2 -SSLv3
sudo service httpd restart
- shawniverson
Re: SSL3 Vulnerability
This does not work, as Postfix is still allowing SSLv2 and SSLv3. I am trying to get PCI compliance and scans are failing.
I have worked through several articles including this http://askubuntu.com/questions/537196/h ... -2014-3566 but when I run openssl s_client -connect mail.domainname.co.uk:25 -ssl3 or openssl s_client -connect mail.domainname.co.uk:25 -ssl2 from an external server, they both still show as connected. If I stop the Postfix service then the above does not connect.
I think the reason is that it is not using 'mandatory SSL' mode. I don't know how to change this.
Any help or guidance on this would be much appreciated.
Re: SSL3 Vulnerability
See https://disablessl3.com/#postfix
- Peder
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
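An added example (my code, not from the EFA project or from any poster in this thread) that checks a main.cf for the four knobs above. It reads the file the way Postfix does (last definition wins, indented lines continue the previous value) and reports which knobs still admit SSLv2 or SSLv3. The "before" sample has only the two mandatory knobs set, which leaves the opportunistic STARTTLS path on port 25 exposed; the "after" sample is the four lines from the post. The parameter names are the real Postfix ones; treating an unset knob as "all protocols allowed" is my conservative assumption, since the real default depends on the Postfix version.

```python
import re

# Constructed sample configs, not taken from any real EFA box.
# BEFORE: only the mandatory knobs are hardened. With security_level = may,
# the opportunistic STARTTLS path uses smtpd_tls_protocols, which is unset.
MAIN_CF_BEFORE = """\
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
"""

# AFTER: the four lines from the post above, on top of the same base.
MAIN_CF_AFTER = """\
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
"""

LEGACY = ("SSLv2", "SSLv3")
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
KNOBS = (
    "smtpd_tls_protocols",            # inbound, opportunistic STARTTLS
    "smtpd_tls_mandatory_protocols",  # inbound, when TLS is required
    "smtp_tls_protocols",             # outbound, opportunistic
    "smtp_tls_mandatory_protocols",   # outbound, when TLS is required
)


def parse_main_cf(text):
    """Minimal main.cf parser: 'name = value', '#' comments, and continuation
    lines that start with whitespace. Later definitions win, as in Postfix."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            params[current] += " " + raw.strip()
            continue
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if not m:
            continue
        current = m.group(1)
        params[current] = m.group(2).strip()
    return params


def allowed_protocols(value):
    """Resolve a Postfix protocol list to the set of protocols it enables.
    Unset or empty is treated as 'everything' (assumption, see lead-in).
    Exclusion form ('!SSLv2, !SSLv3'): start from all and remove the '!' items.
    Inclusion form ('TLSv1, TLSv1.1'): only the names listed."""
    if value is None or not value.strip():
        return set(ALL_PROTOCOLS)
    items = [t for t in re.split(r"[\s,:]+", value.strip()) if t]
    if any(t.startswith("!") for t in items):
        allowed = set(ALL_PROTOCOLS)
        for t in items:
            if t.startswith("!"):
                allowed.discard(t[1:])
        return allowed
    return {t for t in items if t in ALL_PROTOCOLS}


def audit(text):
    """Map each knob to the sorted list of legacy protocols it still allows.
    An empty list means that knob is clean."""
    params = parse_main_cf(text)
    return {
        k: sorted(p for p in allowed_protocols(params.get(k)) if p in LEGACY)
        for k in KNOBS
    }


if __name__ == "__main__":
    for name, cf in (("before", MAIN_CF_BEFORE), ("after", MAIN_CF_AFTER)):
        print(name, audit(cf))
```

Run it against a copy of /etc/postfix/main.cf; any knob that comes back non-empty is one a scanner can still negotiate SSLv3 on, regardless of how the mandatory knobs are set.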
- shawniverson
Re: SSL3 Vulnerability
@kommunen
I did exactly that in /etc/postfix/main.cf and restarted. It has made no difference. Is there somewhere else that this could be set?
- shawniverson
Re: SSL3 Vulnerability
Actually it is working...
A more accurate test requires that you use STARTTLS...
The first 2 should throw an error and the third one will display a session ticket.
openssl s_client -starttls smtp -connect <yourhost>:25 -ssl2
openssl s_client -starttls smtp -connect <yourhost>:25 -ssl3
openssl s_client -starttls smtp -connect <yourhost>:25 -tls1
Re: SSL3 Vulnerability
Thanks for that additional information. When I saw CONNECTED I assumed it was still allowing connections. I am now seeing the following, could you confirm that this is what you would expect from the first two tests:
[root@mailprotect ~]# openssl s_client -starttls smtp -connect mail.domain.co.uk:25 -ssl2
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 289 bytes and written 83 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1424171059
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
[root@mailprotect ~]# openssl s_client -starttls smtp -connect mail.domain.co.uk:25 -ssl3
CONNECTED(00000003)
140329267877704:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 289 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1424171103
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
The third one is clearly connecting as it is showing certificate information.
- shawniverson
Re: SSL3 Vulnerability
Yes, the first two as you show them are failed connections.
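An added example (my code, not from the EFA project or from any poster) that makes the point of the last few posts mechanical: given the text an `openssl s_client` run prints, it decides whether the server completed a handshake for the requested protocol, or only accepted the TCP connection (the `CONNECTED(00000003)` line) and then refused. The transcripts inside are constructed to match the shapes shown above and a typical successful TLSv1 run; `mail.example.com` is a placeholder. The same classification applies to the Apache port 443 probe from earlier in the thread (no `-starttls`). A third sample covers a failure mode the thread does not show: an OpenSSL build without SSLv3 rejects `-ssl3` as an unknown option, which says nothing about the server.

```python
import re

# Constructed transcripts (sample input, not captured from a real server).
# An SSLv3 probe that Postfix refuses: TCP connects, no cipher, no cert.
SSL3_REFUSED = """CONNECTED(00000003)
140329267877704:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 289 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Verify return code: 0 (ok)
---
"""

# A TLSv1 probe the server accepts: certificate shown, real cipher, SMTP resumes.
TLS1_ACCEPTED = """CONNECTED(00000003)
depth=0 CN = mail.example.com
verify error:num=18:self signed certificate
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC...(elided in this sample)...
-----END CERTIFICATE-----
subject=/CN=mail.example.com
issuer=/CN=mail.example.com
---
SSL handshake has read 1481 bytes and written 470 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 18 (self signed certificate)
---
250 DSN
"""

# What a client built without SSLv3 prints: a statement about the client only.
CLIENT_LACKS_SSL3 = "s_client: Unknown option: -ssl3\ns_client: Use -help for summary.\n"


def probe_command(host, port=25, protocol="ssl3", starttls="smtp"):
    """argv for the probe the thread settles on. STARTTLS is needed on port 25
    because the session starts as cleartext SMTP; pass starttls=None for 443."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", f"-{protocol}"]
    if starttls:
        cmd[2:2] = ["-starttls", starttls]
    return cmd


def classify(transcript):
    """Return a dict with verdict 'accepted', 'refused' or 'inconclusive'.
    CONNECTED(...) is only the TCP connect; the handshake result is read from
    the 'Cipher is' line and the error lines, not from CONNECTED."""
    if re.search(r"[Uu]nknown option", transcript):
        return {"verdict": "inconclusive",
                "reason": "client build lacks the requested protocol"}
    if "CONNECTED(" not in transcript:
        return {"verdict": "inconclusive", "reason": "no TCP connection"}
    m = re.search(r"^New, .*?, Cipher is (.+?)\s*$", transcript, re.M)
    cipher = m.group(1) if m else None
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", transcript, re.M)
    proto = m.group(1) if m else None
    error = re.search(r"handshake failure|write:errno=\d+", transcript)
    if cipher in (None, "(NONE)") or error:
        return {"verdict": "refused", "protocol": proto, "cipher": cipher,
                "reason": error.group(0) if error else "no cipher negotiated"}
    return {"verdict": "accepted", "protocol": proto, "cipher": cipher,
            "reason": "handshake completed"}


if __name__ == "__main__":
    print(" ".join(probe_command("mail.example.com")))
    for name, t in (("ssl3", SSL3_REFUSED), ("tls1", TLS1_ACCEPTED),
                    ("old-client", CLIENT_LACKS_SSL3)):
        print(name, classify(t))
```

To use it on a live host, capture the probe's combined output (`2>&1`) into a string and pass it to `classify`; "refused" for `-ssl2` and `-ssl3` together with "accepted" for `-tls1` is the result the thread is looking for. Newer OpenSSL builds omit SSLv2 and SSLv3 entirely, so on those the probe cannot be run from that client at all and a different client, or a scanner, is needed.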
- shawniverson
Re: SSL3 Vulnerability
This is another useful way to audit your EFA...
https://ssl-tools.net/mailservers
1) Plug in your domain near the top
2) Send an email to check@ssl-tools.net from your efa or through your efa.
You may see a certificate issue if your EFA is using the default self-signed cert instead of a trusted cert, but you should get a green check mark on protocol if all is well. DANE will probably show as missing for most.
Re: SSL3 Vulnerability
Is it possible I could get instructions to replace the cert? I have a wildcard cert for my domain, in case that matters.
Thanks
Matt
- shawniverson
Re: SSL3 Vulnerability
What type of file formats do you have for your wildcard (X.509, PEM, DER...?)