SSL3 Volunerbility

curibe · Post by **curibe** » 17 Oct 2014 14:50

Guys,

there is links on the internet showing Poodle Attacks on SSL v3 as shown on this link https://www.imperialviolet.org/2014/10/14/poodle.html also as well with https://technet.microsoft.com/en-us/lib ... 09008.aspx

How can i disable SSL v3 in EFA??

you guys should also disable it in your next update

Post by **shawniverson** » 17 Oct 2014 15:08

I agree!

To disable SSLv3 in EFA:

in /etc/httpd/conf.d/ssl.conf:

Code: Select all

SSLProtocol all -SSLv2 -SSLv3

Code: Select all

sudo service httpd restart

Post by **shawniverson** » 17 Oct 2014 15:24

https://github.com/E-F-A/v3/issues/139

colin · Post by **colin** » 16 Dec 2014 17:03

This does not work, as Postfix is still allowing SSLv2 and SSLv3. I am trying to get PCI compliance and scans are failing.

I have worked through several articles including this http://askubuntu.com/questions/537196/h ... -2014-3566 but when I run openssl s_client -connect mail.domainname.co.uk:25 –ssl3 or openssl s_client -connect mail.domainname.co.uk:25 -ssl2 from an external server, they both still show as connected. If I stop the Postfix service then the above does not connect.

I think the reason is that it is not using 'mandatory SSL' mode. I don't know how to change this.

Any help or guidance on this would be much appreciated.

kommunen · Post by **kommunen** » 05 Feb 2015 10:31

See https://disablessl3.com/#postfix

Code: Select all

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3

- Peder

Post by **shawniverson** » 06 Feb 2015 16:58

https://github.com/E-F-A/v3/issues/149

colin · Post by **colin** » 16 Feb 2015 14:22

@kommunen

I did exactly that in /etc/postfix/main.cf and restarted. It has made no difference. Is there somewhere else that this could be set?

Post by **shawniverson** » 16 Feb 2015 21:53

Actually it is working...

A more accurate test requires that you use STARTTLS...

Code: Select all

openssl s_client -starttls smtp -connect <yourhost>:25 -ssl2
openssl s_client -starttls smtp -connect <yourhost>:25 -ssl3
openssl s_client -starttls smtp -connect <yourhost>:25 -tls1

The first 2 should through an error and the third one will display a session ticket.

colin · Post by **colin** » 17 Feb 2015 11:20

Thanks for that additional information. When I saw CONNECTED I assumed it was still allowing connections. I am now seeing the following, could you confirm that this is what you would expect from the first two tests:

[root@mailprotect ~]# openssl s_client -starttls smtp -connect mail.domain.co.uk:25 -ssl2
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 289 bytes and written 83 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1424171059
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
[root@mailprotect ~]# openssl s_client -starttls smtp -connect mail.domain.co.uk:25 -ssl3
CONNECTED(00000003)
140329267877704:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 289 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1424171103
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---

The third one is clearly connecting as it is showing certificate information.

Post by **shawniverson** » 18 Feb 2015 11:53

Yes, the first two as you show them are failed connections.

Post by **shawniverson** » 18 Feb 2015 12:08

This is another useful way to audit your EFA...

https://ssl-tools.net/mailservers

1) Plug in your domain near the top
2) Send an email to check@ssl-tools.net from your efa or through your efa.

You may see a certificate issue if your EFA is using the default self-signed cert instead of a trusted cert, but you should get a green check mark on protocol if all is well. DANE will probably show as missing for most.

mattdcox · Post by **mattdcox** » 19 Feb 2015 00:20

Possible I could I get instructions to replace the cert? I have a wild card cert for my domain, in case that matters.

Thanks
Matt

Post by **shawniverson** » 26 Feb 2015 02:46

What type of file formats do you have for your wildcard (X.509, PEM, DER...?)

efa-project.org

SSL3 Volunerbility

SSL3 Volunerbility

Re: SSL3 Volunerbility

Re: SSL3 Volunerbility

Re: SSL3 Volunerbility

Re: SSL3 Volunerbility

Re: SSL3 Volunerbility

Re: SSL3 Volunerbility

Re: SSL3 Volunerbility

Re: SSL3 Volunerbility

Re: SSL3 Volunerbility

Re: SSL3 Volunerbility

Re: SSL3 Volunerbility

Re: SSL3 Volunerbility