efa-project.org

Guys,

there is links on the internet showing Poodle Attacks on SSL v3 as shown on this link https://www.imperialviolet.org/2014/10/14/poodle.html also as well with https://technet.microsoft.com/en-us/lib ... 09008.aspx

How can i disable SSL v3 in EFA??

you guys should also disable it in your next update

I agree!

To disable SSLv3 in EFA:

in /etc/httpd/conf.d/ssl.conf:

This does not work, as Postfix is still allowing SSLv2 and SSLv3. I am trying to get PCI compliance and scans are failing.

I have worked through several articles including this http://askubuntu.com/questions/537196/h ... -2014-3566 but when I run openssl s_client -connect mail.domainname.co.uk:25 –ssl3 or openssl s_client -connect mail.domainname.co.uk:25 -ssl2 from an external server, they both still show as connected. If I stop the Postfix service then the above does not connect.

I think the reason is that it is not using 'mandatory SSL' mode. I don't know how to change this.

Any help or guidance on this would be much appreciated.

See https://disablessl3.com/#postfix

- Peder

@kommunen

I did exactly that in /etc/postfix/main.cf and restarted. It has made no difference. Is there somewhere else that this could be set?

Actually it is working...

A more accurate test requires that you use STARTTLS...
The first 2 should through an error and the third one will display a session ticket.

Thanks for that additional information. When I saw CONNECTED I assumed it was still allowing connections. I am now seeing the following, could you confirm that this is what you would expect from the first two tests:

[root@mailprotect ~]# openssl s_client -starttls smtp -connect mail.domain.co.uk:25 -ssl2
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 289 bytes and written 83 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1424171059
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
[root@mailprotect ~]# openssl s_client -starttls smtp -connect mail.domain.co.uk:25 -ssl3
CONNECTED(00000003)
140329267877704:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 289 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1424171103
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---

The third one is clearly connecting as it is showing certificate information.

Yes, the first two as you show them are failed connections.

This is another useful way to audit your EFA...

https://ssl-tools.net/mailservers

1) Plug in your domain near the top
2) Send an email to check@ssl-tools.net from your efa or through your efa.

You may see a certificate issue if your EFA is using the default self-signed cert instead of a trusted cert, but you should get a green check mark on protocol if all is well. DANE will probably show as missing for most.

Possible I could I get instructions to replace the cert? I have a wild card cert for my domain, in case that matters.

Thanks
Matt

What type of file formats do you have for your wildcard (X.509, PEM, DER...?)