Hello,

modify line 138 in file /etc/httpd/conf.d/ssl_perl.conf and restart apache for 
the VSites.
And modify line 46 in file /etc/admserv/conf.d/ssl.conf for admserv. Restart 
admserv after change.

Best regards,
Dirk


Black Point Arts Internet Solutions GmbH - Hanauer Landstrasse 423a - 60314 
Frankfurt



Von: blueonyx-boun...@mail.blueonyx.it 
[mailto:blueonyx-boun...@mail.blueonyx.it] Im Auftrag von Matt James
Gesendet: Freitag, 17. Oktober 2014 14:53
An: BlueOnyx General Mailing List
Betreff: [BlueOnyx:16211] Re: SSL v3 POODLE vulnerability

Hi Michael,

Thanks for the great instructions!  We really appreciate how on top of this you 
are.

I was able to shut off SSL3 for ProFTPd no problem, but my work to turn it off 
for Apache came up short.  I'm running a 5107R and was unable to find the 
"SSLProtocol +ALL -SSLv2" reference in 
/usr/sausalito/handlers/base/apache/virtual_host.pl.  I did a search for "SSL" 
looking for similar lines and found only unrelated strings.  Can you confirm 
that this is the file to edit for a 5107R?

Thanks!

--
Matt James
RainStorm, Inc<http://rainstorminc.com>
(207) 866-3908 x54

On Oct 14, 2014, at 10:54 PM, Michael Stauber 
<mstau...@blueonyx.it<mailto:mstau...@blueonyx.it>> wrote:


Hi all,


I'll do some more digging and will eventually push an update that
disables the SSL v3.0 protocol on all BlueOnyx versions. But I'll give
it a few days as I want to do some more digging.

I just did some digging and testing on EL6 based BlueOnyx (5107R, 5207R,
5108R, 5208R). In order to disable SSLv3 entirely the following needs to
be done:

ProFTPd:
========

/etc/proftpd.conf
Change ...
  TLSProtocol SSLv3 TLSv1
... to ...
  TLSProtocol TLSv1
/sbin/service xinetd restart

I'll eventually build an updated proftpd and publish it to the YUM
repositories.

Apache:
========

Pretty straightforward:

In /usr/sausalito/handlers/base/apache/virtual_host.pl:
Change ...
SSLProtocol +ALL -SSLv2
... to...
SSLProtocol +ALL -SSLv3 -SSLv2
Run /usr/sausalito/sbin/SSL_fixer.pl to update all VSites that have SSL
enabled to inherit the new configuration.

Dovecot:
========

This is the nasty bugger. On EL6 we're using Dovecot 2.0.9 as provided
by RedHat, CentOS or SL. Even though our OpenSSL supports TLSv1.2, this
Dovecot doesn't. It's simply to old for that. I tried to force it to not
use SSLv3 but to use TLSv1.0 instead. That didn't work. It started, by
my Thunderbird on Ubuntu 14.04 LTS still insisted in connecting via
SSLv3, for which this Dovecot then no longer has ciphers.

Ideally we'd need to update to Dovecot 2.2.X (v2.2.14 is the newest a
the time of this writing). Which supposedly supports TLSv1.2 and Perfect
Forwarding Secrecy.

Which then means I'd have to maintain Dovecot-2.2 out of the BlueOnyx
YUM repositories to provide updates for it. Which is right now handled
by upstream OS updates.

Sendmail:
========

I'm not sure if I want to mess with its ciphers and protocols, as it
kinda works pretty well as is.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it<mailto:Blueonyx@mail.blueonyx.it>
http://mail.blueonyx.it/mailman/listinfo/blueonyx

_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx

Reply via email to