Hello,

modify line 138 in file /etc/httpd/conf.d/ssl_perl.conf and restart apache for the VSites. And modify line 46 in file /etc/admserv/conf.d/ssl.conf for admserv. Restart admserv after change.

Best regards,
Dirk

Black Point Arts Internet Solutions GmbH - Hanauer Landstrasse 423a - 60314 Frankfurt

From: blueonyx-boun...@mail.blueonyx.it [mailto:blueonyx-boun...@mail.blueonyx.it] On behalf of Matt James
Sent: Friday, 17 October 2014 14:53
To: BlueOnyx General Mailing List
Subject: [BlueOnyx:16211] Re: SSL v3 POODLE vulnerability

Hi Michael,

Thanks for the great instructions! We really appreciate how on top of this you are.

I was able to shut off SSL3 for ProFTPd no problem, but my work to turn it off for Apache came up short. I'm running a 5107R and was unable to find the "SSLProtocol +ALL -SSLv2" reference in /usr/sausalito/handlers/base/apache/virtual_host.pl. I did a search for "SSL" looking for similar lines and found only unrelated strings. Can you confirm that this is the file to edit for a 5107R?

Thanks!

--
Matt James
RainStorm, Inc <http://rainstorminc.com>
(207) 866-3908 x54

On Oct 14, 2014, at 10:54 PM, Michael Stauber <mstau...@blueonyx.it<mailto:mstau...@blueonyx.it>> wrote:

Hi all,

I'll do some more digging and will eventually push an update that disables the SSL v3.0 protocol on all BlueOnyx versions. But I'll give it a few days as I want to do some more digging.

I just did some digging and testing on EL6 based BlueOnyx (5107R, 5207R, 5108R, 5208R). In order to disable SSLv3 entirely the following needs to be done:

ProFTPd:
========

/etc/proftpd.conf

Change ...

TLSProtocol SSLv3 TLSv1

... to ...

TLSProtocol TLSv1

/sbin/service xinetd restart

I'll eventually build an updated proftpd and publish it to the YUM repositories.

Apache:
========

Pretty straightforward: In /usr/sausalito/handlers/base/apache/virtual_host.pl:

Change ...

SSLProtocol +ALL -SSLv2

... to ...

SSLProtocol +ALL -SSLv3 -SSLv2

Run /usr/sausalito/sbin/SSL_fixer.pl to update all VSites that have SSL enabled to inherit the new configuration.

Dovecot:
========

This is the nasty bugger. On EL6 we're using Dovecot 2.0.9 as provided by RedHat, CentOS or SL.

Even though our OpenSSL supports TLSv1.2, this Dovecot doesn't. It's simply too old for that. I tried to force it to not use SSLv3 but to use TLSv1.0 instead. That didn't work. It started, but my Thunderbird on Ubuntu 14.04 LTS still insisted on connecting via SSLv3, for which this Dovecot then no longer has ciphers.

Ideally we'd need to update to Dovecot 2.2.X (v2.2.14 is the newest at the time of this writing). Which supposedly supports TLSv1.2 and Perfect Forward Secrecy. Which then means I'd have to maintain Dovecot-2.2 out of the BlueOnyx YUM repositories to provide updates for it. Which is right now handled by upstream OS updates.

Sendmail:
========

I'm not sure if I want to mess with its ciphers and protocols, as it kinda works pretty well as is.

--
With best regards

Michael Stauber

_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it<mailto:Blueonyx@mail.blueonyx.it>
http://mail.blueonyx.it/mailman/listinfo/blueonyx
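As an added example (not code from the thread or from BlueOnyx), a small Python check that parses the two directive forms discussed above, Apache's SSLProtocol and ProFTPd's TLSProtocol, and reports the config lines that still leave SSLv3 enabled; the expansion of "all" to the version set below and the "SSLv23" alias are assumptions.

```python
# Added example (not from the thread): flag proftpd.conf / Apache ssl.conf
# directives that still leave SSLv3 enabled, using the two directive forms
# the thread edits. Assumed: 'all' expands to the version set below.
APACHE_ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in APACHE_ALL}

def apache_sslprotocol_enabled(value):
    """Protocols enabled by an Apache mod_ssl SSLProtocol value:
    '+x' adds, '-x' removes, a bare name replaces the set (mod_ssl semantics)."""
    enabled = set()
    for tok in value.split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok[len(sign):].lower()
        protos = set(APACHE_ALL) if name == "all" else {CANON.get(name, name)}
        if sign == "-":
            enabled -= protos
        elif sign == "+":
            enabled |= protos
        else:
            enabled = protos
    return enabled

def proftpd_tlsprotocol_enabled(value):
    """Protocols enabled by a ProFTPd mod_tls TLSProtocol value: a plain list,
    where 'SSLv23' (assumed) means SSLv3 plus the TLS versions."""
    enabled = set()
    for tok in value.split():
        name = tok.lower()
        enabled |= APACHE_ALL - {"SSLv2"} if name == "sslv23" else {CANON.get(name, tok)}
    return enabled

DIRECTIVES = {"sslprotocol": apache_sslprotocol_enabled,
              "tlsprotocol": proftpd_tlsprotocol_enabled}

def find_sslv3(config_text):
    """Return (line_no, directive, value) for each directive enabling SSLv3."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        parser = DIRECTIVES.get(parts[0].lower())
        if parser and "SSLv3" in parser(parts[1]):
            hits.append((n, parts[0], parts[1]))
    return hits

# Constructed sample lines mirroring the before/after settings in the thread.
BEFORE = "TLSProtocol SSLv3 TLSv1\n# comment\nSSLProtocol +ALL -SSLv2\n"
AFTER = "TLSProtocol TLSv1\nSSLProtocol +ALL -SSLv3 -SSLv2\n"
```

Run find_sslv3() over the real files after editing them; an empty result means neither directive form still admits SSLv3, while the service still has to be restarted for the change to take effect.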