Re: SSLv3 attack on pop3?
On Fri, Oct 31, 2014 at 03:47:33PM -0400, Charles Marcus wrote: > On 10/31/2014 3:02 PM, Hans Morten Kind wrote: > > This makes me anxious that some have made some poodle-like thing for pop3? > > Can you show full log entries? There is much more to show, but have a peek on port 995 with https://isc.sans.edu/port.html The boost seems to have passed hmk
Re: SSLv3 attack on pop3?
On 10/31/2014 3:02 PM, Hans Morten Kind wrote: > We turned off SSLv3 support on our pop/imap running dovecot on Oct 16th, > we did check that all users where using TLSv1 and there have been no > complaints (except one old windows-phone). > > But at 13:00 UTC today, suddenly strange entries is seen in the logfile: > Error: SSL: Stacked error: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 > alert unexpected message: SSL alert number 10 > > Followed by: > pop3-login: Disconnected (no auth attempts in 2 secs) user=<>, rip= > > Some 20 ips have been seen so far, all ips are uniq and none have used our > server lately. Just one resoved and it's name ends .cn, some lookups with > whois > leads to the same origin for all. > > This makes me anxious that some have made some poodle-like thing for pop3? Can you show full log entries?
SSLv3 attack on pop3?
We turned off SSLv3 support on our pop/imap running dovecot on Oct 16th, we did check that all users where using TLSv1 and there have been no complaints (except one old windows-phone). But at 13:00 UTC today, suddenly strange entries is seen in the logfile: Error: SSL: Stacked error: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message: SSL alert number 10 Followed by: pop3-login: Disconnected (no auth attempts in 2 secs) user=<>, rip= Some 20 ips have been seen so far, all ips are uniq and none have used our server lately. Just one resoved and it's name ends .cn, some lookups with whois leads to the same origin for all. This makes me anxious that some have made some poodle-like thing for pop3? hmk
