[ALUG] This poodle bites: Disable SSLv3

Wed Oct 15 21:15:50 EAT 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SSLv3 is already 15 years old and deprecated since years but is still
in use.
Now Google employed security researches found a weakness in SSLv3 and
named it Poodle [1]

The main problem is: An attacker can influence the connection during
it is established and forcing the use of SSLv3. Then he can force the
fall-back to a weak cipher.

Clients can disable it easy.
Firefox:
Open about:config
Search for security.tls.version.min and set it to 1.
For Thundebird the plugin SSL Version Control [2] is needed.

With the next version of Firefox and Thunderbird released on 25.
November SSLv3 will be disabled and a TLS downgrade protection enabled
by default.

Chrome must be started with the command line option
- --ssl-version-min=tls1

On the server side also to disable:

To disable it in dovecot (min version 2.1 is needed to support
ssl_protocols for elder versions the source has to be patched - then
anyway a good reason to upgrade to 2.2):

ssl_protocols = !SSLv2 !SSLv3

Forcing PSF and diabling some other old and weak ciphers:

ssl_cipher_list = DHE-RSA-AES256-SHA: \
DHE-RSA-AES128-SHA:!aNULL:!eNULL: \
!LOW:!3DES:!MD5:!EXP:!CBC:!PSK:!SRP:!DSS:!RC4

For postfix (min. version 2.6) it is similar:

smtpd_tls_mandatory_protocols = TLSv1, !SSLv2, !SSLv3

Disabling some ciphers

smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, LOW, 3DES, MD5, \
EXP, CBC, PSK, SRP, DSS, MD5, RC4

And in apache (version 2.2.23 or patched older 2.2 versions):

SSLProtocol ALL -SSLv2 -SSLv3

Forcing stronger ciphers and disabling old ones

SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM: \
EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384: \
EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA: \
!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

Disabling SSLv3 and some of the weak ciphers might give some problems
for users still using XP with really outdated versions of IE and Office.
They have simply to upgrade everything (and anyway urgent).
A good moment to give a penguin a shelter ;)

Andreas

[1] https://www.openssl.org/~bodo/ssl-poodle.pdf
[2] https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iQIcBAEBAgAGBQJUPrnWAAoJEEeUknxlyOoQ2aIP+gNuOsf1IrcbxRwa/RqdFkgw
mJuWXdOK+fnzpdi313X94IKfh17sTW94w5LnT1elWwX2RErMqot3C4XOv+glEUQM
K+WWEsfQ1gLMJwLWhyrJJVIfygDO22auUpBdUK+oSK6AWBqAMdQXWU0dbbCZ7x8v
Lrq9y5sck/bh6/DEWQWhXFUH0Sb4BgONYR90xGAdrkQb737oolnrR5unUStNxzLD
XzPVZDh5dbyNKSLNG0viDZGik4u8I+Cj5ONUizMUkLfTQBZaEElryiezcPPE9DWy
Z5K975D9PHHQFgUC9EN/PWGe+yzGr6I+XUrXAuju29I0kTGqkzQ7dqLmoBoL2q7G
2g3l4+oqfz17ErGnexuxSwpYL1md6cryct5oiCRdAYZtdXrxH8amgxS+PdpiCfMo
wLwCq71cIsfPzEQgMZSfMQwPQDbdjAy+1bG7tKViwk863ZLaAUp/4FDw278LFYlU
MTR0Twm5PV4QuSWXV2TdyeJwUXWJD6+RQHEoU/F1QEO10kuFAgD3oyKld9OGTHia
N9/+eQ7tMCgQKmEs2iswU/z4ncHb5U/lCEhhbszgFbuxnJiRDRiSqTjUE1YNH+6m
nkAw0ZmqGbd0/oSz1+FoM4/CuixQTu9f+LVAn8CwlaogR1O5bcr3cIlVFvsvYsce
RjLo8H7eRE3UmiSU+jjB
=jBkO
-----END PGP SIGNATURE-----