This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

New SSL vulnerability "Poodle" and the Userportal

Hi all,

I just found out about poodle and tested my UTM for it: It sure is vulnerable... and of course the Userportal is exposed. The Webadmin is not available form outside though.

As long as there is no fix from Sophos is it advisable to just disable SSLv3 in the httpd.conf under /var/sec/chroot-httpd/etc/httpd ?, i.e. make the "SSLProtocol all -SSLv2" to a "SSLProtocol all -SSLv2 -SSLv3" like on any other Apache Webserver?

All the best,

maybeageek

Poodle: Google Finds Vulnerability In SSL 3.0 Web Encryption - Slashdot
Test if a server is vulnerable: openssl s_client -connect IPofAPACHE:443 -ssl3

This thread was automatically locked due to age.

Parents

0 teched_01 over 10 years ago

It appears the KB article has been updated. The SMTP section currently reads:

Sophos UTM
SMTP Proxy
Disable SSLv3 for SMTP and turn TLSv1.2 back on:

Navigate to /var/chroot-smtp/etc/
Open the exim.conf with vi: vi exim.conf
Change the line openssl_options to: openssl_options = +no_sslv3
Save your changes and close the editor: :wq
Now restart the smtpd service by executing /var/mdw/scripts/smtp restart

Unfortunately Sophos doesn't appear to include any change information or notes to revert their prior recommended workaround(s).

I have updated my alternative workarounds (scripts) thread https://www.astaro.org/gateway-products/general-discussion/54160-some-alternative-poodle-workarounds-utm.html.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 teched_01 over 10 years ago

It appears the KB article has been updated. The SMTP section currently reads:

Sophos UTM
SMTP Proxy
Disable SSLv3 for SMTP and turn TLSv1.2 back on:

Navigate to /var/chroot-smtp/etc/
Open the exim.conf with vi: vi exim.conf
Change the line openssl_options to: openssl_options = +no_sslv3
Save your changes and close the editor: :wq
Now restart the smtpd service by executing /var/mdw/scripts/smtp restart

Unfortunately Sophos doesn't appear to include any change information or notes to revert their prior recommended workaround(s).

I have updated my alternative workarounds (scripts) thread https://www.astaro.org/gateway-products/general-discussion/54160-some-alternative-poodle-workarounds-utm.html.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data