
Some alternative "Poodle" workarounds for UTM

Use at your own risk.  I barely tested this on 9.113.

These are modified versions of Sophos' workaround directions in KB 121509.

All run as root.

Backups 
On box to directory /root/poodle-teched-YearMonthDayHourMinuteSecond-Nanoseconds.  Offload from the host on your own.  There may be errors if the service is not configured - double/triple check.  Also make backups via WebAdmin.

rsync -avR /var/chroot-httpd/etc/httpd/httpd.conf /var/chroot-reverseproxy/usr/apache/conf/httpd.conf /var/chroot-smtp/etc/exim.conf /var/chroot-pop3/etc/pop3proxy.conf /root/poodle-teched-`date +"%Y%m%d%H%M%S-%N"`/


WebAdmin, User Portal, Mail Manager, SPX reply portal
echo before; grep SSLProtocol /var/chroot-httpd/etc/httpd/httpd.conf ; sed -i '/^SSLProtocol all -SSLv2$/ s/$/ -SSLv3/' /var/chroot-httpd/etc/httpd/httpd.conf; echo after; grep SSLProtocol /var/chroot-httpd/etc/httpd/httpd.conf


Expected output:
before
SSLProtocol all -SSLv2
after
SSLProtocol all -SSLv2 -SSLv3


Associated restart:
/etc/init.d/httpd restart



Web Application Firewall
echo before; grep SSLProtocol /var/chroot-reverseproxy/usr/apache/conf/httpd.conf ; sed -i '/^SSLProtocol all -SSLv2$/ s/$/ -SSLv3/' /var/chroot-reverseproxy/usr/apache/conf/httpd.conf; echo after; grep SSLProtocol /var/chroot-reverseproxy/usr/apache/conf/httpd.conf


Expected output:
before
SSLProtocol all -SSLv2
after
SSLProtocol all -SSLv2 -SSLv3


Associated restart:
/var/mdw/scripts/reverseproxy restart



SMTP Proxy
Sophos appears to have revised their suggested workaround in the KB. (October 21, 2014).  
THIS IS DEPRECATED. Part one, modify tls_require_ciphers:
echo before; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf; sed -i '/^tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2$/ s/$/:!SSLv3/' /var/chroot-smtp/etc/exim.conf; echo after; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf


Expected output:
before
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2
openssl_options = +no_tlsv1_2
after
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
openssl_options = +no_tlsv1_2

 
THIS IS DEPRECATED. Part two, slightly modified Sophos instructions: commenting out the line instead of deleting it for openssl_options:
echo before; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf; sed -i '/^openssl_options/ s/^/#/' /var/chroot-smtp/etc/exim.conf; echo after; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf


Expected output:

before
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
openssl_options = +no_tlsv1_2
after
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
#openssl_options = +no_tlsv1_2


(Updated) eserzet's SMTP Proxy :
Sophos' new (October 21, 2014) directions appear to match this.
From eserzet's.  Don't do part one or two of Sophos' version above (this unchanged code will undo commenting out of the line if it was done in part two of Sophos' version above.  It displays but does not modify the tls_require_ciphers line.)

echo before; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf; sed -i 's/^#openssl_options/openssl_options/; s/no_tlsv1_2/no_sslv3/' /var/chroot-smtp/etc/exim.conf; echo after; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf


Expected outputs:
before
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2
openssl_options = +no_tlsv1_2
after
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2
openssl_options = +no_sslv3


Associated restart (both Sophos' and eserzet's):
/var/mdw/scripts/smtp restart



POP3
I don't use this and my (9.113) pop3proxy.conf* don't contain "tls_require_ciphers".

HTTP/HTTPS Proxy
Check original value:
UTM9.113:/root # cc get http tlsciphers_client
DEFAULT


Change value:
cc set http tlsciphers_client ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:PSK-RC4-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA


Verify:
UTM9.113:/root # cc get http tlsciphers_client
ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:PSK-RC4-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA


Associated restart:
Thanks to BAlfson for noting I'd missed this at the end.
/var/mdw/scripts/httpproxy restart
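A dry run of the edits above against throwaway copies, added here as an example; it is not part of the original post or of Sophos' KB. The sed expressions are the ones used in this thread (Apache: append -SSLv3; exim: eserzet's openssl_options change plus the strip of :!SSLv3). Everything else is an assumption: the helper names, the temp directory under $TMPDIR, the constructed sample config contents, and GNU sed for -i. It needs no root and never touches /var/chroot-*, so it can be run on any Linux box before the real edits:

```shell
#!/bin/sh
# Added example (not from the thread): rehearse the thread's sed edits on
# constructed copies of httpd.conf and exim.conf and verify the end state.
# Helper names, WORK directory and the sample file contents are assumptions.

WORK="${TMPDIR:-/tmp}/poodle-rehearsal.$$"

# Constructed stand-ins: one Apache file in the stock state, one exim file in
# the worst case (deprecated part one and part two of the KB already applied).
make_fixtures() {
    mkdir -p "$WORK"
    printf '%s\n' 'ServerName utm' 'SSLProtocol all -SSLv2' > "$WORK/httpd.conf"
    printf '%s\n' 'tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3' \
                  '#openssl_options = +no_tlsv1_2' > "$WORK/exim.conf"
}

# Apache (WebAdmin / WAF): the $-anchored match only fires on the exact stock
# line, so running it twice cannot append -SSLv3 twice.
disable_sslv3_apache() {
    sed -i '/^SSLProtocol all -SSLv2$/ s/$/ -SSLv3/' "$1"
}

# Exim (SMTP proxy), eserzet's variant: re-enable a commented openssl_options
# line, replace no_tlsv1_2 with no_sslv3, and remove a :!SSLv3 that the
# deprecated part one may have added to tls_require_ciphers.
fix_exim() {
    sed -i 's/^#openssl_options/openssl_options/; s/no_tlsv1_2/no_sslv3/' "$1"
    sed -i '/^tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2/ s/:!SSLv3//' "$1"
}

# Verification: exit 0 only when the whole line matches the expected result.
apache_ok() {
    grep -qx 'SSLProtocol all -SSLv2 -SSLv3' "$1"
}

exim_ok() {
    grep -qx 'openssl_options = +no_sslv3' "$1" &&
    grep -qx 'tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2' "$1" &&
    ! grep -q '!SSLv3' "$1"
}

# Full rehearsal: build fixtures, apply each edit twice to prove it is safe to
# re-run, then check both files. Returns non-zero if anything is off.
rehearse() {
    make_fixtures
    disable_sslv3_apache "$WORK/httpd.conf"
    disable_sslv3_apache "$WORK/httpd.conf"
    fix_exim "$WORK/exim.conf"
    fix_exim "$WORK/exim.conf"
    apache_ok "$WORK/httpd.conf" && exim_ok "$WORK/exim.conf"
}

rehearse && echo "rehearsal OK, edited copies left in $WORK for inspection"
```

The point of applying each edit twice is the same one the thread's $-anchored sed relies on: an edit that is safe to re-run can be put in a script and repeated on every box without first checking by hand whether it was already done.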



  • Part two alternative for eserzet's changes:

    echo before; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf; sed -i 's/^#openssl_options/openssl_options/; s/no_tlsv1_2/no_sslv3/' /var/chroot-smtp/etc/exim.conf; echo after; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf


    Expected outputs:
    before
    tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
    openssl_options = +no_tlsv1_2
    after
    tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
    openssl_options = +no_sslv3

    OR 
    before
    tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
    #openssl_options = +no_tlsv1_2
    after
    tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
    openssl_options = +no_sslv3


    Associated restart:
    /var/mdw/scripts/smtp restart




    Maybe I wasn't clear enough at the other thread.

    It is important that you DO NOT add "!SSLv3" to tls_require_ciphers - that's what I meant by "Instead we changed only the option" ... ;-)

    If you add this, you have again only support for TLSv1.2 .

    So, to summarize, the only change you need to make to exim.conf is:

    alter

    openssl_options = +no_tlsv1_2


    to

    openssl_options = +no_sslv3


    nothing else! Then you have TLS1, TLS1.1 and TLS1.2 support.

  • It is important that you DO NOT add "!SSLv3" to tls_require_ciphers - that's what I meant by "Instead we changed only the option" ... ;-)


    Thank you for the clarification.  I have updated the original post.

    This should strip :!SSLv3 if it was added to the line:

    sed -i '/^tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2/ s/:!SSLv3//' /var/chroot-smtp/etc/exim.conf
  • a fix is on the way in the very near future for all affected sophos products. ;)

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • a fix is on the way in the very near future for all affected sophos products. ;)


    Do you have more up to date and specific information than the KB article?  If so, what is it?

    Currently: The knowledge base article lists version 9.209 and a release date of "TBA (current estimated release date 23 October 2014)".  Every other product has only "TBA" for both patched version and date.

    I put the commands together because it made me cringe thinking about the opportunities for errors and inconsistency in "open file, manually edit it, save, etc, repeat as needed".
  • nopers..but sophos has a track record of getting major things like this fixed.  I think ssl should be fully deprecated in favor of tls now Internet wide.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • Sophos appears to have revised the KB article.  I have updated my post noting the deprecated Part one and Part two of the SMTP section.

    The new directions appear to match eserzet's.  The script in post 4 strips the prior recommended :!SSLv3 from any lines that start "tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2".
  • Thanks, teched!

    Note that you shouldn't restart the proxies unless they're already running.  At least, with the Reverse Proxy, I found that caused a strange message every 30 minutes and I had to go in at two sites and run /var/mdw/scripts/reverseproxy stop.  I have no clients using the POP3 Proxy, and all run Web Filtering so only WAF and SMTP are shown here.

    cc get reverse_proxy status
    cc get smtp status


    Also, aren't you missing the httpproxy restart?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks BAlfson for the QA check - perhaps part of my preference for automation/scripting is knowing that I am prone to errors and oversights with repeated actions.

    Here is an example logic wrapped restart/stop:
    if [ "$(cc get smtp status)" = 1 ] ; then /var/mdw/scripts/smtp restart ; else /var/mdw/scripts/smtp stop; fi


    If the output of "cc get smtp status" is 1 then run the smtp restart command, otherwise run the smtp stop command.