These are modified versions of Sophos' workaround directions in KB 121509.
All run as root.
Backups
On box to directory /root/poodle-teched-YearMonthDayHourMinuteSecond-Nanoseconds. Offload from the host on your own. There may be errors if the service is not configured - double/triple check. Also make backups via WebAdmin.
rsync -avR /var/chroot-httpd/etc/httpd/httpd.conf /var/chroot-reverseproxy/usr/apache/conf/httpd.conf /var/chroot-smtp/etc/exim.conf /var/chroot-pop3/etc/pop3proxy.conf /root/poodle-teched-`date +"%Y%m%d%H%M%S-%N"`/
WebAdmin, User Portal, Mail Manager, SPX reply portal
echo before; grep SSLProtocol /var/chroot-httpd/etc/httpd/httpd.conf ; sed -i '/^SSLProtocol all -SSLv2$/ s/$/ -SSLv3/' /var/chroot-httpd/etc/httpd/httpd.conf; echo after; grep SSLProtocol /var/chroot-httpd/etc/httpd/httpd.conf
Expected output:
before
SSLProtocol all -SSLv2
after
SSLProtocol all -SSLv2 -SSLv3
Associated restart:
/etc/init.d/httpd restart
Web Application Firewall
echo before; grep SSLProtocol /var/chroot-reverseproxy/usr/apache/conf/httpd.conf ; sed -i '/^SSLProtocol all -SSLv2$/ s/$/ -SSLv3/' /var/chroot-reverseproxy/usr/apache/conf/httpd.conf; echo after; grep SSLProtocol /var/chroot-reverseproxy/usr/apache/conf/httpd.conf
Expected output:
before
SSLProtocol all -SSLv2
after
SSLProtocol all -SSLv2 -SSLv3
Associated restart:
/var/mdw/scripts/reverseproxy restart
SMTP Proxy
Sophos appears to have revised their suggested workaround in the KB. (October 21, 2014).
THIS IS DEPRECATEDPart one, modify tls_require_ciphers:[/s]
echo before; grep tls_require_ciphers /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf; sed -i '/^tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2$/ s/$/:!SSLv3/' /var/chroot-smtp/etc/exim.conf; echo after; grep tls_require_ciphers /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf
Expected output:
before
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2
openssl_options = +no_tlsv1_2
after
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
openssl_options = +no_tlsv1_2
THIS IS DEPRECATEDPart two, slightly modified Sophos instructions: commenting out line instead of deleting for openssl_options:
echo before; grep tls_require_ciphers /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf; sed -i '/^openssl_options/ s/^/#/' /var/chroot-smtp/etc/exim.conf; echo after; grep tls_require_ciphers /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf
Expected output:
before
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
openssl_options = +no_tlsv1_2
after
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
#openssl_options = +no_tlsv1_2
(Updated) eserzet's SMTP Proxy :
Sophos' new (October 21, 2014) directions appear to match this.
From eserzet's. Don't do part one or two of Sophos' version above (this unchanged code will undo commenting out of the line if it was done in part two of Sophos' version above. It displays but does not modify the tls_require_ciphers line.)
echo before; grep tls_require_ciphers /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf; sed -i 's/^#openssl_options/openssl_options/; s/no_tlsv1_2/no_sslv3/' /var/chroot-smtp/etc/exim.conf; echo after; grep tls_require_ciphers /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf
Expected outputs:
before
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2
openssl_options = +no_tlsv1_2
after
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2
openssl_options = +no_sslv3
Associated restart (both Sophos' and eserzet's):
/var/mdw/scripts/smtp restart
POP3
I don't use this and my (9.113) pop3proxy.conf* don't contain "tls_require_ciphers".
HTTP/HTTPS Proxy
Check original value:
UTM9.113:/root # cc get http tlsciphers_client
DEFAULT
Change value:
cc set http tlsciphers_client ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA[[:P]]SK-RC4-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA
Verify:
UTM9.113:/root # cc get http tlsciphers_client
ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA[[:P]]SK-RC4-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA
Associated restart:
Thanks to BAlfson for noting I'd missed this at the end.
/var/mdw/scripts/httpproxy restart
This thread was automatically locked due to age.
