
Some alternative "Poodle" workarounds for UTM

Use at your own risk.  I barely tested this on 9.113.

These are modified versions of Sophos' workaround directions in KB 121509.

All run as root.

Backups
Written on the box to the directory /root/poodle-teched-YearMonthDayHourMinuteSecond-Nanoseconds; offload them from the host on your own. rsync may report errors for files of services that are not configured, so double- and triple-check the result. Also make backups via WebAdmin.

rsync -avR /var/chroot-httpd/etc/httpd/httpd.conf /var/chroot-reverseproxy/usr/apache/conf/httpd.conf /var/chroot-smtp/etc/exim.conf /var/chroot-pop3/etc/pop3proxy.conf /root/poodle-teched-`date +"%Y%m%d%H%M%S-%N"`/


WebAdmin, User Portal, Mail Manager, SPX reply portal
echo before; grep SSLProtocol /var/chroot-httpd/etc/httpd/httpd.conf ; sed -i '/^SSLProtocol all -SSLv2$/ s/$/ -SSLv3/' /var/chroot-httpd/etc/httpd/httpd.conf; echo after; grep SSLProtocol /var/chroot-httpd/etc/httpd/httpd.conf


Expected output:
before
SSLProtocol all -SSLv2
after
SSLProtocol all -SSLv2 -SSLv3


Associated restart:
/etc/init.d/httpd restart



Web Application Firewall
echo before; grep SSLProtocol /var/chroot-reverseproxy/usr/apache/conf/httpd.conf ; sed -i '/^SSLProtocol all -SSLv2$/ s/$/ -SSLv3/' /var/chroot-reverseproxy/usr/apache/conf/httpd.conf; echo after; grep SSLProtocol /var/chroot-reverseproxy/usr/apache/conf/httpd.conf


Expected output:
before
SSLProtocol all -SSLv2
after
SSLProtocol all -SSLv2 -SSLv3


Associated restart:
/var/mdw/scripts/reverseproxy restart
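The sed one-liners for the WebAdmin and WAF httpd.conf files above match only the exact text "SSLProtocol all -SSLv2"; if the line differs they silently change nothing, and running them twice on a line that already carries -SSLv3 cannot be distinguished from a no-op without reading the grep output. The following is an added example (not from the original post or from Sophos' KB 121509) of the same edit written to be idempotent and self-verifying. It assumes the UTM's "SSLProtocol all -SSLvN" style, operates only on the path you pass in, and the sample file it builds is constructed data rather than a UTM file; the timestamped .bak copy next to the file is this example's own choice of backup.

```shell
#!/bin/sh
# Added example, not from the original post or from Sophos' KB 121509.
# Idempotent, self-verifying form of the SSLProtocol edit used for the
# WebAdmin and WAF httpd.conf files. Assumes the UTM's "SSLProtocol all
# -SSLv2" style and only ever operates on the path passed in.

# Write a constructed httpd.conf fragment (mirrors the thread's "before"
# state) to a temp file and print its path. Sample data, not a UTM file.
make_sample_httpd_conf() {
    f=$(mktemp)
    printf '%s\n' 'SSLEngine on' 'SSLProtocol all -SSLv2' 'SSLCipherSuite HIGH:!aNULL' > "$f"
    echo "$f"
}

# Usage: disable_sslv3_apache /path/to/httpd.conf
# Returns 0 when every active SSLProtocol line excludes SSLv3 afterwards,
# 1 when there is no SSLProtocol line or the result still allows SSLv3.
disable_sslv3_apache() {
    conf="$1"
    # Fail loudly when there is nothing to edit: the thread's one-liner
    # matches only the exact text "SSLProtocol all -SSLv2" and silently
    # leaves any other line alone.
    if ! grep -q '^SSLProtocol' "$conf"; then
        echo "no SSLProtocol directive in $conf" >&2
        return 1
    fi
    # Keep a timestamped copy next to the file before touching it.
    cp "$conf" "$conf.$(date +%Y%m%d%H%M%S).bak"
    # Append " -SSLv3" only to SSLProtocol lines that do not already carry it,
    # so a second run does not produce "-SSLv3 -SSLv3". Written via a temp
    # file rather than sed -i so it behaves the same with GNU and BSD sed.
    tmp="$conf.tmp.$$"
    sed '/^SSLProtocol/{/-SSLv3/!s/$/ -SSLv3/;}' "$conf" > "$tmp" && mv "$tmp" "$conf"
    # Verify the change took effect instead of trusting the edit.
    if grep '^SSLProtocol' "$conf" | grep -qv -- '-SSLv3'; then
        echo "SSLv3 still allowed in $conf" >&2
        return 1
    fi
    echo "SSLv3 disabled in $conf"
    return 0
}
```

Run it as `disable_sslv3_apache /var/chroot-httpd/etc/httpd/httpd.conf` (or the reverseproxy path) and restart the service only when it returns 0; a non-zero return means the file did not look like the thread expects and deserves a manual look before anything is restarted.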



SMTP Proxy
Sophos appears to have revised their suggested workaround in the KB (October 21, 2014).
THIS IS DEPRECATED. Part one, modify tls_require_ciphers:
echo before; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf; sed -i '/^tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2$/ s/$/:!SSLv3/' /var/chroot-smtp/etc/exim.conf; echo after; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf


Expected output:
before
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2
openssl_options = +no_tlsv1_2
after
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
openssl_options = +no_tlsv1_2

 
THIS IS DEPRECATED. Part two, slightly modified Sophos instructions, commenting out the openssl_options line instead of deleting it:
echo before; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf; sed -i '/^openssl_options/ s/^/#/' /var/chroot-smtp/etc/exim.conf; echo after; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf


Expected output:

before
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
openssl_options = +no_tlsv1_2
after
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
#openssl_options = +no_tlsv1_2


(Updated) eserzet's SMTP Proxy:
Sophos' new (October 21, 2014) directions appear to match this.
From eserzet's post. Do not do part one or two of Sophos' version above. This unchanged command also undoes the commenting-out of the openssl_options line if part two of Sophos' version was applied; it displays but does not modify the tls_require_ciphers line.

echo before; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf; sed -i 's/^#openssl_options/openssl_options/; s/no_tlsv1_2/no_sslv3/' /var/chroot-smtp/etc/exim.conf; echo after; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf


Expected outputs:
before
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2
openssl_options = +no_tlsv1_2
after
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2
openssl_options = +no_sslv3


Associated restart (both Sophos' and eserzet's):
/var/mdw/scripts/smtp restart
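Between the two deprecated Sophos steps and eserzet's single change, an exim.conf on a box that followed earlier advice can be in several states, and the grep output above has to be read by eye to tell them apart. The following is an added example (not from the original post, from eserzet, or from Sophos) that audits an exim.conf and names each finding: whether openssl_options is active, commented out or missing, whether it still carries +no_tlsv1_2 or lacks +no_sslv3, and whether !SSLv3 was added to tls_require_ciphers (the thread reports that last state leaves only TLSv1.2). It operates only on the path passed in; the sample files it builds are constructed data, not UTM files.

```shell
#!/bin/sh
# Added example, not from the original post, from eserzet, or from Sophos.
# Audits an exim.conf for the SMTP proxy states discussed in the thread and
# names each finding, so you can tell which (deprecated) step was applied
# before deciding what to undo. Operates only on the path passed in.

# Constructed exim.conf fragment: $1 is the tls_require_ciphers value, $2 the
# openssl_options line verbatim (so a commented-out line can be simulated).
make_sample_exim_conf() {
    f=$(mktemp)
    printf '%s\n' 'primary_hostname = utm.example' "tls_require_ciphers = $1" "$2" > "$f"
    echo "$f"
}

# Usage: audit_exim_sslv3 /path/to/exim.conf
# Prints "ok" and returns 0 for the state eserzet recommends (openssl_options
# active with +no_sslv3, no !SSLv3 in tls_require_ciphers). Otherwise prints
# space-separated findings and returns 1:
#   options_missing        no openssl_options line at all
#   options_commented      openssl_options commented out (deprecated part two)
#   tlsv1_2_disabled       openssl_options still carries +no_tlsv1_2
#   sslv3_allowed          openssl_options does not carry +no_sslv3
#   ciphers_exclude_sslv3  !SSLv3 in tls_require_ciphers (deprecated part one;
#                          the thread reports this leaves only TLSv1.2)
audit_exim_sslv3() {
    conf="$1"
    findings=""
    if grep -q '^openssl_options' "$conf"; then
        opts=$(grep '^openssl_options' "$conf")
        case "$opts" in *no_tlsv1_2*) findings="$findings tlsv1_2_disabled" ;; esac
        case "$opts" in *no_sslv3*) ;; *) findings="$findings sslv3_allowed" ;; esac
    elif grep -q '^#openssl_options' "$conf"; then
        findings="$findings options_commented"
    else
        findings="$findings options_missing"
    fi
    ciphers=$(grep '^tls_require_ciphers' "$conf" || true)
    case "$ciphers" in *'!SSLv3'*) findings="$findings ciphers_exclude_sslv3" ;; esac
    if [ -z "$findings" ]; then
        echo ok
        return 0
    fi
    # Strip the leading space left by the "$findings x" appends.
    echo "${findings# }"
    return 1
}
```

Run `audit_exim_sslv3 /var/chroot-smtp/etc/exim.conf` before and after the edit; it is read-only, so it is safe to run as often as needed, and a non-zero return before the restart tells you which of the above states still needs undoing.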



POP3
I don't use this and my (9.113) pop3proxy.conf* don't contain "tls_require_ciphers".

HTTP/HTTPS Proxy
Check original value:
UTM9.113:/root # cc get http tlsciphers_client
DEFAULT


Change value:
cc set http tlsciphers_client ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:PSK-RC4-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA


Verify:
UTM9.113:/root # cc get http tlsciphers_client
ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:PSK-RC4-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA


Associated restart:
Thanks to BAlfson for noting I'd missed this at the end.
/var/mdw/scripts/httpproxy restart



  • Part two alternative for eserzet's changes:

    echo before; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf; sed -i 's/^#openssl_options/openssl_options/; s/no_tlsv1_2/no_sslv3/' /var/chroot-smtp/etc/exim.conf; echo after; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf


    Expected outputs:
    before
    tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
    openssl_options = +no_tlsv1_2
    after
    tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
    openssl_options = +no_sslv3

    OR 
    before
    tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
    #openssl_options = +no_tlsv1_2
    after
    tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
    openssl_options = +no_sslv3


    Associated restart:
    /var/mdw/scripts/smtp restart




    Maybe I wasn't clear enough at the other thread.

    It is important that you DO NOT add "!SSLv3" to tls_require_ciphers - that's what I meant by "Instead we changed only the option" ... ;-)

    If you add this, you have again only support for TLSv1.2 .

    So for summarizing, the only one change to the exim.conf you need to do is:

    alter

    openssl_options = +no_tlsv1_2


    to

    openssl_options = +no_sslv3


    nothing else! Then you have TLS1, TLS1.1 and TLS1.2 support.


  • It is important that you DO NOT add "!SSLv3" to tls_require_ciphers - that's what I meant by "Instead we changed only the option" ... ;-)


    Thank you for the clarification.  I have updated the original post.

    This should strip :!SSLv3 if it was added to the line:

    sed -i '/^tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2/ s/:!SSLv3//' /var/chroot-smtp/etc/exim.conf