
Some alternative "Poodle" workarounds for UTM

Use at your own risk.  I barely tested this on 9.113.

These are modified versions of Sophos' workaround directions in KB 121509.

All run as root.

Backups 
Written on the box to the directory /root/poodle-teched-YearMonthDayHourMinuteSecond-Nanoseconds.  Offload it from the host on your own.  There may be errors if a service is not configured; double/triple check.  Also make backups via WebAdmin.

rsync -avR /var/chroot-httpd/etc/httpd/httpd.conf /var/chroot-reverseproxy/usr/apache/conf/httpd.conf /var/chroot-smtp/etc/exim.conf /var/chroot-pop3/etc/pop3proxy.conf /root/poodle-teched-`date +"%Y%m%d%H%M%S-%N"`/


WebAdmin, User Portal, Mail Manager, SPX reply portal
echo before; grep SSLProtocol /var/chroot-httpd/etc/httpd/httpd.conf ; sed -i '/^SSLProtocol all -SSLv2$/ s/$/ -SSLv3/' /var/chroot-httpd/etc/httpd/httpd.conf; echo after; grep SSLProtocol /var/chroot-httpd/etc/httpd/httpd.conf


Expected output:
before
SSLProtocol all -SSLv2
after
SSLProtocol all -SSLv2 -SSLv3


Associated restart:
/etc/init.d/httpd restart



Web Application Firewall
echo before; grep SSLProtocol /var/chroot-reverseproxy/usr/apache/conf/httpd.conf ; sed -i '/^SSLProtocol all -SSLv2$/ s/$/ -SSLv3/' /var/chroot-reverseproxy/usr/apache/conf/httpd.conf; echo after; grep SSLProtocol /var/chroot-reverseproxy/usr/apache/conf/httpd.conf


Expected output:
before
SSLProtocol all -SSLv2
after
SSLProtocol all -SSLv2 -SSLv3


Associated restart:
/var/mdw/scripts/reverseproxy restart



SMTP Proxy
Sophos appears to have revised their suggested workaround in the KB (October 21, 2014).
THIS IS DEPRECATED. Part one, modify tls_require_ciphers:
echo before; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf; sed -i '/^tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2$/ s/$/:!SSLv3/' /var/chroot-smtp/etc/exim.conf; echo after; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf


Expected output:
before
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2
openssl_options = +no_tlsv1_2
after
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
openssl_options = +no_tlsv1_2

 
THIS IS DEPRECATED. Part two, slightly modified Sophos instructions: commenting out the line instead of deleting it for openssl_options:
echo before; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf; sed -i '/^openssl_options/ s/^/#/' /var/chroot-smtp/etc/exim.conf; echo after; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf


Expected output:

before
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
openssl_options = +no_tlsv1_2
after
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
#openssl_options = +no_tlsv1_2


(Updated) eserzet's SMTP Proxy :
Sophos' new (October 21, 2014) directions appear to match this.
From eserzet's.  Don't do part one or two of Sophos' version above (this unchanged code will undo the commenting-out of the line if it was done in part two of Sophos' version above.  It displays but does not modify the tls_require_ciphers line.)

echo before; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf; sed -i 's/^#openssl_options/openssl_options/; s/no_tlsv1_2/no_sslv3/' /var/chroot-smtp/etc/exim.conf; echo after; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf


Expected outputs:
before
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2
openssl_options = +no_tlsv1_2
after
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2
openssl_options = +no_sslv3


Associated restart (both Sophos' and eserzet's):
/var/mdw/scripts/smtp restart



POP3
I don't use this, and my (9.113) pop3proxy.conf* files don't contain "tls_require_ciphers".

HTTP/HTTPS Proxy
Check original value:
UTM9.113:/root # cc get http tlsciphers_client
DEFAULT


Change value:
cc set http tlsciphers_client ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:PSK-RC4-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA


Verify:
UTM9.113:/root # cc get http tlsciphers_client
ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:PSK-RC4-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA


Associated restart:
Thanks to BAlfson for noting I'd missed this at the end.
/var/mdw/scripts/httpproxy restart
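An added example, not code from the original post, from Sophos, or from eserzet: the post's sed edits for the Apache httpd.conf files and for exim.conf wrapped in shell functions, plus an audit step that fails when a config line did not end up in the expected post-edit form. The point of the audit is the one the before/after greps above hint at: the sed patterns are anchored to one exact line, so on a file whose line reads differently they change nothing and silently leave SSLv3 enabled. The sed expressions are the post's own; the sample files are constructed for the demo and live in a temp directory, not under /var/chroot-*.

```sh
#!/bin/sh
# Added example (not from the original post, Sophos, or eserzet): the post's
# sed edits wrapped in functions, plus an audit that fails when a config line
# is not in the expected post-edit form. Sample files below are constructed
# for the demo; on a real UTM you would point these at the /var/chroot-* paths
# named in the post, after taking the backups the post describes.

# Apache-style httpd.conf (WebAdmin/User Portal, WAF): append " -SSLv3" to the
# exact line the post targets. Safe to run twice: once " -SSLv3" is appended
# the anchored pattern no longer matches, so nothing is appended again.
disable_sslv3_apache() {
    sed -i '/^SSLProtocol all -SSLv2$/ s/$/ -SSLv3/' "$1"
}

# exim.conf (SMTP proxy), eserzet's variant from the post: re-enable a
# commented-out openssl_options line and swap no_tlsv1_2 for no_sslv3.
disable_sslv3_exim() {
    sed -i 's/^#openssl_options/openssl_options/; s/no_tlsv1_2/no_sslv3/' "$1"
}

# Audit an Apache config: succeed only if it has an SSLProtocol line and every
# SSLProtocol line carries -SSLv3. A missing line is a failure, because the sed
# above would then have changed nothing. Any other form of the line (for
# example a hand-edited one) is flagged for manual review rather than trusted.
audit_apache() {
    grep -q '^SSLProtocol' "$1" || return 1
    if grep '^SSLProtocol' "$1" | grep -v -- '-SSLv3' >/dev/null; then
        return 1            # at least one SSLProtocol line lacks -SSLv3
    fi
    return 0
}

# Audit an Exim config: succeed only if an active (uncommented) openssl_options
# line carries +no_sslv3.
audit_exim() {
    grep -q '^openssl_options *=.*+no_sslv3' "$1"
}

# Apply both edits and audit both files; non-zero if either audit fails.
harden_and_audit() {
    disable_sslv3_apache "$1"
    disable_sslv3_exim "$2"
    audit_apache "$1" && audit_exim "$2"
}

# Demo on constructed copies of the two files (same "before" content as the
# post's expected output).
demo_dir=$(mktemp -d)
printf 'SSLProtocol all -SSLv2\n' > "$demo_dir/httpd.conf"
printf 'tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2\n' > "$demo_dir/exim.conf"
printf '#openssl_options = +no_tlsv1_2\n' >> "$demo_dir/exim.conf"
if harden_and_audit "$demo_dir/httpd.conf" "$demo_dir/exim.conf"; then
    echo "SSLv3 disabled in both sample files:"
    grep -h -e 'SSLProtocol' -e 'openssl_options' "$demo_dir/httpd.conf" "$demo_dir/exim.conf"
else
    echo "audit failed: a line did not match the expected pattern" >&2
fi
```

Running the audit functions alone (without the disable_* steps) against the live files is a cheap post-restart check, and re-running the whole thing is harmless because both sed expressions are idempotent on already-edited lines.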


  • a fix is on the way in the very near future for all affected sophos products. ;)

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • a fix is on the way in the very near future for all affected sophos products. ;)


    Do you have more up to date and specific information than the KB article?  If so, what is it?

    Currently: The knowledge base article lists version 9.209 and a release date of "TBA (current estimated release date 23 October 2014)".  Every other product has only "TBA" for both patched version and date.

    I put the commands together because it made me cringe thinking about the opportunities for errors and inconsistency in "open file, manually edit it, save, etc, repeat as needed".