
Some alternative "Poodle" workarounds for UTM

Use at your own risk.  I barely tested this on 9.113.

These are modified versions of Sophos' workaround directions in KB 121509.

All run as root.

Backups 
On-box, to the directory /root/poodle-teched-YearMonthDayHourMinuteSecond-Nanoseconds.  Offload from the host on your own.  There may be errors if a service is not configured; double/triple check.  Also make backups via WebAdmin.

rsync -avR /var/chroot-httpd/etc/httpd/httpd.conf /var/chroot-reverseproxy/usr/apache/conf/httpd.conf /var/chroot-smtp/etc/exim.conf /var/chroot-pop3/etc/pop3proxy.conf /root/poodle-teched-`date +"%Y%m%d%H%M%S-%N"`/


WebAdmin, User Portal, Mail Manager, SPX reply portal
echo before; grep SSLProtocol /var/chroot-httpd/etc/httpd/httpd.conf ; sed -i '/^SSLProtocol all -SSLv2$/ s/$/ -SSLv3/' /var/chroot-httpd/etc/httpd/httpd.conf; echo after; grep SSLProtocol /var/chroot-httpd/etc/httpd/httpd.conf


Expected output:
before
SSLProtocol all -SSLv2
after
SSLProtocol all -SSLv2 -SSLv3


Associated restart:
/etc/init.d/httpd restart



Web Application Firewall
echo before; grep SSLProtocol /var/chroot-reverseproxy/usr/apache/conf/httpd.conf ; sed -i '/^SSLProtocol all -SSLv2$/ s/$/ -SSLv3/' /var/chroot-reverseproxy/usr/apache/conf/httpd.conf; echo after; grep SSLProtocol /var/chroot-reverseproxy/usr/apache/conf/httpd.conf


Expected output:
before
SSLProtocol all -SSLv2
after
SSLProtocol all -SSLv2 -SSLv3


Associated restart:
/var/mdw/scripts/reverseproxy restart
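The WebAdmin and WAF edits above are the same one-line sed applied to two httpd.conf files. The following is an added example, not code from the original post or from Sophos' KB 121509: it wraps that sed together with the backup step so it can be run safely more than once, refuses to touch a file whose SSLProtocol line is not the expected one, and verifies the result. The file path is a parameter, and BACKUP_ROOT is an assumed override (defaulting to /root as in the post) so the function can be exercised on a constructed copy of httpd.conf.

```shell
# Added example (not from the post or the KB): idempotent version of the
# SSLProtocol edit above, with the post's backup naming and a verification step.

# Copy FILE into a timestamped backup directory named like the post's
# /root/poodle-teched-...; BACKUP_ROOT is an assumed override for testing.
backup_conf() {
    file=$1
    dest=${BACKUP_ROOT:-/root}/poodle-teched-$(date +"%Y%m%d%H%M%S-%N")
    mkdir -p "$dest" && cp -p "$file" "$dest/" && echo "backup: $dest/$(basename "$file")"
}

# Return 0 when FILE already carries an SSLProtocol line that excludes SSLv3.
sslv3_disabled() {
    grep -Eq '^SSLProtocol[[:space:]].*-SSLv3([[:space:]]|$)' "$1"
}

# Apply the post's sed only when the unmodified line is present, then verify.
# Exit status: 0 = SSLv3 is disabled afterwards, 1 = the expected line was
# not found (inspect the file by hand, as the post warns).
disable_sslv3_apache() {
    file=$1
    if sslv3_disabled "$file"; then
        echo "already disabled: $file"
        return 0
    fi
    if ! grep -q '^SSLProtocol all -SSLv2$' "$file"; then
        echo "unexpected SSLProtocol line in $file, not touching it:" >&2
        grep -n '^SSLProtocol' "$file" >&2
        return 1
    fi
    backup_conf "$file" >/dev/null
    sed -i '/^SSLProtocol all -SSLv2$/ s/$/ -SSLv3/' "$file"
    sslv3_disabled "$file"
}
```

On the UTM this would be called once for /var/chroot-httpd/etc/httpd/httpd.conf and once for /var/chroot-reverseproxy/usr/apache/conf/httpd.conf, each followed by the matching restart from the post; a second run reports "already disabled" instead of appending -SSLv3 twice.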



SMTP Proxy
Sophos appears to have revised their suggested workaround in the KB. (October 21, 2014).  
THIS IS DEPRECATED. Part one, modify tls_require_ciphers:
echo before; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf; sed -i '/^tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2$/ s/$/:!SSLv3/' /var/chroot-smtp/etc/exim.conf; echo after; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf


Expected output:
before
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2
openssl_options = +no_tlsv1_2
after
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
openssl_options = +no_tlsv1_2

 
THIS IS DEPRECATED. Part two, slightly modified Sophos instructions: commenting out the line instead of deleting it for openssl_options:
echo before; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf; sed -i '/^openssl_options/ s/^/#/' /var/chroot-smtp/etc/exim.conf; echo after; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf


Expected output:

before
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
openssl_options = +no_tlsv1_2
after
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3
#openssl_options = +no_tlsv1_2


(Updated) eserzet's SMTP Proxy:
Sophos' new (October 21, 2014) directions appear to match this.
From eserzet's.  Don't do part one or two of Sophos' version above.  (This code, unchanged from eserzet's, will undo the commenting-out of the line if that was done in part two of Sophos' version above.  It displays but does not modify the tls_require_ciphers line.)

echo before; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf; sed -i 's/^#openssl_options/openssl_options/; s/no_tlsv1_2/no_sslv3/' /var/chroot-smtp/etc/exim.conf; echo after; grep tls_require_ciphers  /var/chroot-smtp/etc/exim.conf ; grep openssl_options /var/chroot-smtp/etc/exim.conf


Expected output:
before
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2
openssl_options = +no_tlsv1_2
after
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2
openssl_options = +no_sslv3


Associated restart (both Sophos' and eserzet's):
/var/mdw/scripts/smtp restart
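eserzet's sed has to cope with three states of the openssl_options line: the original +no_tlsv1_2, the commented-out line left behind by the deprecated part two, and an already-converted +no_sslv3. The following is an added example, not code from the post, from eserzet or from Sophos: it names the state the file is in before acting, applies the same sed, confirms tls_require_ciphers was left alone, and verifies the result. The exim.conf path is a parameter so it can be run against a constructed copy.

```shell
# Added example (not from the post): eserzet's openssl_options change,
# wrapped with state detection and verification.

# Print the state of the openssl_options line in FILE:
#   original  -> "openssl_options = +no_tlsv1_2"
#   commented -> "#openssl_options = +no_tlsv1_2" (left by the deprecated part two)
#   done      -> "openssl_options = +no_sslv3"
#   missing   -> no such line at all
exim_openssl_state() {
    if grep -q '^openssl_options = +no_sslv3$' "$1"; then echo done
    elif grep -q '^openssl_options = +no_tlsv1_2$' "$1"; then echo original
    elif grep -q '^#openssl_options = +no_tlsv1_2$' "$1"; then echo commented
    else echo missing
    fi
}

# Apply the post's sed (uncomment, then swap no_tlsv1_2 for no_sslv3) and
# verify. tls_require_ciphers is printed but, as the post notes, not changed.
# Exit status 0 when the file ends up in the "done" state, 1 otherwise.
exim_disable_sslv3() {
    file=$1
    before=$(exim_openssl_state "$file")
    case $before in
        done)    echo "already done: $file"; return 0 ;;
        missing) echo "no openssl_options line in $file, inspect by hand" >&2; return 1 ;;
    esac
    echo "state before: $before"
    sed -i 's/^#openssl_options/openssl_options/; s/no_tlsv1_2/no_sslv3/' "$file"
    echo "tls_require_ciphers unchanged: $(grep '^tls_require_ciphers' "$file")"
    [ "$(exim_openssl_state "$file")" = done ]
}
```

Run it against /var/chroot-smtp/etc/exim.conf and follow with the smtp restart above; a file with no openssl_options line is reported rather than silently passed over.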



POP3
I don't use this and my (9.113) pop3proxy.conf* don't contain "tls_require_ciphers".

HTTP/HTTPS Proxy
Check original value:
UTM9.113:/root # cc get http tlsciphers_client
DEFAULT


Change value:
cc set http tlsciphers_client ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:PSK-RC4-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA


Verify:
UTM9.113:/root # cc get http tlsciphers_client
ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:PSK-RC4-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA


Associated restart (thanks to BAlfson for noting I'd missed this at the end):
/var/mdw/scripts/httpproxy restart


  • Thanks BAlfson for the QA check - perhaps part of my preference for automation/scripting is knowing that I am prone to errors and oversights with repeated actions.

    Here is an example logic wrapped restart/stop:
    if [ "$(cc get smtp status)" = 1 ] ; then /var/mdw/scripts/smtp restart ; else /var/mdw/scripts/smtp stop; fi


    If the output of "cc get smtp status" is 1 then run the smtp restart command, otherwise run the smtp stop command.
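The one-liner in the reply above has a sharp edge: if cc prints nothing (or an error message) the test is not "0", so the else branch stops the proxy. The following is an added example, not code from the reply's author: the same restart-or-stop decision as a function that refuses to act on an unexpected status value. UTM_CC and UTM_SMTP_SCRIPT are assumed names introduced here so the logic can be exercised offline against stubs; on the UTM they default to cc and /var/mdw/scripts/smtp.

```shell
# Added example (not from the reply): restart the SMTP proxy when it is
# enabled, stop it when it is disabled, and do nothing when the status
# cannot be read. UTM_CC / UTM_SMTP_SCRIPT are assumed overrides for testing.
: "${UTM_CC:=cc}"
: "${UTM_SMTP_SCRIPT:=/var/mdw/scripts/smtp}"

# Map a confd status value to the action the reply describes:
# 1 -> restart (enabled), 0 -> stop (disabled), anything else (empty output,
# an error string) -> unknown, so the caller can bail out instead of guessing.
smtp_action_for_status() {
    case $1 in
        1) echo restart ;;
        0) echo stop ;;
        *) echo unknown ;;
    esac
}

# Query "cc get smtp status" and run the matching smtp script action.
# Prints the action taken; exit status 1 when the status was unusable
# or the script itself failed.
smtp_restart_or_stop() {
    status=$("$UTM_CC" get smtp status 2>/dev/null)
    action=$(smtp_action_for_status "$status")
    if [ "$action" = unknown ]; then
        echo "unexpected 'cc get smtp status' output: '$status'" >&2
        return 1
    fi
    "$UTM_SMTP_SCRIPT" "$action" || return 1
    echo "$action"
}
```

The same shape fits the other services in the post; only the status key queried through cc and the script under /var/mdw/scripts change.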