This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

9.210020 released

Up2Date 9.210020 package description:

Remarks:
System will be rebooted
Configuration will be upgraded
Connected Wifi APs will perform firmware upgrade

News:
Maintenance Release

Bugfixes:
Fix [27257]: RED50 frequently reconnecting because configuring an Additional Address as UTM-Hostname is not supported
Fix [27588]: Unable to fetch POP3 accounts on iOS devices via POP3 Proxy
Fix [27647]: aua does not work with facility http while installing basic guard license
Fix [27905]: [BETA] log the mac addresses human readable with leading zeros in the packetfilter log
Fix [28056]: it's not possible to view or download large log files in the webadmin because root partition is too small
Fix [28400]: Syslog not started after ipsbundle pattern installation
Fix [28842]: HA takeover if master reboots takes too much time
Fix [28966]: exceptions for Common Threat Filters do not work individually
Fix [29412]: Wireless Security Manager Role can't accept new AP's
Fix [30800]: [BETA] Some double byte characters aren't filtered by DLP custom rule and AntiSpam Expressions filter.
Fix [31083]: Remote SSL VPN view is empty in printable configuration
Fix [31340]: rsyncd not started after switching to master mode (slave node hangs in syncing state)
Fix [31387]: ad-sid-sync.pl is executed even if AD sync is disabled
Fix [31534]: Wrong date in executive report
Fix [31581]: Up2date pattern rpm's fails to install if hostname contains '/' character.
Fix [31859]: Make http proxy handle uncompressed DNS responses
Fix [32034]: Full transparent AD SSO redirect URL request gets dropped by packetfilter
Fix [32079]: UMTS modem device hanging
Fix [32097]: High load after pattern installation [9.2]
Fix [32190]: Policy tester always returns "allowed" if warn page is proceeded once
Fix [32391]: UMTS interface doesn't come up again after the speed changed from 4G to 3G
Fix [32433]: Not possible to delete VPN tunnel managed by SUM after use "cleanup object"
Fix [32537]: Guest login fails in transparent browser auth mode if "terms of use" confirmation is required
Fix [32552]: Quarantined mail will be quarantine again after release with the same reason
Fix [32588]: Can't restore backup beacause of an undefined value
Fix [32602]: Web control policy not applying to endpoints
Fix [32604]: Special characters like umlauts didn't work in passwords with reverse authentication for the WAF
Fix [32607]: Not possible to use virtual mac on lag interfaces
Fix [32683]: Can't send a VPN Profile to the SMC if the Organization Name includes a umlaut
Fix [32690]: It's not possible to use Subfolders for Remote Log File Archives over SMB on CIFS share
Fix [32696]: Hotspot: only one login possible per username for backend authentication hotspot
Fix [32703]: Multicast traffic problems after upgrading to SG430 and 9.204
Fix [32711]: Mail preview should display kyrilic or chinese chars too.
Fix [32713]: Console keyboard doesn't work
Fix [32726]: Dashboard does not show Antivirus active protocols for HTTP/S
Fix [32794]: vpn-reporter.pl segfault in get_amazonvpc
Fix [32805]: NETDEV WATCHDOG: eth0 (tg3): transmit queue 0 timed out
Fix [32832]: Remote Syslog Server IPv6 support
Fix [32837]: vpn-reporter.pl segfaults, error 4 in libc-2.11.3.so
Fix [32851]: Device auth reports wrong client information
Fix [32852]: Any SSL traffic through HTTP proxy gets classified as "Sophos Portal" if a "Sophos Portal" AppCtrl rule exists
Fix [32870]: ad-sid-sync.pl fails to lookup trusted domains groups
Fix [32940]: SG550: Licensing does not work if module is relocated after installation
Fix [32950]: Configuring a whitelist in webfilter filter action appears in blacklist on UTM
Fix [32957]: winbindd died in kernel_vsyscall
Fix [32969]: Coredumps from reverseproxy after update to v9.206
Fix [32972]: IPS exception does not work for SID 18575
Fix [32980]: Remove RC4 from TLS ciphers in Exim
Fix [33019]: After upgrading to iOS 8 UTM does not recognize iOS anymore (Device-specific Authentication)
Fix [33111]: Group matching incorrect if user belongs to static and backend groups
Fix [33277]: [9.2] Add support for passthrough NTLM connection
Fix [33307]: Not possible to change TLS certificate
Fix [33323]: Using @ in hostname results in corrupt /etc/syslog-ng.conf
Fix [33382]: Config changes in IPsec remote access sometime causing a drop of established connections
Fix [33429]: AP100: Unable to authenticate with an SSID using a PSK with a dollar character
Fix [33515]: SMTP Vulnerability in SSL v3.0
Fix [33516]: POP3 Vulnerability in SSL v3.0
Fix [33613]: OS X HTTPS traffic identified as iOS

RPM packages contained:
libaviraglue-9.20-3.g76595be.i686.rpm
libopenssl1_0_0-1.0.1j-1.gddc1804.i686.rpm
libopenssl1_0_0_httpproxy-1.0.1j-1.gddc1804.i686.rpm
cm-nextgen-agent-9.20-45.g7830967.i686.rpm
firmware-wifi-9300-0.180461091.g94e5548.rb1.i586.rpm
modformhardening-9.20-173.gad1d078.i686.rpm
modreverseauth-9.20-149.gfedf026.i686.rpm
openssl-1.0.1j-1.gddc1804.i686.rpm
p0f-3.07b-8.g55b53f9.i686.rpm
perf-tools-3.8.13.27-44.ga69a590.i686.rpm
postgresql92-9.2.9-1.g0c4287a.rb1.i686.rpm
red-firmware2-3057-0.gc7e7ee3.noarch.rpm
samba-3.6.22-2.g46dfc24.i686.rpm
ulogd-2.1.0-100.g834e524.i686.rpm
ep-reporting-9.20-65.g85b1cb6.i686.rpm
ep-reporting-c-9.20-42.g1564146.i686.rpm
ep-reporting-resources-9.20-65.g85b1cb6.i686.rpm
ep-aua-9.20-67.g286c591.i686.rpm
ep-branding-ASG-afg-9.20-19.gce57bb5.noarch.rpm
ep-branding-ASG-ang-9.20-19.gce57bb5.noarch.rpm
ep-branding-ASG-asg-9.20-19.gce57bb5.noarch.rpm
ep-branding-ASG-atg-9.20-19.gce57bb5.noarch.rpm
ep-branding-ASG-aug-9.20-19.gce57bb5.noarch.rpm
ep-confd-9.20-605.gc56416c.i686.rpm
ep-confd-tools-9.20-554.g19d0413.i686.rpm
ep-endpoint-0.5-0.178898192.g2e0921c.i686.rpm
ep-epsecd-9.20-12.g081e6a1.i686.rpm
ep-ha-9.20-11.g60985a0.i686.rpm
ep-hardware-9.20-60.g5922884.i686.rpm
ep-hotspot-web-9.20-24.g1c108ac.i686.rpm
ep-init-9.20-22.gfeb095a.noarch.rpm
ep-ipsctl-0.5-0.178020510.gde3ba1e.noarch.rpm
ep-localization-afg-9.20-19.g681ae06.i686.rpm
ep-localization-ang-9.20-19.g681ae06.i686.rpm
ep-localization-asg-9.20-19.g681ae06.i686.rpm
ep-localization-atg-9.20-19.g681ae06.i686.rpm
ep-localization-aug-9.20-19.g681ae06.i686.rpm
ep-logging-9.20-6.ge357bb6.i686.rpm
ep-mdw-9.20-401.g88c863e.i686.rpm
ep-p0f-9.20-12.g55b53f9.noarch.rpm
ep-red-9.20-30.gdd1601b.rb1.i686.rpm
ep-repctl-0.1-0.182346498.gc0c4f6f.i686.rpm
ep-up2date-9.20-6.g9d405f7.i686.rpm
ep-up2date-downloader-9.20-6.g9d405f7.i686.rpm
ep-up2date-pattern-install-9.20-6.g9d405f7.i686.rpm
ep-up2date-system-install-9.20-6.g9d405f7.i686.rpm
ep-webadmin-9.20-575.gd71df65.i686.rpm
ep-webadmin-contentmanager-9.20-65.ga00a27d.i686.rpm
ep-chroot-dhcps-9.20-5.g1f3cb0c.noarch.rpm
ep-chroot-smtp-9.20-202.g8f44f53.i686.rpm
chroot-ppp-2.4.6-10.g103a4b0.i686.rpm
chroot-pppoe-2.4.6-10.g103a4b0.i686.rpm
chroot-reverseproxy-2.4.4-395.ga058b67.i686.rpm
ep-chroot-pop3-9.20-5.g88d1bb0.i686.rpm
ep-httpproxy-9.20-217.gb496dea.i686.rpm
kernel-smp-3.8.13.27-44.ga69a590.i686.rpm
kernel-smp64-3.8.13.27-44.ga69a590.x86_64.rpm
ep-release-9.210-20.noarch.rpm

This thread was automatically locked due to age.

Parents

0 Gerken over 10 years ago

With this Update I often get the message "TLS error on connection from ..." and "TLS client disconnected cleanly (rejected our certificate?)". I have to add sender in the Skip TLS negotiation hosts/nets List.

Any Idea?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Gerken over 10 years ago

With this Update I often get the message "TLS error on connection from ..." and "TLS client disconnected cleanly (rejected our certificate?)". I have to add sender in the Skip TLS negotiation hosts/nets List.

Any Idea?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 jlan over 10 years ago in reply to Gerken

With this Update I often get the message "TLS error on connection from ..." and "TLS client disconnected cleanly (rejected our certificate?)". I have to add sender in the Skip TLS negotiation hosts/nets List.

Any Idea?

same problem here ... [:S]

2014:12:02-16:16:42 utm-1 exim-in[6625]: 2014-12-02 16:16:42 TLS error on connection from mail.... (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

I restored the original exim.conf without tls1.2 modification and without the ssl v3 modification -> works again with tls1.1 and ssl3
Cancel
Vote Up 0 Vote Down

Cancel
0 ondrej.holas over 10 years ago in reply to jlan
same problem here ... [:S]

2014:12:02-16:16:42 utm-1 exim-in[6625]: 2014-12-02 16:16:42 TLS error on connection from mail.... (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

I restored the original exim.conf without tls1.2 modification and without the ssl v3 modification -> works again with tls1.1 and ssl3

After update to 9.210 the POP3 proxy gives the same error (no shared cipher) with POP3 clients that do not support TLS 1.2 (for example Outlook 2007 @ Vista).

The problem is caused by the fix 33516, which adds !SSLv3 to ciphers in pop3proxy.conf (manual fix for pre-9.210 is described here: The SSL v3.0 CBC (Poodle) vulnerability: affected versions, recommended steps and workarounds).

Although this configuration change is effective against POODLE attack, it disables TLS 1.0 along with SSL 3.0, since !SSLv3 in cipher list removes all CIPHER SUITES associated with SSL 3.0 (which are used by TLS 1.0 as well) from cipher suite negotiation, instead of disabling PROTOCOL by its version (3.0). As a result, only TLS 1.2 is negotiable:

$ openssl ciphers -v RC4:HIGH:\!MD5:\!aNULL:\!EDH:\!SSLv3
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256

To be exact, openssl code, when configured this way, still allows both SSL 3.0 and TLS 1.0 (both protocols are supported and responded by the client-facing side of POP3 proxy), but neither have negotiable cipher suite. Unlike SMTP (exim), the POP3 proxy does not seem to include that openssl_options config value for properly disabling protocol by its version.

As a quick fix to make POP3 TLS 1.0 clients work again, revert the changes done by the fix 33516 - remove ":!SSLv3" from pop3proxy.conf and pop3proxy.conf-default (see original KB article: The SSL v3.0 CBC (Poodle) vulnerability: affected versions, recommended steps and workarounds). Hoping that we'll see new config option for SSL/TLS protocol version control in future update.

Rgds,

Ondrej
Cancel
Vote Up 0 Vote Down

Cancel
0 jlan over 10 years ago in reply to ondrej.holas

thats why the 9.208 version of exim.conf works ...

the 9.210 (with value,too) gives us just many, many denied smtp connections and angry customers !

anyone with 9.3xx having similar problems ?
Cancel
Vote Up 0 Vote Down

Cancel