Today, I implemented the suggestions from Sophos KB 121509 regarding POODLE. I noticed from the logs that this causes a lot of incoming mail to fail with
SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
So it seems that a lot of mail servers out there do not support decent ciphers. In most cases, they should fall back to cleartext - but is that what we want? The way I understand POODLE, a lot of spurious connections are initiated from an attacked client in order to slowly leak internal information (e.g. HTTP cookies) byte by byte, whereas "legitimate" transmissions are - essentially - not affected. While I don't see how the HTTP scenario translates well to SMTP (could an attacker cause a client to try to send many mails with varying senders, say, to leak .... what? The subject?), it seems that a lot of "slightly" broken TLS-secured email is downgraded to complete clear text by the countermeasures.
Of course it would be best if the mail servers "out there" implemented at least some acceptable ciphers. But I'm afraid that (especially once 9.209 is rolled out) more mails are exposed in clear than would be necessary.
I also just noticed that some mails simply fail *without* fallback to cleartext, namely if the senders want to enforce TLS and don't find a common cipher; examples I stumbled upon are startssl.com and commerzbank.com (of course it's a shame for a CA and a bank to still be POODLE-vulnerable, but ...)
Any thoughts on this? Could it be recommended to keep SSLv3 alive for SMTP?
Thanks,
Hagen
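To put numbers on the two outcomes described in the post above (fallback to cleartext versus no delivery at all when the sender enforces TLS), a log summary along these lines can help. This is an added example, not part of the original post; the log format, event names and host names are constructed and hypothetical, so the regular expression must be adapted to the real mail log.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified, hypothetical format;
# a real MTA log will look different.
SAMPLE_LOG = """\
2014-11-03T09:00:01 tls_error host=mx1.example.org msg="SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher"
2014-11-03T09:00:03 accepted host=mx1.example.org tls=none
2014-11-03T09:05:10 tls_error host=mx.strict.example msg="SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher"
2014-11-03T09:06:00 accepted host=mx.modern.example tls=TLSv1.2
2014-11-03T09:07:30 tls_error host=mx2.example.net msg="SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher"
2014-11-03T09:07:33 accepted host=mx2.example.net tls=none
2014-11-03T09:09:00 accepted host=mx.plain.example tls=none
"""

LINE = re.compile(r'^(?P<ts>\S+) (?P<event>\S+) host=(?P<host>\S+) (?P<rest>.*)$')

def classify(log_text):
    """Return {host: outcome} for every host that hit 'no shared cipher'.

    'cleartext_fallback': the host later delivered without TLS.
    'tls_after_retry':    the host later delivered with TLS.
    'no_delivery':        no later delivery seen (sender may enforce TLS).
    """
    failed = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        host, event, rest = m["host"], m["event"], m["rest"]
        if event == "tls_error" and "no shared cipher" in rest:
            failed.setdefault(host, "no_delivery")
        elif event == "accepted" and host in failed:
            failed[host] = ("cleartext_fallback" if "tls=none" in rest
                            else "tls_after_retry")
    return failed

def summarize(outcomes):
    """Count hosts per outcome."""
    counts = defaultdict(int)
    for outcome in outcomes.values():
        counts[outcome] += 1
    return dict(counts)

if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    for host, outcome in sorted(result.items()):
        print(f"{host:20} {outcome}")
    print(summarize(result))
```

Hosts that stay in `no_delivery` are the ones to review individually; hosts in `cleartext_fallback` show how much mail lost transport encryption after the cipher change.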