Poodle and Kolab

hede kolab983 at der-he.de
Thu Oct 23 12:03:03 CEST 2014


Am Thu, 23 Oct 2014 12:41:55 +0400 schrieb dsp3 <info at dsp3.org>:

> > Well, while limiting ciphers maybe is an additional security option to
> > limit ssl/tls to strong encryptiom, this list seems not sufficient to
> > limit OpenSSL to TLS and not using SSLv3.
> 
> You can see the test results of an Apache/Openssl server with the listed 
> ciphers here:
> https://www.ssllabs.com/ssltest/analyze.html?d=testbit.eu
> "This server is not vulnerable to the POODLE attack because it doesn't 
> support SSL 3"

Maybe you have disabled SSLv3 somewhere else. I haven't set any manual SSLCipherSuite, but SSLv3 is disabled via:
SSLProtocol All -SSLv2 -SSLv3

If I enable SSLv3 and set your cipher suite:
SSLProtocol All -SSLv2
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS

... then I can connect via SSLv3. Therefore also with apache this ciphers are not sufficient to prevent from poodle. 

At least it's working that way here with apache 2.2 from the kolab 3.2 repository for debian 7. Maybe newer (or other) versions automatically disable SSLv3 in any kind.

Btw: It's not the latest apache for debian 7, debian has updated its v2.2 some time ago. I'll try to switch to the debian version because kolab 3.2 won't get updated any more!? And I'm still not able to upgrade to kolab 3.3 :-(
(have to find out if it's possible to switch if I go without 389ds-admin...)

> EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!LOW:!RC4:!MD5:!EXP:!PSK:!SRP:!DSS
> 
> If someone tests it with imapd, I'd be interested to see whether or not 
> ssl3 is actually excluded. However, the more elegant solution is 
> certainly to wait for a patched cyrus2.5.

I have done that and ssl3 is still usable. With both, cyrus and apache. At least for me...

regards 
hede


More information about the users mailing list