Securing Baruwa against POODLE SSLv3 vulnerability

Securing Baruwa against POODLE SSLv3 vulnerability

Andrew Colin Kissa
Administrator
Hi All,

Please refer to our post - http://bit.ly/1sOt64S

- Andrew

_______________________________________________
http://pledgie.com/campaigns/12056

--
Baruwa - www.baruwa.org

Re: Securing Baruwa against POODLE SSLv3 vulnerability

jvangent
Hi there,

This works on the Enterprise version; it does not work on the community version. I am using a compiled version of exim 4.82 with the following features enabled:

Exim version 4.82 #19 built 17-Oct-2014 12:34:05
Copyright (c) University of Cambridge, 1995 - 2013
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2013
Berkeley DB: Berkeley DB 4.8.30: (April  9, 2010)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc OpenSSL move_frozen_messages Content_Scanning DKIM Old_Demime Experimental_SPF Experimental_TPDA
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /etc/exim4/exim4.conf


However, including both TLSv1.2+HIGH and !SSLv3 leads to exim refusing to start up:

2014-10-17 14:43:19 Exim configuration error:
  tls_require_ciphers invalid: SSL_CTX_set_cipher_list(TLSv1.2+HIGH:TLSv1+HIGH:!SSLv2:!SSLv3:RC4+MEDIUM:!aNULL:!eNULL:!3DES:!MD5:!PSK:!KRB5:@STRENGTH) failed
 * Warning! Invalid configuration file for exim4. Exiting....            [fail]

So I cannot disable sslv3. Any ideas? Am I missing something, or using some outdated openssl library?



________________________________________
From: [hidden email] <[hidden email]> on behalf of Andrew Colin Kissa <[hidden email]>
Sent: Friday 17 October 2014 06:34
To: Baruwa users list
Subject: [Baruwa] Securing Baruwa against POODLE SSLv3 vulnerability

Hi All,

Please refer to our post - http://bit.ly/1sOt64S

- Andrew

_______________________________________________
http://pledgie.com/campaigns/12056

Re: Securing Baruwa against POODLE SSLv3 vulnerability

jvangent
In reply to this post by Andrew Colin Kissa
Never mind my previous message, Ubuntu 12.04 is using openssl 1.0.1, I have compiled 1.0.1j and now it is working.
________________________________________
From: [hidden email] <[hidden email]> on behalf of Andrew Colin Kissa <[hidden email]>
Sent: Friday 17 October 2014 06:34
To: Baruwa users list
Subject: [Baruwa] Securing Baruwa against POODLE SSLv3 vulnerability

Hi All,

Please refer to our post - http://bit.ly/1sOt64S

- Andrew

_______________________________________________
http://pledgie.com/campaigns/12056
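
Added example, not part of the original posts and not Baruwa or Exim code: SSL_CTX_set_cipher_list fails when a cipher string leaves no usable cipher suite, so this sketch applies the tokens of the rejected tls_require_ciphers string one at a time and reports where the list becomes empty. It assumes the Python interpreter is linked against the same OpenSSL build as Exim; the function names are illustrative.

```python
import re
import ssl

# Error line as quoted in the thread above.
LOG_LINE = ("tls_require_ciphers invalid: SSL_CTX_set_cipher_list("
            "TLSv1.2+HIGH:TLSv1+HIGH:!SSLv2:!SSLv3:RC4+MEDIUM:!aNULL:!eNULL:"
            "!3DES:!MD5:!PSK:!KRB5:@STRENGTH) failed")


def extract_cipher_list(line):
    """Return the string Exim passed to SSL_CTX_set_cipher_list, or None."""
    m = re.search(r"SSL_CTX_set_cipher_list\(([^)]*)\)", line)
    return m.group(1) if m else None


def try_cipher_list(cipher_list):
    """Ask the OpenSSL linked into Python whether it accepts the string.

    Returns (accepted, suite_names). TLS 1.3 suites are left out because
    cipher strings of this kind do not control them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:  # raised when no cipher suite can be selected
        return False, []
    return True, [c["name"] for c in ctx.get_ciphers()
                  if c["protocol"] != "TLSv1.3"]


def trace(cipher_list):
    """Apply tokens cumulatively; return [(token, accepted, suite_count)]."""
    rows, prefix = [], []
    for token in cipher_list.split(":"):
        prefix.append(token)
        ok, suites = try_cipher_list(":".join(prefix))
        rows.append((token, ok, len(suites)))
    return rows


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    # In a cipher string, "!SSLv3" removes the cipher suites introduced with
    # SSLv3, which TLS 1.0 and 1.1 also use, so on a library that offers no
    # TLS 1.2 suites it can leave the list empty.
    for token, ok, count in trace(extract_cipher_list(LOG_LINE)):
        print(f"{token:<14} {'ok' if ok else 'REJECTED':<9} {count} suites")
```

A row marked REJECTED shows the first point at which the local library would refuse the string; the printed OpenSSL version shows which library answered.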