
Article ID: 123294, created on Oct 27, 2014, last review on Apr 24, 2016

Applies to:
  • Operations Automation 6.0
  • Operations Automation 5.5
  • Operations Automation 5.4

Symptoms

How can the CVE-2014-3566 vulnerability be closed on a Qmail server in the POA infrastructure?

Cause

SSLv3 cannot be switched off by modifying a configuration file.

Resolution

To disable SSLv3 on the Courier IMAP/POP3 service, the following request to PA development has been created:

POA-88755

A temporary workaround is to modify the init script for courier-imap:

[root@qmail ~]# diff /etc/init.d/courier-imap /etc/init.d/courier-imap.modif
41c41,44
<       TLS_CERTFILE=$CERT_ROOT/pop3d.pem \
---
>       TLS_CERTFILE=$CERT_ROOT/pop3d.pem  \
>       TLS_PROTOCOL=TLS1 \
>       TLS_STARTTLS_PROTOCOL=TLS1 \
>       TLS_CIPHER_LIST="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:@STRENGTH" \
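Review bot: the article only verifies this hunk with `openssl s_client -tls1`; before rolling it out, also confirm that `-ssl3` is refused on 995/993 and check whether `-tls1_1` and `-tls1_2` clients are still accepted, because `TLS_PROTOCOL=TLS1` and `TLS_STARTTLS_PROTOCOL=TLS1` name a single protocol and the page does not show what happens to newer TLS versions. The first changed line (`TLS_CERTFILE=$CERT_ROOT/pop3d.pem  \`) differs from the original only by an extra space and should be dropped from the diff as noise.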
50a54,56
>         TLS_PROTOCOL=TLS1 \
>         TLS_STARTTLS_PROTOCOL=TLS1 \
>         TLS_CIPHER_LIST="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:@STRENGTH" \
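Review bot: the three added lines repeat the `TLS_PROTOCOL`, `TLS_STARTTLS_PROTOCOL` and `TLS_CIPHER_LIST` values from the 41c41,44 hunk verbatim; define them once near the top of the script (for example in a `COURIER_TLS_CIPHER_LIST` variable) and reference that in both daemon blocks so the two settings cannot drift apart. Since this edits the packaged init script, the change is lost on the next courier-imap package update; that caveat belongs next to the POA-88755 reference.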

With this modification, an SSLv3 connection becomes impossible, but TLS1 still works:

[root@qmail ~]# openssl s_client -tls1 -connect 203.0.113.2:995
CONNECTED(00000003)
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0

[root@qmail ~]# openssl s_client -tls1 -connect 203.0.113.2:993
CONNECTED(00000003)
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
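The check above only shows `-tls1` succeeding on 995 and 993. The script below, added here and not part of the KB article, runs the same `openssl s_client` probe for both `-ssl3` and `-tls1`, and also on the STARTTLS ports 110/143 that the `TLS_STARTTLS_PROTOCOL` setting governs; the target host is a parameter and `openssl s_client` is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the KB article): probe a Courier POP3/IMAP host after the
# init-script change and report whether each handshake is accepted. Covers the
# implicit-TLS ports 995/993 and STARTTLS on 110/143. Assumes openssl on PATH.
# Classify captured s_client output: accepted | rejected | unsupported.
# "unsupported" means the local openssl cannot speak that protocol at all
# (e.g. built without -ssl3), so the probe says nothing about the server.
classify_handshake() {
    if printf '%s\n' "$1" | grep -Eqi 'unknown option|unsupported protocol|no protocols available'; then
        echo unsupported
    elif printf '%s\n' "$1" | grep -Eq 'Cipher is \(NONE\)|handshake failure|wrong version number|alert protocol version'; then
        echo rejected
    elif printf '%s\n' "$1" | grep -Eq 'Cipher is [A-Z0-9]'; then
        echo accepted
    else
        echo rejected
    fi
}
# One handshake attempt: $1 host, $2 port, $3 protocol flag (-ssl3 or -tls1), $4 optional
# STARTTLS type (pop3/imap). </dev/null makes s_client exit right after the handshake.
probe() {
    if [ -n "${4:-}" ]; then
        out=$(openssl s_client "$3" -starttls "$4" -connect "$1:$2" </dev/null 2>&1)
    else
        out=$(openssl s_client "$3" -connect "$1:$2" </dev/null 2>&1)
    fi
    printf '%-5s port %-3s %-8s %s\n' "$3" "$2" "${4:-direct}" "$(classify_handshake "$out")"
}
# Expected after the fix: every -ssl3 row rejected, every -tls1 row accepted.
probe_host() {
    for proto in -ssl3 -tls1; do
        probe "$1" 995 "$proto"
        probe "$1" 993 "$proto"
        probe "$1" 110 "$proto" pop3
        probe "$1" 143 "$proto" imap
    done
}
# Constructed (abridged) s_client outputs used by the self-test; not real captures.
SAMPLE_TLS1_OK='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES256-SHA
Verify return code: 20 (unable to get local issuer certificate)'
SAMPLE_SSL3_REJECTED='CONNECTED(00000003)
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1262:
New, (NONE), Cipher is (NONE)'
SAMPLE_NO_SSL3='s_client: Unknown option: -ssl3'
# Run the live probe only when a host is given, e.g.: sh probe_courier.sh mail.example.com
if [ $# -gt 0 ]; then probe_host "$1"; fi
```

A row reported as "unsupported" for `-ssl3` means the probing machine's own openssl lacks SSLv3, so run the check from a host whose openssl still has it.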

Also, please note that there is no exploit for non-browser services like courier-imap or proftpd.

Please refer to the following article to disable SSLv3 on other services.

