How to close CVE-2014-3566 (POODLE) exploit on Qmail server in POA
Original Publishing Date:
2020-01-22
Symptoms
How to close the CVE-2014-3566 vulnerability on a Qmail server in the POA infrastructure?
Cause
SSLv3 cannot be switched off through any configuration file.
Resolution
To disable SSLv3 on the Courier IMAP/POP3 service, the following request to PA development has been created: POA-88755
As a temporary workaround, modify the init script for courier-imap (the change is shown below as a diff between the original script and the modified copy):
[root@qmail ~]# diff /etc/init.d/courier-imap /etc/init.d/courier-imap.modif
41c41,44
< TLS_CERTFILE=$CERT_ROOT/pop3d.pem \
---
> TLS_CERTFILE=$CERT_ROOT/pop3d.pem \
> TLS_PROTOCOL=TLS1 \
> TLS_STARTTLS_PROTOCOL=TLS1 \
> TLS_CIPHER_LIST="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:@STRENGTH" \
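Review bot: TLS_PROTOCOL=TLS1 and TLS_STARTTLS_PROTOCOL=TLS1 in this hunk name one protocol version rather than a minimum, so if Courier treats TLS1 as "TLS 1.0 only" the change shuts out TLS 1.1 and TLS 1.2 clients along with SSLv3; the verification further down only tries `openssl s_client -tls1`, so also confirm that `-tls1_2` still connects and that `-ssl3` is refused before rolling this out. The cipher list also keeps `ECDH+3DES:DH+3DES:RSA+3DES` and the non-PFS `RSA+AES` suites; if the POP3 clients in use allow it, drop the 3DES entries.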
50a54,56
> TLS_PROTOCOL=TLS1 \
> TLS_STARTTLS_PROTOCOL=TLS1 \
> TLS_CIPHER_LIST="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS:@STRENGTH" \
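Review bot: these three lines repeat verbatim the TLS_CIPHER_LIST that hunk 41c41,44 already adds for pop3d; define the string once near the top of the script (for example `COURIER_CIPHERS="..."`) and use `TLS_CIPHER_LIST="$COURIER_CIPHERS" \` in both places so a future cipher change cannot leave the two daemons out of sync. Unlike the first hunk this one carries no context line, so check that the lines were appended inside the imapd invocation after line 50 and that the line they follow ends with a trailing backslash, otherwise the variables are not passed to the daemon.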
With this modification an SSLv3 connection is no longer possible, while TLS1 still works:
[root@qmail ~]# openssl s_client -tls1 -connect 203.0.113.2:995
CONNECTED(00000003)
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
[root@qmail ~]# openssl s_client -tls1 -connect 203.0.113.2:993
CONNECTED(00000003)
depth=2 /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
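A check script for the result, as an added example that is not part of the original article: it probes both ports with several protocol flags, expects SSLv3 to be refused and TLS to be accepted, and tells a refused handshake apart from a probe run with an OpenSSL build that no longer has the -ssl3 option. The host 203.0.113.2 and ports 993/995 come from the article; the function names and the expected-result matrix are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: after applying the init-script
# workaround, probe the Courier IMAPS/POP3S ports and confirm that SSLv3 is refused
# while TLS 1.0 (the only version the article tested) and newer TLS still negotiate.
# HOST defaults to the article's 203.0.113.2; override it for your own server.
HOST="${HOST:-203.0.113.2}"

# classify: read `openssl s_client` output on stdin and print one word.
#   accepted    a cipher was negotiated ("New, TLSv1/SSLv3, Cipher is AES256-SHA")
#   refused     the server rejected the handshake ("New, (NONE), Cipher is (NONE)")
#   unsupported the local openssl lacks that protocol flag (modern builds have no
#               -ssl3), so the probe says nothing about the server
classify() {
    out=$(tr 'A-Z' 'a-z')          # lower-case: "unknown option" vs "Unknown option"
    case "$out" in
        *"unknown option"*)   echo unsupported ;;
        *"cipher is (none)"*) echo refused ;;
        *"cipher is "*)       echo accepted ;;
        *)                    echo refused ;;
    esac
}

# probe PORT FLAG: one handshake attempt, e.g. `probe 995 -ssl3`. </dev/null ends the
# session right after the handshake; 2>&1 keeps the alert text for classify.
probe() {
    openssl s_client "$2" -connect "$HOST:$1" </dev/null 2>&1
}

# expect PORT FLAG WANT: print a result line; return 0 only when WANT was observed.
expect() {
    got=$(probe "$1" "$2" | classify)
    verdict=FAIL; [ "$got" = "$3" ] && verdict=OK
    printf '%s %-8s want=%-8s got=%-11s %s\n' "$1" "$2" "$3" "$got" "$verdict"
    [ "$got" = "$3" ]
}

# check_poodle_fixed: the full matrix for both ports; nonzero if anything is off.
check_poodle_fixed() {
    rc=0
    for port in 993 995; do
        expect "$port" -ssl3   refused  || rc=1   # CVE-2014-3566: must be refused
        expect "$port" -tls1   accepted || rc=1   # what the article verified
        expect "$port" -tls1_2 accepted || rc=1   # TLS1 must not pin TLS 1.0 only
    done
    return $rc
}

if [ "${1:-}" = run ]; then check_poodle_fixed; fi
```

Run it as `sh poodle_check.sh run` from a machine whose OpenSSL still supports -ssl3; an `unsupported` result for -ssl3 means the probe could not test the server at all and must be repeated from an older client.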
Also, please note that there is no exploit for non-browser services such as courier-imap or proftpd.
Please refer to the following article to disable SSLv3 on other services.