1 (edited by hawk82 2015-01-31 08:51:38)

Topic: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

==== Required information ====
- iRedMail version: 0.9.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: CentOS 6.6
- Related log if you're reporting an issue: SSLv3
====

Just as an FYI:

I just stood up a new CentOS 6.6 minimal VM and then installed iRedMail and let it grab all necessary packages via Yum. The iRedMail installer script doesn't turn off SSLv3 on Apache when it installs and configures SSL. I had to manually edit /etc/httpd/conf.d/ssl.conf to turn off SSLv3 to prevent the Poodle attack. Postfix and Dovecot seemed to be already secured against the Poodle attack.

https://disablessl3.com/ for more info.

2

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

Do you have 'SSLProtocol all -SSLv2 -SSLv3' in /etc/httpd/conf/httpd.conf?

3 (edited by hawk82 2015-02-01 01:07:39)

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

What I am saying is that the default iRedMail installation script does not disable SSLv3 in the ssl.conf file when it installs Apache, which it should do to protect from the Poodle attack.

4

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

Sorry about the confusion. What I am saying is iRedMail has this setting in /etc/httpd/conf/httpd.conf by default.

5

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

Well, it doesn't work. I checked online here first:
https://www.poodlescan.com/

It said my server was vulnerable. I found the necessary line in the ssl.conf file, edited it, and re-scanned; this time it reported that my server was not vulnerable.

6

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

That's interesting. I have 'SSLProtocol all -SSLv2 -SSLv3' in /etc/httpd/conf/httpd.conf and don't have it in any other Apache config files, and https://www.poodlescan.com/ reports:

* This server does NOT support the SSL v3 protocol.
* This server does NOT support the SSL v2 protocol.

# pwd
/etc/httpd

# grep -r 'SSLProtocol' *
conf/httpd.conf:SSLProtocol all -SSLv2 -SSLv3           # <- just this file
conf.d/ssl.conf:#SSLProtocol all -SSLv2 -SSLv3
conf.d/ssl.conf.2012.05.20.00.49.15:SSLProtocol all -SSLv2
Binary file modules/mod_ssl.so matches

Tested with 2 other online poodle scanners, all report 'not vulnerable to POODLE'.

I see https://www.poodlescan.com/ mentions that the scan result will be cached for some minutes, so could you please try again after waiting for the cache to expire?

7

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

ZhangHuangbin wrote:

That's interesting. I have 'SSLProtocol all -SSLv2 -SSLv3' in /etc/httpd/conf/httpd.conf and don't have it in any other Apache config files, and https://www.poodlescan.com/ reports:

* This server does NOT support the SSL v3 protocol.
* This server does NOT support the SSL v2 protocol.

# pwd
/etc/httpd

# grep -r 'SSLProtocol' *
conf/httpd.conf:SSLProtocol all -SSLv2 -SSLv3           # <- just this file
conf.d/ssl.conf:#SSLProtocol all -SSLv2 -SSLv3
conf.d/ssl.conf.2012.05.20.00.49.15:SSLProtocol all -SSLv2
Binary file modules/mod_ssl.so matches

Tested with 2 other online poodle scanners, all report 'not vulnerable to POODLE'.

I see https://www.poodlescan.com/ mentions that the scan result will be cached for some minutes, so could you please try again after waiting for the cache to expire?

I'm guessing that because ssl.conf is loaded later, it overrides the initial one, so SSLv3 is allowed again. Just remove the line in ssl.conf to remedy this [if the correct line exists within httpd/apache.conf].

8

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

Looks like it's a bug in iRedMail-0.9.0: it doesn't comment out (or remove) the 'SSLProtocol' line in ssl.conf. I will fix it later.
Thanks for your feedback.

9

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

ZhangHuangbin wrote:

Looks like it's a bug in iRedMail-0.9.0: it doesn't comment out (or remove) the 'SSLProtocol' line in ssl.conf. I will fix it later.
Thanks for your feedback.

I'd say it's more of a CentOS repository issue, in that they ship it with that config; iRedMail shouldn't have to add workarounds for security holes. It is nice that it does, though.

10

Re: Apache config w/ iRedMail-0.9.0 still vulnerable to Poodle attack

I double-checked the Apache config files on RHEL/CentOS 6 and 7, and the default iRedMail setting should be fine.

In /etc/httpd/conf/httpd.conf, we have the settings below:

# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf

# Disable SSLv3
SSLProtocol all -SSLv2 -SSLv3

As you can see, all files under /etc/httpd/conf.d/ will be read before the 'SSLProtocol' line added by iRedMail, so SSLProtocol will already be set to 'all -SSLv2 -SSLv3'.
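Posts 7 and 10 disagree about which SSLProtocol directive wins when httpd.conf and conf.d/ssl.conf both carry one. File order is only half of the answer: in mod_ssl a directive placed inside a <VirtualHost> block is merged over the server-wide value for that virtual host, whichever file was read first, so a check has to track scope, not just grep for the line. The script below is an added example, not code from this thread or from the iRedMail project. It evaluates SSLProtocol arguments the way mod_ssl parses them (a bare keyword replaces the set, "+X" adds, "-X" removes), walks config files while tracking <VirtualHost> scope, and reports the set a given vhost ends up with. The config tree it builds under mktemp is constructed to mirror the situation described here (server-wide line at the end of httpd.conf, a vhost-level "all -SSLv2" in ssl.conf) and is not copied from any real installation; the expansion of "all" is modelled on httpd 2.2 as shipped with CentOS 6 and is an assumption to adjust for other builds.

```shell
#!/bin/sh
# Added example (not from the thread or iRedMail): resolve which SSLProtocol
# directive Apache actually applies for a virtual host, tracking <VirtualHost>
# scope instead of relying on the order files are read.

# What "all" expands to. Assumption: httpd 2.2 as shipped with CentOS 6.
# httpd 2.4 would be "SSLv3 TLSv1 TLSv1.1 TLSv1.2"; adjust for your build.
ALL_PROTOCOLS="SSLv2 SSLv3 TLSv1"

set_add() { case " $enabled " in *" $1 "*) ;; *) enabled="${enabled:+$enabled }$1" ;; esac; }
set_del() {
    kept=""
    for p in $enabled; do [ "$p" = "$1" ] || kept="${kept:+$kept }$p"; done
    enabled=$kept
}

# ssl_protocol_set WORD... : apply SSLProtocol arguments as mod_ssl parses
# them: a bare keyword replaces the set, +X adds X, -X removes X.
# Prints the enabled protocols, space-separated.
ssl_protocol_set() {
    enabled=""
    for w in "$@"; do
        action=replace
        case "$w" in
            +*) action=add; w=${w#+} ;;
            -*) action=del; w=${w#-} ;;
        esac
        case "$w" in [Aa][Ll][Ll]) names=$ALL_PROTOCOLS ;; *) names=$w ;; esac
        case "$action" in
            replace) enabled=$names ;;
            add) for x in $names; do set_add "$x"; done ;;
            del) for x in $names; do set_del "$x"; done ;;
        esac
    done
    printf '%s\n' "$enabled"
}

# allows_sslv3 "PROTOCOLS" : succeeds if SSLv3 is in the set.
allows_sslv3() { case " $1 " in *" SSLv3 "*) return 0 ;; esac; return 1; }

# report_sslprotocol FILE... : every active SSLProtocol line with its scope
# ("global" or the <VirtualHost> argument) and the resulting protocol set,
# one "FILE|LINE|SCOPE|PROTOCOLS" record per directive. Directive names are
# matched in canonical case only; Include lines are not followed, so pass
# the files in the order Apache reads them.
report_sslprotocol() {
    for f in "$@"; do
        scope=global; n=0
        while read -r line || [ -n "$line" ]; do   # read strips indentation
            n=$((n + 1))
            case "$line" in
                \#*) ;;
                "<VirtualHost"*) scope=$(printf '%s\n' "$line" | sed 's/^<VirtualHost[[:space:]]*//; s/>.*$//') ;;
                "</VirtualHost"*) scope=global ;;
                SSLProtocol[[:space:]]*)
                    printf '%s|%s|%s|%s\n' "$f" "$n" "$scope" "$(ssl_protocol_set ${line#SSLProtocol})" ;;
            esac
        done < "$f"
    done
}

# effective_protocols VHOST FILE... : the set mod_ssl ends up with for VHOST.
# A directive inside the matching <VirtualHost> overrides the server-wide
# value; otherwise the last server-wide directive applies.
effective_protocols() {
    vhost=$1; shift
    global_set=""; vhost_set=""; vhost_seen=0
    while IFS='|' read -r file ln scope protos; do
        [ -n "$file" ] || continue
        if [ "$scope" = global ]; then global_set=$protos
        elif [ "$scope" = "$vhost" ]; then vhost_set=$protos; vhost_seen=1; fi
    done <<EOF
$(report_sslprotocol "$@")
EOF
    if [ "$vhost_seen" = 1 ]; then printf '%s\n' "$vhost_set"; else printf '%s\n' "$global_set"; fi
}

# Constructed sample mirroring the thread: the server-wide line at the end of
# httpd.conf and a conf.d/ssl.conf whose SSLProtocol sits inside the default
# TLS virtual host. Not copied from any real installation.
build_sample() {
    mkdir -p "$1/conf" "$1/conf.d"
    cat > "$1/conf/httpd.conf" <<'EOF'
Include conf.d/*.conf
# Disable SSLv3
SSLProtocol all -SSLv2 -SSLv3
EOF
    cat > "$1/conf.d/ssl.conf" <<'EOF'
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
EOF
}

# check_sample : effective set for the default TLS vhost before and after the
# vhost-level line is commented out, printed as "BEFORE|AFTER".
check_sample() {
    dir=$(mktemp -d)
    build_sample "$dir"
    # Apache pulls in conf.d/*.conf at the Include line, i.e. before the
    # server-wide SSLProtocol that follows it in httpd.conf.
    before=$(effective_protocols _default_:443 "$dir/conf.d/ssl.conf" "$dir/conf/httpd.conf")
    sed -i 's/^\([[:space:]]*\)SSLProtocol/\1#SSLProtocol/' "$dir/conf.d/ssl.conf"
    after=$(effective_protocols _default_:443 "$dir/conf.d/ssl.conf" "$dir/conf/httpd.conf")
    rm -rf "$dir"
    printf '%s|%s\n' "$before" "$after"
}

printf 'default TLS vhost, before|after commenting out the vhost line: %s\n' "$(check_sample)"
```

On the constructed tree the vhost keeps "SSLv3 TLSv1" even though the server-wide line already says "all -SSLv2 -SSLv3"; only once the vhost-level directive is commented out does the server-wide "TLSv1" apply. To use it on a live box, run report_sslprotocol over /etc/httpd/conf/httpd.conf and the conf.d files in the order they are included, and confirm the result from outside with an SSLv3-only handshake attempt against port 443.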