Mitigating Poodle SSLv3 vulnerability

A new vulnerability was announced in the archaic SSLv3 protocol. You can defend your server by disabling the SSLv3 protocol. But keep in mind that, according to rumors, Windows XP with IE6 still uses it too, so disabling SSLv3 basically means cutting off old WinXP users from your services.

At the bottom of the page you can also find tips for disabling SSLv3 in Firefox and Chrome.


Disabling SSLv3

apache

Add/modify the line in /etc/httpd/conf.d/ssl.conf so it looks like this:

SSLProtocol all -SSLv2 -SSLv3

restart apache:

service httpd restart

postfix

Add to file /etc/postfix/main.cf:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

restart postfix:

service postfix restart

dovecot before v2.1

to get the dovecot version use:

[root@vps dovecot]# dovecot --version
2.0.9

File /etc/dovecot/conf.d/10-ssl.conf, add/modify line:

ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3

dovecot v 2.1 and newer

File /etc/dovecot/dovecot.conf, add/modify line:

ssl_protocols = !SSLv2 !SSLv3

restart dovecot:

service dovecot restart
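After restarting the services it is worth verifying from the outside that SSLv3 really is gone. Modern OpenSSL builds are compiled without SSLv3, so `openssl s_client -ssl3` is often not available; the following added example (not from the original post) sends a raw SSL 3.0 ClientHello and reports whether the server answers with an SSLv3 ServerHello (still vulnerable), an alert (SSLv3 refused), or nothing. Host, port and the probe's constant client_random are assumptions for illustration.

```python
import socket
import struct

# Common SSLv3 cipher suites: AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5
SSLV3_SUITES = b"\x00\x2f\x00\x35\x00\x0a\x00\x05\x00\x04"


def build_sslv3_client_hello():
    """Build a minimal SSL 3.0 ClientHello record (no extensions)."""
    body = (
        b"\x03\x00"                                  # client_version = SSL 3.0
        + bytes(32)                                  # client_random (constant, probe only)
        + b"\x00"                                    # session_id length = 0
        + struct.pack("!H", len(SSLV3_SUITES)) + SSLV3_SUITES
        + b"\x01\x00"                                # one compression method: null
    )
    # Handshake header: type 0x01 (ClientHello) + 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 0x16 (handshake), version 3.0, 16-bit length
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record the server sends back."""
    if len(data) < 5:
        return "no_response"          # closed or silent: SSLv3 not offered
    ctype, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if ctype == 0x16 and len(data) >= 6 and data[5] == 0x02 and (major, minor) == (3, 0):
        return "sslv3_accepted"       # ServerHello at SSL 3.0: still vulnerable
    if ctype == 0x15:
        return "alert"                # handshake_failure / protocol_version: refused
    return "unknown"


def probe(host, port=443, timeout=5):
    """Return the classification of HOST's reply to an SSLv3 ClientHello."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, OSError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    # Assumed target; a correctly configured server yields "alert" or "no_response".
    print(probe("localhost", 443))
</test>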


Firefox

In the URL bar, type about:config, search for security.tls.version.min and set the value to 1.


Chrome

Unlike in FF, you can't set it permanently somewhere in the configuration, so you have to start Chrome every time with the parameter --ssl-version-min=tls1

Heartbleed can be exploited to steal private keys – CONFIRMED!

New interesting info was released regarding the Heartbleed OpenSSL vulnerability. The company CloudFlare (cloudflare.com) announced a competition on April 11th to find out whether private SSL keys can be stolen from a vulnerable server using the Heartbleed vulnerability. And indeed, by April 12th, 4 independent researchers proved that they were able to steal the private key from the vulnerable server.
This is final evidence that, under some circumstances, the Heartbleed vulnerability can be abused to get private keys from a server.

More info here and my original Heartbleed post here

OpenSSL heartbleed bug

A new vulnerability in the widely used OpenSSL was detected. The vulnerability is known as the Heartbleed bug. OpenSSL 1.0.1 before 1.0.1g is vulnerable. Thanks to the good work of people at RedHat (special thanks go to Tomas Mraz, Senior programmer at RedHat) and the CentOS community, a quick workaround was published for the commonly used OpenSSL 1.0.1e. We are looking forward to the release of OpenSSL 1.0.1g.

Don't hesitate to patch your servers...