SSL POODLE / SSLv3 bug

[UFHH01]

The mail client is Mail on iOS 7 and also Mail on the Mac (don't know specific version on Mac).

Anyone else tried secure POP/IMAP after applying the recommended changes?

Hi cmaxwell,

please update your phone and your Mac as well, with the latest cipher suites, because it seems, that both are out-of-date and not updated.

 

[UFHH01]

I'm still having issues after running the scripts to patch everything with NGINX on Port 7081

xxx.xxx.97.234:7081 - Vulnerable! SSLv3 connection established using SSLv3/DHE-RSA-AES256-SHA

I've tried modifying the nginx.conf file but still shows vulnerable.

Anyone have any ideas? Pulling my hair on this one.

Hello SpyderZ,

please check, that the suggested work-arounds are really completed ( check the nginx - files "nginxWebmailPartial.php" "server/nginxVhosts.php" "domain/nginxDomainVirtualHost.php" in your directory:

/usr/local/psa/admin/conf/templates/default/
( or if you used custom modifications in /usr/local/psa/admin/conf/templates/custom/ )

... and make sure, that you used the commands:

/usr/local/psa/admin/bin/httpdmng --reconfigure-all

service httpd restart
( or service apache2 restart )

service nginx restart

... after your modifications. Please DON'T edit the nginx.conf manually, because these modifications might get overriden ( please see the warning at the beginning of the config - file! ) in the future.

 

[cmaxwell]

Hi cmaxwell,

please update your phone and your Mac as well, with the latest cipher suites, because it seems, that both are out-of-date and not updated.

I have tested with other mail clients (eg Thunderbird 31.2.0, Mail 17.5 on Windows 8) and the problem is the same - mail on port 993 doesn't work after SSLv3 is disabled and the following error is logged in maillog:

Oct 19 07:59:49 nsxxxxxxxx courier-imaps: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Has anyone been able to get mail on port 993 working after implementing the recommended changes to Courier?

 

[UFHH01]

Could you please try to use this command over the command line: openssl s_client -connect localhost:993 -quiet

... and paste the output, to investigate issues/problems?

 

[cmaxwell]

Could you please try to use this command over the command line: openssl s_client -connect localhost:993 -quiet

... and paste the output, to investigate issues/problems?

Thanks for your reply.

Here's the output on our test server:

[root@nsxxxxxxxx ~]# openssl s_client -connect localhost:993 -quiet
depth=0 C = --, ST = France, L = Roubaix, O = OVH, OU = --, CN = nsxxxxxxxx.ip-198-100-147.net, emailAddress = [email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 C = --, ST = France, L = Roubaix, O = OVH, OU = --, CN = nsxxxxxxxx.ip-198-100-147.net, emailAddress = [email protected]
verify return:1
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 AUTH=PLAIN IDLE ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc.  See COPYING for distribution information.

 

[UFHH01]

Please upgrade your certificate as suggested:

First, please backup your existing certificates:

For qmail:

mkdir /root/certbackup
cp /var/qmail/control/servercert.pem /root/certbackup/qmail-servercert.pem
cp /usr/share/imapd.pem /root/certbackup/courier-imapd.pem
cp /usr/share/pop3d.pem /root/certbackup/courier-pop3d.pem


For postfix:

mkdir /root/certbackup
cp /etc/postfix/postfix_default.pem /root/certbackup/postfix_default.pem
cp /usr/share/imapd.pem /root/certbackup/courier-imapd.pem
cp /usr/share/pop3d.pem /root/certbackup/courier-pop3d.pem

Create a new certificate ( in this example for 3 years ):

mkdir /root/certnew
cd /root/certnew
openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -keyout newcert_date.pem -out newcert_date.pem

( You will be asked a few questions... as domain, please use YOURDOMAIN.COM , or your current eMail-server domain-name as defined in your configurations )

Copy the just created certificate to the locations:

For qmail:

cd /root/certnew
cp newcert_date.pem /var/qmail/control/servercert.pem
cp newcert_date.pem /usr/share/imapd.pem
cp newcert_date.pem /usr/share/pop3d.pem


For postfix:

cd /root/certnew
cp newcert_date.pem /etc/postfix/postfix_default.pem
cp newcert_date.pem /usr/share/imapd.pem
cp newcert_date.pem /usr/share/pop3d.pem

Please restart your services:

For qmail:

service qmail restart
service courier-imap restart
or
/etc/init.d/qmail restart
/etc/init.d/courier-imap restart

For postfix:

service postfix restart
service courier-imap restart
or
/etc/init.d/postfix restart
/etc/init.d/courier-imap restart

On some systems, the certificates are located in: /usr/share/courier-imap/ please adjust the above suggestion to this path, if this is the case on your system.


If you experience issues/problems, please provide log-entries and/or error-messages with your post and as well your operating system and your Plesk version ( incl. MU ), so an investigation​

 

[cmaxwell]

@UFHH01 Thanks for your suggestions. We have reissued the certificate but this had no effect - same errors in the log files as follows:

Oct 19 12:56:57 nsXXXXXXX courier-imaps: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

I've tested this on several different servers, all running Plesk 11.5.30 on CentOS 6 or RHEL6.

Has anyone else tested Secure POP/IMAP on port 993 after patching for POODLE?

 

[UFHH01]

Yes, cmaxwell.... I for example have made these changes on 25 servers so far and all was fine...

But back to your issue/problem:

The problem is either a not valid certificate, wrong permissions to the certs, or in some cases I read, that the path to the certificate in the IMAP - configuration just disappeared for unknown reasons, or was changed to the initial path, which is ( on Ubuntu 14.04 ) not the same as it seems to be for others.. Could you please check in your config files (either qmail or courier-imap ), that the patch to your certificates are correct?

courier-imap ( /etc/courier-imap/imapd-ssl ):
TLS_CERTFILE=/usr/share/imapd.pem

qmail ( /var/qmail/control/ ):
/var/qmail/control/servercert.pem > /var/qmail/control/servercert.pem

To avoid any problems, which you might have because of the different locations "/usr/share/" or "/usr/share/courier-imap/" you could as well make a new directory in "/etc/" named "courier-imap" and copy the two pem-files in this folder as well, to be sure, that both locations would work:

mkdir /usr/share/courier-imap
cp /usr/share/imapd.pem /usr/share/courier-imap/imapd.pem
cp /usr/share/pop3d.pem /usr/share/courier-imap/pop3d.pem

If you use dovecot, please be sure to edit the dovecot - config - file at /etc/dovecot/dovecot.conf and make sure, that the path to the just created certificates are correct:

...
ssl_cert = </usr/share/imapd.pem
ssl_key = </usr/share/imapd.pem

local mail.YOURDOMAIN.COM {
  protocol imap {
    ssl_cert = </usr/share/imapd.pem
    ssl_key = </usr/share/imapd.pem
  }

  protocol pop3 {
    ssl_cert = </usr/share/pop3d.pem
    ssl_key = </usr/share/pop3d.pem
  }
}

local imap.YOURDOMAIN.COM { 
   protocol imap {
    ssl_cert = </usr/share/imapd.pem
    ssl_key = </usr/share/imapd.pem
  }

  protocol pop3 {
    ssl_cert = </usr/share/pop3d.pem
    ssl_key = </usr/share/pop3d.pem
  }
}

local pop3.YOURDOMAIN.COM { 
  protocol imap {
    ssl_cert = </usr/share/imapd.pem
    ssl_key = </usr/share/imapd.pem
  }

  protocol pop3 {
    ssl_cert = </usr/share/pop3d.pem
    ssl_key = </usr/share/pop3d.pem
  }
}
...

Again... please choose the "correct" path on your system to either "/usr/share/" or "/usr/share/courier-imap/" !!!

 

[Dutchie]

@borisr, did you manage to patch port 8443?

I also still haven't found out how to patch Qmail port 465.

 

[cmaxwell]

Yes, cmaxwell.... I for example have made these changes on 25 servers so far and all was fine...

Thanks for your response and suggestions. We have checked all file paths, permissions and certificates and all are correct.

The only way we got this to work with mail clients is to modify the TLS_CIPHER_LIST value in /etc/courier-imap/imapd-ssl to the following (as per Bobcares article at http://bobcares.com/blog/protecting...ostfix-apache-nginx-dovecot-and-courier-imap/):

TLS_CIPHER_LIST="-ALL:-SSLv2:!ADH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:AES256-SHA:AES128-SHA:DES-CBC3-SHA"

If we change TLS_CIPHER_LIST back to the default as per the Parallels KB article (http://kb.odin.com/en/123160) no mail clients can connect to the server and the same error is logged in maillog (
couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher).

Can I ask what value are you using for TLS_CIPHER_LIST on your servers?

Chris

 

[vincenzo.t]

Hello,

I solved this problem simply change this value

TLS_PROTOCOL=SSL23

to

TLS_PROTOCOL=TLS1

After that, the poodls.sh tool let me know that no issue is found and the ricetion of the email works fine.

 

[cmaxwell]

Hello,

I solved this problem simply change this value

TLS_PROTOCOL=SSL23

to

TLS_PROTOCOL=TLS1

After that, the poodls.sh tool let me know that no issue is found and the ricetion of the email works fine.

Unfortunately, that does not fix our issue - we continue to see the following errors in the maillog (and the mail server does not respond on port 143 or 993):

Oct 20 15:14:19 nsxxxxxxxx courier-imaps: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

The only workaround I have found is to adjust the TLS_CIPHER_LIST as per my previous message.

 

[UFHH01]

Thanks for your response and suggestions. We have checked all file paths, permissions and certificates and all are correct.

The only way we got this to work with mail clients is to modify the TLS_CIPHER_LIST value in /etc/courier-imap/imapd-ssl to the following (as per Bobcares article at http://bobcares.com/blog/protecting...ostfix-apache-nginx-dovecot-and-courier-imap/):

TLS_CIPHER_LIST="-ALL:-SSLv2:!ADH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:AES256-SHA:AES128-SHA:DES-CBC3-SHA"

If we change TLS_CIPHER_LIST back to the default as per the Parallels KB article (http://kb.odin.com/en/123160) no mail clients can connect to the server and the same error is logged in maillog (
couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher).

Can I ask what value are you using for TLS_CIPHER_LIST on your servers?

Chris

For NGINX I use:

    ssl_session_timeout         5m;
    ssl_session_cache shared:SSL:50m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS';
    ssl_prefer_server_ciphers on;

For Apache I use:

    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite EECDH-ECDSA-AESGCM:EECDH-aRSA-AESGCM:EECDH-ECDSA-SHA384:EECDH-ECDSA-SHA256:EECDH-aRSA-SHA384:EECDH-aRSA-SHA256:EECDH-aRSA-RC4:EECDH:EDH-aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS
    SSLHonorCipherOrder on
    SSLCompression off

 

[cmaxwell]

@UFHH01 Thanks - what do you use in your imapd-ssl file for TLS_CIPHER_LIST?

 

[UFHH01]

With the command "openssl ciphers" , you might list all your possible ciphers, you can choose, cmaxwell.

If the suggested cipher -list from Parallels doesn't work for you, you might try the mozilla.org-server-guide suggestion :

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

.. and if all this doesn't help you, you might search for a solution here:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566​

 

[SoftCreatR]

Here's my SSL config for nginx (i've patched Plesk nginx in order to be able to use spdy):

ssl_protocols			TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers			FIPS@STRENGTH:!aNULL:!eNULL;
ssl_prefer_server_ciphers	on;
ssl_session_cache		shared:SSL:20m;
ssl_session_timeout		3m;
ssl_buffer_size			1400;
ssl_dhparam			/etc/nginx/ssl/dhparam.pem;

ssl_stapling			on;
ssl_stapling_verify		off;
resolver			8.8.8.8 8.8.4.4 [2001:4860:4860::8844] [2001:4860:4860::8888] valid=86400;
resolver_timeout		5s;

add_header			X-XSS-Protection '1; mode=block';
add_header			X-Content-Type-Options "nosniff";
add_header			Strict-Transport-Security 'max-age=15768000; includeSubDomains; preload';

spdy_headers_comp		0;
spdy_recv_timeout		10;
spdy_keepalive_timeout		125s;

 

[cmaxwell]

We have been in touch with Parallels via ticket and they have confirmed that the suggested ciphers do not work for Courier IMAP. They say that they will be updating the KB article with the correct ciphers.

 

[a_l_e_1972]

Hi all,
after reconfiguring /etc/courier-imap/pop3d-ssl in this way:
SSLPORT=995
SSLADDRESS=0
SSLPIDFILE=/var/run/pop3d-ssl.pid
SSLLOGGEROPTS="-name=pop3d-ssl"
POP3DSSLSTART=NO
POP3_STARTTLS=YES
POP3_TLS_REQUIRED=1
COURIERTLS=/usr/bin/couriertls
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CIPHER_LIST="ALL:!SSLv2:!SSLv3:!ADH:!NULL:!EXPORT:!DES:!LOWSTRENGTH"
TLS_CERTFILE=/usr/share/pop3d.pem
TLS_DHPARAMS=/usr/share/dhparams.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/run/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir
POPLOCK_TIME=30
MAXDAEMONS=40
MAXPERIP=4

Restarting services via: /usr/local/psa/admin/sbin/mailmng --restart-service
I obtain:
Service /etc/init.d/courier-pop3s failed to restart
Service /etc/init.d/courier-pop3s failed to restart

without any notice in log file (/var/log/maillog).

How could I investigate why service don't restart? How could I verify TLS_CERTIFICATE and TLS_DHPARAMS validity?

Thank you in advance

 

[cmaxwell]

Hi all,
after reconfiguring /etc/courier-imap/pop3d-ssl in this way:
SSLPORT=995
SSLADDRESS=0
SSLPIDFILE=/var/run/pop3d-ssl.pid
SSLLOGGEROPTS="-name=pop3d-ssl"
POP3DSSLSTART=NO
POP3_STARTTLS=YES
POP3_TLS_REQUIRED=1
COURIERTLS=/usr/bin/couriertls
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CIPHER_LIST="ALL:!SSLv2:!SSLv3:!ADH:!NULL:!EXPORT:!DES:!LOWSTRENGTH"
TLS_CERTFILE=/usr/share/pop3d.pem
TLS_DHPARAMS=/usr/share/dhparams.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/run/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir
POPLOCK_TIME=30
MAXDAEMONS=40
MAXPERIP=4

Restarting services via: /usr/local/psa/admin/sbin/mailmng --restart-service
I obtain:
Service /etc/init.d/courier-pop3s failed to restart
Service /etc/init.d/courier-pop3s failed to restart

without any notice in log file (/var/log/maillog).

How could I investigate why service don't restart? How could I verify TLS_CERTIFICATE and TLS_DHPARAMS validity?

Thank you in advance

You would be best to configure the file as per the advice in the KB article - some of those settings won't work. In particular you will need to change the following back to the original setting for the service to start:

POP3DSSLSTART=YES

Without this set as above the service will not start.

 

[cmaxwell]

Hi all,
after reconfiguring /etc/courier-imap/pop3d-ssl in this way:
SSLPORT=995
SSLADDRESS=0
SSLPIDFILE=/var/run/pop3d-ssl.pid
SSLLOGGEROPTS="-name=pop3d-ssl"
POP3DSSLSTART=NO
POP3_STARTTLS=YES
POP3_TLS_REQUIRED=1
COURIERTLS=/usr/bin/couriertls
TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CIPHER_LIST="ALL:!SSLv2:!SSLv3:!ADH:!NULL:!EXPORT:!DES:!LOWSTRENGTH"
TLS_CERTFILE=/usr/share/pop3d.pem
TLS_DHPARAMS=/usr/share/dhparams.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/var/run/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir
POPLOCK_TIME=30
MAXDAEMONS=40
MAXPERIP=4

Restarting services via: /usr/local/psa/admin/sbin/mailmng --restart-service
I obtain:
Service /etc/init.d/courier-pop3s failed to restart
Service /etc/init.d/courier-pop3s failed to restart

without any notice in log file (/var/log/maillog).

How could I investigate why service don't restart? How could I verify TLS_CERTIFICATE and TLS_DHPARAMS validity?

Thank you in advance

Also, once you do get the service running, I would suggest testing extensively to make sure mail clients can connect to the server properly (our experience has been that this doesn't work with the TLS_CIPHER_LIST value as suggested in the Parallels KB).