Poodlebleed bug

[cmdman]

hi mr..

how can we disable ssl3  in mr panel .. to fix for Poodlebleed bug.

[MRatWork]

In Kloxo-MR 7, ssl for web set with disable SSL2 and SSL3 (that mean only TLS1.0+ enabled).

[cmdman]

mr iam taking abt 6 as 7 is still beta we cont use on live

[MRatWork]

Google, Yahoo and microsoft still using SSL3!.

[Spacedust]

What about Qmail ? We disabled TLS and now we are on SSL only !

[fossxplorer]

Indeed! SSLv3 is available on port 465

What about Qmail ? We disabled TLS and now we are on SSL only !

[MRatWork]

For qmail, use 'starttls' in 'Authentication'.

[chrisf]

I have already set all of my *-ssl /var/qmail/supervise run files to ssl=0 forcetls=1

Plus, pop3-ssl/run was missing all the export options.

[Spacedust]

For qmail, use 'starttls' in 'Authentication'.

We've disabled this by adding exhaustivelist in /var/qmail/control/tlshosts

[Spacedust]

Here's how to protect Apache and nginx:

    nignx

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    Apache

    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

[MRatWork]

Here's how to protect Apache and nginx:

    nignx

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    Apache

    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

All web configs already disable SSL2 and SSL3 in latest version of Kloxo-MR 7.

[chrisf]

Mustafa, forcing tls in the run files is the easiest approach, I need to know how you are going to implement this so on qmail update we are all on the same 'idea'.

[MRatWork]

Mustafa, forcing tls in the run files is the easiest approach, I need to know how you are going to implement this so on qmail update we are all on the same 'idea'.

I have no idea to force to use tls protocol only for ssl connection.

[chrisf]

I will post the changes needed by end of day, you can investigate

[chrisf]

Changes #1:
/etc/courier/pop3d-ssl
/etc/courier/imapd-ssl

Find

Code: [Select]

TLS_PROTOCOL=SSL23

Change to:

Code: [Select]

TLS_PROTOCOL=TLS1

Now for the run files.......