Re: [exim] POODLE advisory from exim-announce

Author: Phil Pennock
Date:
To: elrippo
CC: exim-users
Subject: Re: [exim] POODLE advisory from exim-announce
On 2014-10-29 at 05:27 +0100, elrippo wrote:
> On Montag, 20. Oktober 2014, 19:39:20 Phil Pennock wrote:
> > So, how have you ruled out that this is a client limitation, with a
> > client which doesn't support TLS?
> >
> > Which clients are you trying to use?


> The only cipher that works is "tls_require_ciphers expands to SECURE256:!VERS-SSL3.0"
> But now I am getting trouble with a client software saying that it could not negotiate a proper cipher suite.....
>
> "TLS error on connection from android.mywireless [192.168.xxx.xxx] (gnutls_handshake): Could not negotiate a supported cipher suite"


Okay, that gets us a little closer to answering the question which was
asked, which was "which clients are you trying to use".

I think that you're using Android 2.2 or older, so you don't have TLS
support. Thus you can't disable SSLv3 in the servers you care about.
For HTTPS, this is a severe problem; for SMTP it's not (yet).

The announcement message which Tony sent said:
} Nonetheless, this attack is driving a major shift to eliminate the use of
} SSLv3 in all protocols, so we can expect future releases of security
} libraries to drop support. You should probably try to identify problems
} before you have no back-out strategy, by working to eliminate those
} clients and servers which do not support TLS. Exim logs cipher suite
} details by default, so you can check the size of the problem at your site
} by scanning your logs for the string " X=SSL".

With Exim supporting TLS, the only connections which will log X=SSL (in
the absence of an attack) are those for clients which do not support
TLS.

So, by disabling SSLv3 you have successfully identified clients which
do not support TLS and now you can re-enable SSLv3, tackle getting those
clients upgraded/replaced/fixed, before trying again.

Yes, this is horrible. Such is life: _because_ you tried disabling
SSLv3 while you still have the option to go back to it, you are not in
deep trouble with no way out, so things aren't as horrible as they could
be.

At this point, it's no longer an Exim issue: Exim is merely the software
which is helping you identify that you have a problem elsewhere.

When it comes to Android: a mobile always-online device which isn't
getting OS updates with security fixes is a compromised device and a
walking attractive nuisance. It's deeply unfortunate that so many
vendors have gotten away with dumping products on the market without
regard to the lifecycle costs of protecting their customers.

If this hardware is simply too old to be taking new OS images, then it's
time to start planning how to replace it with new hardware which can, or
looking into putting different firmware on the device yourself
(cyanogenmod or whatever the cool people are using these days; I don't
keep track).

If this hardware is less than three years old and not getting OS updates
and security fixes, then blacklist that vendor, don't buy from them
again, and find a vendor who actually supports the products which they
sell and works to protect their customers.

-Phil
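
An added example, not part of the original message and not code from the Exim project: one way to do the log scan the announcement describes, tallying peers whose lines contain " X=SSL" (split into inbound clients and outbound servers) alongside peers that hit the handshake error quoted above. The sample log lines, addresses and the function name sslv3_report are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in Exim main-log style (not from the original post).
SAMPLE_LOG = """\
2014-10-29 05:10:01 1XjA00-0000aa-01 <= a@example.org H=mx.example.org [192.0.2.10] P=esmtps X=TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256 S=2101
2014-10-29 05:11:07 1XjA01-0000ab-02 <= b@example.net H=(phone) [192.0.2.77] P=esmtpsa X=SSL3.0:RSA_AES_256_CBC_SHA1:256 S=1550
2014-10-29 05:11:59 1XjA02-0000ac-03 <= b@example.net H=([10.0.0.5]) [192.0.2.77] P=esmtpsa X=SSL3.0:RSA_AES_256_CBC_SHA1:256 S=980
2014-10-29 05:12:30 1XjA03-0000ad-04 => c@example.com R=dnslookup T=remote_smtp H=mail.example.com [198.51.100.5] X=SSLv3:AES256-SHA:256
2014-10-29 05:27:40 TLS error on connection from old.example.com [192.0.2.77] (gnutls_handshake): Could not negotiate a supported cipher suite
"""

# Peer address: a bracketed IP preceded by a space, which skips an IP-literal
# HELO such as H=([10.0.0.5]) and picks the real connecting address.
PEER_IP = re.compile(r" \[([0-9A-Fa-f.:]+)\]")
TLS_ERROR = "TLS error on connection from"

def direction(line):
    """Classify a log line by Exim's arrival/delivery flags."""
    if " <= " in line:
        return "inbound"      # a client connected to us
    if " => " in line or " -> " in line:
        return "outbound"     # we delivered to a remote server
    return "other"

def sslv3_report(lines):
    """Return (Counter keyed by (direction, ip) for X=SSL lines,
    Counter keyed by ip for TLS handshake error lines)."""
    ssl_peers, failed_peers = Counter(), Counter()
    for line in lines:
        m = PEER_IP.search(line)
        ip = m.group(1) if m else "unknown"
        if TLS_ERROR in line:
            failed_peers[ip] += 1
        elif " X=SSL" in line:  # the string named in the announcement
            ssl_peers[(direction(line), ip)] += 1
    return ssl_peers, failed_peers

if __name__ == "__main__":
    # Pass a main-log path as the first argument, or run on the sample.
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    ssl_peers, failed_peers = sslv3_report(src)
    for (way, ip), n in ssl_peers.most_common():
        print(f"{n:6d}  {way:8s} {ip}  negotiated SSLv3")
    for ip, n in failed_peers.most_common():
        print(f"{n:6d}  handshake failures from {ip}")
```

Run it once while SSLv3 is still enabled to size the problem, and again after disabling it to see which of the same peers now appear only as handshake failures.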