Re: [exim] Issue on Exim 4.72 SSL 3 and POODLE

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Ted Cooper
Date:  
À: exim-users
Sujet: Re: [exim] Issue on Exim 4.72 SSL 3 and POODLE
On 04/02/16 21:24, Marco Ocisp wrote:
> Hi,I AM using Webuzo panel who is running Exim 4.72 who seems to be vulnerable to POODLE attack and SSL 3.
> I cannot update Exim from SSH because will be incompatibile with the panel so I must wait a fix from the panel Staff who are taking very long time and have issue on integrating Exim.
> In my exim.confI have
> tls_require_ciphers = HIGH:MEDIUM:+TLSv1.2:!SSLv2
> if I add :!SSLv3
> save and restart outgoing email from Thunderbord and smartphone not work.If I remove the :!SSLv3 final works but there are vulnerability.
> If just disable SSlv3 this is ignored as seems in Exim 4.72 I can't disable SSL 3.
> In the time I wait a fix from softaculouscan I do something to fix the issue of SSL 3 and POODLE attack?
> I AM on CentOs
> Thanks.


There might not be a concern on this front. POODLE is a web based attack
and is most likely not viable on email protocols.

There was an announcement regarding this back in Oct 2014:

https://lists.exim.org/lurker/message/20141017.093614.e5c38176.en.html

I agree with Jeremy though - there should be a more up to date hosting
provider out there.