Dovecot version in precise too old to switch off SSLv3 protocol for "poodle" fix

Here is the patch from the mailing list([3] in original post)

The attachment "disable SSLv3 in dovecot" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

Status changed to 'Confirmed' because the bug affects multiple users.

I had a quick discussion with mdeslaur (security team) on #ubuntu-hardened.

He's not prepared to push changes which just turn SSLv3 off, since that would break clients. But he is prepared to sponsor security patches that add it as an option, so that users can opt to turn SSLv3 off after they've got the security update.

According to https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability, SSLv3 can be switched off in 2.0.19 by adding "!SSLv3" to the ssl_cipher_list config option. Is that not correct?

On 10/20/2014 11:18 AM, Roger Cornelius wrote:
> According to https://www.digitalocean.com/community/tutorials/how-to-
> protect-your-server-against-the-poodle-sslv3-vulnerability, SSLv3 can
> be switched off in 2.0.19 by adding "!SSLv3" to the ssl_cipher_list
> config option. Is that not correct?

Doing so will drop support for TLS 1.0 and 1.1 too (leaving 1.2 only).
This is explained by the fact that all the ciphers defined by SSLv3 are
also shared by TLS 1.0 and 1.1 so removing them only leaves those added
by TLS 1.2.

$ openssl ciphers -v 'ALL:!LOW:!SSLv2:!EXP:!aNULL' | wc -l
77
$ openssl ciphers -v 'ALL:!LOW:!SSLv2:!EXP:!aNULL:!SSLv3' | wc -l
28

This is generally not advisable because many email clients do not
support TLS 1.2. The article should be fixed.

Simon

It is not correct. Adding !SSLv3 to the cipher list removes the set of *ciphers* specified in the SSLv3 cipher suite [1], which would also disable ciphers listed in other suites. It has no effect on the *protocols* used.

[1] http://www.openssl.org/docs/apps/ciphers.html

Thanks for the clarification.

So basicaly the following commit has to be backported to the 2.0 Version. http://hg.dovecot.org/dovecot-2.1/rev/406a1d52390b

I created a patch for 2.0.19 and tried it on our staging systems. This worked quite well for ous.

Made a quick patch for this package, tested it in following way:

* Install package
* Start dovecot
* Connect with: openssl s_client -connect -ssl3 localhost:995

Getting error that I can't connect on SSLv3, assumed this resolved the issue.

Hello Benjamin, or anyone else affected,

Accepted dovecot into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/dovecot/1:2.0.19-0ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

How will this be dealt with in lucid, please? I guess POODLE isn't really that much of an issue for an IMAPS or POP3S session since there is no Javascript involved or am I mistaken?

The verification of the Stable Release Update for dovecot has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package dovecot - 1:2.0.19-0ubuntu2.2

---------------
dovecot (1:2.0.19-0ubuntu2.2) precise; urgency=medium

  * Backport support for the ssl_protocols setting to easily allow
    disabling SSLv3. (LP: #1381537)
    - debian/patches/backport_ssl_protocols.patch: added new setting to
      src/login-common/login-settings.c, src/login-common/login-settings.h,
      src/login-common/ssl-proxy-openssl.c, src/config/all-settings.c.
 -- Marc Deslauriers <email address hidden> Mon, 27 Oct 2014 12:46:22 -0400

Dovecot uses Unix password authentication by default. If those passwords leak, they can be used to ssh in and perhaps even for sudo.

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

OK, I hate to be so stupid, but I need some help and can't seem to locate anyone knowledgeable so far:

In 10-ssl.conf I added: ssl_protocols = !SSLv2 !SSLv3 (to no avail so i think I am not patched)

Would appreciate some helpful comments / guidance please...

I did a fresh install of 12.04.5 on another machine, thinking that there had been a patch for dovecot, but I am still getting this error, so I assume it is not patched in 12.04.5 ? Or how do I get the patch installed?

This accepts the login: `openssl s_client -connect localhost:993 -ssl3`

This gives an error: `openssl s_client -connect localhost:465 -ssl3` "139852816377504:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:59"

This too gives an error: `openssl s_client -connect localhost:25 -ssl3` "140205816501920:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339"

So if I go to a poodle website and check, they return OK for Poodle EXCEPT for 993 port, do you know what I am doing wrong?

BTW, these are the exact results from my long running 12.04.4 ubuntu, and we need to stay on 12.04 for now.

Throw me a bone, please - give me some detailed instructions of how I can fix this, thank you. My goal is to have port 25, 587, 465, 993, etc all !SSLv3 compliant.

Thank you

Port 25 is probably handled by postfix, exim, or sendmail, not dovecot. In any event, you can't simply connect directly to SMTP with TLS; SMTP requires using the STARTTLS command to upgrade a connection to TLS.

I suspect you'll find similar issues with your other ports; I don't know the details of those off-hand as well as SMTP, so I'll just ask how confident you are that your test case accurately reflects the protocols you're trying to test.

Thanks