The POODLE weakness in the SSL protocol (CVE-2014-3566)

This document (7015773) is provided subject to the disclaimer at the end of this document.

Environment


SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 9
SUSE Cloud
SUSE Linux Enterprise Server 12
SUSE Manager
SUSE Studio

Situation

1. Your immediate action is required.

In short: The POODLE attack to the SSL 3.0 protocol, published last night (https://www.openssl.org/~bodo/ssl-poodle.pdf) requires server and desktop administrators and desktop users to carefully review their security protocol settings in packages such as HTTP Servers (such as Apache, Tomcat), SMTP Servers(such as Postfix), IMAP Servers, ... as well as Web browsers (Firefox, ...) and E-Mail Clients (Evolution, Thunderbird, ...).

More generally: everything which uses the SSL/TLS protocol, needs a review.

Recommended action:
Check for and if needed, change the settings to work with TLS 1.0 as a minimum requirement (details below).

Fortunately, you do not have to install or update any package to mitigate the situation. In the future you may see updates to some packages, to help mitigating this on a lower level than the configuration alone.

Unfortunately, changing the settings on servers and clients can have significant side effects, if some part of your stack really requires the SSL 3.0 protocol.  Carefully check your needs and those of your peers!

2. Settings for some well known packages

Firefox and Thunderbird

In older Firefox Browsers (before 23), there was a menu entry to disable SSLv3 (Preferences-Advanced-Encryption).

For more recent Firefox versions you need to use the detailed configuration. Go to "about:config", search for "security.tls.version.min" and change the value to "1" at least.
The default is "0", see:
http://http://kb.mozillazine.org/Security.tls.version.*
The same steps are needed for Thunderbird.

Apache webserver

Make sure your Apache configuration(s) contains:

        "SSLProtocol all -SSLv2 -SSLv3"
Note: Run the following command to make sure that SSLv3 is disabled:
openssl s_client -connect localhost:443 -ssl3
The result will show which protocols are  in use, either SSLv3 and TLS or just TLS.

Postfix SMTP Server


To enforce TLS for transport of SMTP connections, add this to your configuration:

smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_enforce_tls = yes



Note, with "smtp_enforce_tls = yes" your postfix will not accept any
plaintext connections anymore.
 

Evolution

If your email server supports the STARTTLS (http://en.wikipedia.org/wiki/STARTTLS) feature, we suggest you change configuration on Evolution email client from "SSL" to "TLS". This will force Evolution email client to use STARTTLS over plain SSL. SUSE is currently working on using TLS instead of SSLv3 when "SSL" is chosen in the configuration dialog, for mail servers not supporting STARTTLS.  A respective patch will be available in the future.

apache2-mod_nss

To disable SSL edit the following file:
/etc/apache2/conf.d/mod_nss.conf
and change "NSSProtocol" to "TLSv1.0,TLSv1.1,TLSv1.2" and restart apache?


lighttpd

With SLE11SP3 (HA+SDK) we deliver lighttpd 1.4.20. This version of
lighhtpd does not allow to disable SSL. Please see the work-around
section below.

cyrus-imapd

Cyrus-imap supports SSL and STARTTLS. The configuration needs to be
adjusted by setting:
tls_cipher_list: TLSv1+HIGH:!aNull:@STRENGTH
If this does not work for your environment you can still use the below
mentioned work-around.
Even is the protocol downgrade might be possible, it is still very
likely that the IMAP over SSL protocol is not vulnerable to this kind of
attack.


stunnel

On SLE12 you can enable TLS up to TLS 1.2 by using
    sslVersion = TLSv1 TLSv1.1 TLSv1.2
On SLE11 you can enable TLS up to TLS 1.1 by using the config option:
    sslVersion = TLSv1 TLSv1.1
For earlier version you have to try:
    options = NO_SSLv3
    options = NO_SSLv2



SUSE Manager

SUSE Manager disables SSL by default and only uses TLS.


SMT

SMT uses TLS on the server site.


WebYaST/SLMS

Both services use Nginx which is configured to not allow SSL but only
uses TLS.
Your nginx configuration file should contain:
ssl on;
ssl_protocols TLSv1


SUSE Cloud

If you're running the OpenStack Horizon Dashboard with SSL, consider to change the chef template on your Admin server

/opt/dell/chef/cookbooks/nova_dashboard/templates/suse/nova-dashboard.conf.erb

To include

SSLEngine On
SSLProtocol all -SSLv2 -SSLv3


Upload the cookbook by

knife cookbook upload nova_dashboard -o /opt/dell/chef/cookbooks/

and finally redeploy the "Horizon" Barclamp from the UI to make the change effective. Note this setting is supposed to be the default going forward.

suseRegister/suseConnect

The registration protocol uses SSL (libcurl) and allows SSL as fallback.
Updates for it will be published if appropriate. Is is very unlikely
that the registration process can be exploited using this vulnerability.


Downloading updates

Patches distributed via our CDN provider are secure because SSL was
disabled and packages are signed in addition.


Work-around

If your service does not support to disable SSL it is possible to use
HAproxy to handle the TLS connections and forward the traffic to the
service.

After changing your configuration verify your new setup please.


3. Background

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. An attacker who acts as man-in-the-middle can force to downgrade the SSL/TLS protocol to version 3.0 if the attacked application supports this old SSL version. This legacy protocol is not secure. Depending on the applications, it may be possible for an adversary to mount attacks that can lead to disclosure of secret data such as passwords or HTTP cookies.

This attack is not limited to web-browsers, other services (like VPNs, mail clients, etc) use SSL to secure their traffic as well. Please evaluate your applications and configurations -- on all operating systems.

Resolution


Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7015773
  • Creation Date: 15-Oct-2014
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center