I have recently inherited the administration of our Securemail appliances and just have a few questions. If you could help me answer them that would be great.
We are running Email Gateway 7.5.4 h960401. I am required to install the POODLE hotfix. I have been doing some research and came across the document written by Ryan Brady about disabling SSLv3 for the MEG. I checked the configuration of my Securemail for forbidden protocols and it shows that I need to add <Attr name="1" value="SSLv3"/>. The current config is set up as below.
<List name="ForbiddenProtocols" type="nstr">
<Attr name="0" value="SSLv2"/>
I ran the following on the machine to determine if I am vulnerable:
# Set the target host and port (XXXXXXX is the placeholder from the original post).
export hostname=XXXXXXX
export port=443
# Note: $(hostname) would run the hostname command, so the variable is referenced as "$hostname".
# openssl prints "Cipher ... 0000" when no SSLv3 cipher was negotiated, so that is the "disabled" case.
if echo Q | openssl s_client -connect "$hostname:$port" -ssl3 2> /dev/null | grep -q "Cipher.*0000"; then echo "SSLv3 disabled"; else echo "SSLv3 enabled"; fi
and it showed the following. As you can see, it shows my cert when I run it on 10443 (admin port) and says that SSLv3 is enabled, but also shows that SSLv3 is disabled for 443. As I'm new to all this, should it be disabled for port 10443 as we use that for email quarantine notifications?
On my secondary appliance I have installed the POODLE hotfix. I went into TLS advanced options and set TLS enforcement.
I checked the config of the secondary Securemail appliance and determined SSLv3 was disabled.
I also ran the commands on the appliance and I got the following. Note the cert details are not shown when run on 10443, but it says SSLv3 is still enabled. SSLv3 also shows as disabled for port 443.
So my questions are:
Should I be checking port 10443 as I am using it for quarantine notifications? Why is it still showing as enabled for the secondary appliance?
Am I now patched for POODLE on the secondary appliance?
Sorry for the basic questions. I'm new to all of this.
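The openssl one-liner in the post pipes everything s_client prints through grep -v "Cipher.*0000", and grep -v succeeds as soon as any line does not match, so a refused connection, a closed socket or a non-TLS listener all come out as "SSLv3 enabled". The following is an added example, not code from the thread or from the appliance vendor: it sends a raw SSLv3 ClientHello to a port and classifies what comes back, so a rejected handshake, a closed connection and a genuine SSLv3 ServerHello are reported separately. The host name is an assumed placeholder; the ports are the two discussed above.

```python
"""Added example (not from the original thread): probe a TCP port with a raw
SSLv3 ClientHello and classify the reply. The host name in __main__ is an
assumed placeholder; no real appliance output is embedded here."""
import socket
import struct

SSLV3_VERSION = b"\x03\x00"

# Standard cipher suite ids from the TLS registry (RC4-SHA, RC4-MD5, AES128-SHA,
# AES256-SHA, DES-CBC3-SHA) so the hello is acceptable to any SSLv3-capable server.
CIPHER_SUITES = [0x0005, 0x0004, 0x002F, 0x0035, 0x000A]


def build_sslv3_client_hello() -> bytes:
    """Return one SSLv3 record (content type 0x16) carrying a minimal ClientHello."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3_VERSION                       # client_version = 3.0
        + b"\x00" * 32                      # random; fixed, we only care about the answer
        + b"\x00"                           # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                       # one compression method: null
    )
    # handshake header: type 1 (ClientHello) + 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server sent back to an SSLv3 ClientHello.

    'sslv3_enabled'  - ServerHello with protocol version 3.0
    'other_version'  - ServerHello, but a version other than 3.0 was chosen
    'sslv3_rejected' - an alert record (handshake_failure, protocol_version, ...)
    'closed'         - server closed the connection without replying
    'not_tls'        - reply is not a TLS record (e.g. an HTTP error string)
    """
    if not data:
        return "closed"
    if len(data) < 5:
        return "not_tls"
    content_type = data[0]
    if content_type == 0x15:            # alert
        return "sslv3_rejected"
    if content_type != 0x16 or len(data) < 11:
        return "not_tls"
    # record header is 5 bytes, then handshake type (1) + length (3) + server_version (2)
    if data[5] != 0x02:                 # 2 = ServerHello
        return "not_tls"
    return "sslv3_enabled" if data[9:11] == SSLV3_VERSION else "other_version"


def check_sslv3(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the hello and classify the reply. Connection errors are
    reported as 'unreachable' instead of being counted as 'enabled'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            reply = sock.recv(4096)
    except OSError:
        return "unreachable"
    return classify_response(reply)


if __name__ == "__main__":
    import sys
    # assumed placeholder; pass the appliance's real host name as the first argument
    target = sys.argv[1] if len(sys.argv) > 1 else "appliance.example.invalid"
    for p in (443, 10443):               # the listener and admin ports from the thread
        print(f"{target}:{p} -> {check_sslv3(target, p)}")
```

Only the "sslv3_enabled" verdict means the port still negotiates SSLv3; "closed", "sslv3_rejected" and "unreachable" are the outcomes the grep -v one-liner would have lumped together as "enabled". Run it against both ports after applying the hotfix and again after adding SSLv3 to ForbiddenProtocols.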
In answer to your questions, given the hotfix installed and the details of the settings, SSLv3 is not disabled on your appliance. SSLv3 is, itself, not the source of the POODLE vulnerability, although many of the ciphers it allows are. The real source comes from block-based ciphers present in and used as part of SSLv3. As such, the KB indicates that you can disable all but RC4, and that would help somewhat. That said, the POODLE hotfix for MEG 7.5.4 is hotfix 1014806, and it was released to the world on the 29th of October. I would recommend getting that installed ASAP if you haven't done so already.
You can use Qualys SSL Labs - Projects / SSL Server Test to test SSL setups. Of course, regarding the output, it's always good to verify in your environment that it's correct, but it can give a quick, good indication of what might be wrong in your SSL setup.
This was a useful site a platinum engineer suggested once, and I've had far fewer issues with SSL ever since.