Check your site at https://drownattack.com/#test
or run the following:
HTTPS (replace the IP with your server's IP):
openssl s_client -connect 192.168.1.1:443 -ssl2
Postfix or other email MTA:
openssl s_client -connect xxxxxxxxxxxxx.com:25 -starttls smtp -ssl2
Check your version:
# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL/TLS. You can use the test at the URL above to check whether your server appears to be exposed to the attack.
Disabling SSLv2 can be complicated and depends on the specific server software. We provide instructions here for several common products:
OpenSSL: OpenSSL is a cryptographic library used in many server products.
For users of OpenSSL, the easiest and recommended solution is to upgrade to a recent OpenSSL version. OpenSSL 1.0.2 users should upgrade to 1.0.2g. OpenSSL 1.0.1 users should upgrade to 1.0.1s. Users of older OpenSSL versions should upgrade to either one of these versions.
More details can be found in this OpenSSL blog post.
Postfix
Add the following to your main.cf config file:
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_protocols = SSLv3, TLSv1, !SSLv2
smtpd_tls_cipherlist = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL
Then reload Postfix, e.g.:
# /etc/init.d/postfix reload
To check that SSLv2 is actually disabled, use the following openssl command:
openssl s_client -connect xxxxxxxxxxxxx.com:25 -starttls smtp -ssl2
which should give you something like this:
CONNECTED(00000003)
write:errno=104
as opposed to the SSLv3 test, where the handshake completes:
openssl s_client -connect xxxxxxxxxxxxx.com:25 -starttls smtp -ssl3
CONNECTED(00000003)
....
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: AB6C68095ADFA60119F4845485D840A62DEB5B519E803510692F1BBCD71199CD
    Session-ID-ctx:
    Master-Key: 8BA2691B5EEEA9AE6752D804F0B0700C0792E7AD6BC6D19416B819EF5014FA80FAC51E124DFFB083C70A547AF522C149
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1292001315
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
220 mail.xxxxxxxxx.net ESMTP Postfix
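Added example (not part of the original page): a shell function that classifies a saved transcript of the -ssl2 probe shown above, including the case where the local openssl client was built without SSLv2 and the result says nothing about the server. The function name, verdict words and sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Classify the combined stdout+stderr of an SSLv2 probe, read from stdin.
# Typical use (HOST is a placeholder):
#   openssl s_client -connect HOST:25 -starttls smtp -ssl2 </dev/null 2>&1 \
#       | classify_ssl2_probe
classify_ssl2_probe() {
    out=$(cat)
    # has PATTERN: case-insensitive extended-regex search of the transcript.
    has() { printf '%s\n' "$out" | grep -Eqi -- "$1"; }

    # Client built without SSLv2 (the default since OpenSSL 1.0.2g): the
    # option is rejected locally, so nothing was learned about the server.
    # The exact wording varies by version; all contain "unknown option".
    if has 'unknown option'; then echo INCONCLUSIVE; return 0; fi

    # A completed handshake lists the negotiated protocol under SSL-Session.
    if has 'Protocol[[:space:]]*:[[:space:]]*SSLv2'; then
        echo SSLV2_ENABLED; return 0
    fi

    # TCP connected, then the server reset or rejected the SSLv2 hello.
    if has '^CONNECTED\(' && has 'write:errno=|handshake failure'; then
        echo SSLV2_REFUSED; return 0
    fi

    # No TCP connection, empty output, or anything unrecognised.
    echo INCONCLUSIVE
}

# Constructed transcripts (not captured from a real host).
SAMPLE_REFUSED='CONNECTED(00000003)
write:errno=104'
SAMPLE_ENABLED='CONNECTED(00000003)
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5'
SAMPLE_NO_CLIENT='s_client: Option unknown option -ssl2
s_client: Use -help for summary.'

for s in "$SAMPLE_REFUSED" "$SAMPLE_ENABLED" "$SAMPLE_NO_CLIENT"; do
    printf '%s\n' "$s" | classify_ssl2_probe
done
```

An INCONCLUSIVE verdict means the probe has to be repeated from a client that still supports SSLv2, or with the online test, before the server can be considered clean.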