    OpenSSL CVE-2016-0800 a.k.a. "Drown"

Messages from the pfSense Team

jimp (Rebel Alliance Developer, Netgate)

tl;dr version: Drown attacks SSLv2, we have disabled SSLv2 for the GUI since April 2011 (nearly 5 years ago). Nothing to get excited about with respect to the firewall.

      See also: https://www.openssl.org/news/secadv/20160301.txt

      It may be possible to configure a package in a vulnerable way (Apache+mod_security, Squid reverse proxy, haproxy), but odds are if you fixed your config for POODLE by disabling SSLv3 you probably already disabled SSLv2 back then.

      Still it's a good time to check other SSL-enabled services like SMTP and POP3/IMAP to make sure you have SSLv2 and SSLv3 disabled there as well.

      There are some other OpenSSL issues in the advisory but none of them appear to affect us in a significant way. Still not likely to require a pfSense 2.2.7 with 2.3 so close, but it's still being discussed.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

KOM


        Any thoughts of dumping OpenSSL for LibreSSL?

jimp (Rebel Alliance Developer, Netgate)


          None at all that I'm aware of. So far their track record hasn't been inspiring. Sounds good on paper, but practically it's not as big an advantage as some would like you to believe.

2chemlud (Banned)


            "Why does your tool say I support SSLv2, but nmap says I don't?

            Due to CVE-2015-3197, OpenSSL may still accept SSLv2 connections even if all SSLv2 ciphers are disabled."

            https://drownattack.com/#faq-pfs

            …just saying

            And btw, I guess many are not going to switch directly to 2.3, even if available, but stick to 2.2.X for production

pgb

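Added example, not from the original thread or the pfSense project: a probe for the "check your other SSL-enabled services" advice in the first post that also accounts for the CVE-2015-3197 caveat 2chemlud quotes. Rather than relying on a local `openssl s_client -ssl2` (modern builds have SSLv2 compiled out) or on a cipher-based scan, it sends a raw SSLv2 CLIENT-HELLO itself and treats any SSLv2 SERVER-HELLO as proof that the protocol is enabled, whatever the cipher list says. Function names, the constructed SERVER-HELLO used for the offline self-check, and the host/port command-line interface are all assumptions of this example.

```python
"""Probe a host for SSLv2 by speaking a raw SSLv2 CLIENT-HELLO (added example)."""
import os
import socket
import struct
import sys

# SSL 2.0 CIPHER-KIND codes from the SSLv2 spec. The two EXPORT40 kinds are what DROWN leans on.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_client_hello(challenge=None):
    """SSLv2 CLIENT-HELLO offering every cipher kind, wrapped in a 2-byte record header."""
    challenge = os.urandom(16) if challenge is None else challenge
    specs = b"".join(SSLV2_CIPHERS)
    body = (b"\x01"                           # MSG-CLIENT-HELLO
            + b"\x00\x02"                     # CLIENT-VERSION 0x0002 = SSL 2.0
            + struct.pack("!HHH", len(specs), 0, len(challenge))  # no SESSION-ID
            + specs + challenge)
    # High bit set: 2-byte header, no padding; the low 15 bits carry the length.
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_response(data):
    """Classify the server's reply. Any SSLv2 SERVER-HELLO means the protocol is enabled,
    even when the cipher list is empty or lists kinds the admin believed were disabled
    (the CVE-2015-3197 case that a cipher-only scan misses)."""
    result = {"sslv2": False, "ciphers": [], "export": False, "note": ""}
    if len(data) < 3:
        result["note"] = "no handshake reply (closed or silent): SSLv2 not offered"
        return result
    if data[0] == 0x15 and data[1] == 0x03:
        result["note"] = "TLS alert record: server rejected the SSLv2 hello"
        return result
    if not data[0] & 0x80:
        result["note"] = "reply is not an SSLv2 record"
        return result
    rec_len = struct.unpack("!H", data[:2])[0] & 0x7FFF
    body = data[2:2 + rec_len]
    if len(body) < 11 or body[0] != 0x04:          # MSG-SERVER-HELLO
        result["note"] = "SSLv2 record but not a SERVER-HELLO"
        return result
    # type, session-id-hit, certificate-type, version, cert len, cipher-specs len, conn-id len
    _, _, _, version, cert_len, cs_len, _ = struct.unpack("!BBBHHHH", body[:11])
    if version != 0x0002:
        result["note"] = "SERVER-HELLO with version 0x%04x" % version
        return result
    specs = body[11 + cert_len:11 + cert_len + cs_len]
    names = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
             for i in range(0, len(specs) - len(specs) % 3, 3)]
    result.update(sslv2=True, ciphers=names,
                  export=any("EXPORT" in n for n in names),
                  note="SSLv2 SERVER-HELLO received: SSLv2 is enabled")
    return result


def make_server_hello(cipher_codes, cert=b"\x30\x03\x02\x01\x01"):
    """Constructed SERVER-HELLO for the offline self-check; not captured from a real server."""
    specs = b"".join(cipher_codes)
    conn_id = b"\x00" * 16
    body = (b"\x04\x00\x01\x00\x02"                 # type, no session hit, X.509, SSL 2.0
            + struct.pack("!HHH", len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return struct.pack("!H", 0x8000 | len(body)) + body


def probe(host, port, timeout=5.0):
    """Send the CLIENT-HELLO over TCP and read one complete record back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = b""
        try:
            data = s.recv(2)
            if len(data) == 2 and data[0] & 0x80:
                need = struct.unpack("!H", data)[0] & 0x7FFF
                while len(data) - 2 < need:          # SERVER-HELLO carries the cert, may be large
                    chunk = s.recv(need - (len(data) - 2))
                    if not chunk:
                        break
                    data += chunk
            else:
                data += s.recv(4096)
        except socket.timeout:
            pass
    return parse_response(data)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:  # offline self-check against the constructed reply
        print(parse_response(make_server_hello([b"\x02\x00\x80", b"\x07\x00\xc0"])))
```

Run it as `python3 sslv2probe.py mail.example.com 465` against each TLS-wrapped port (HTTPS, SMTPS, POP3S, IMAPS); it does not do STARTTLS, so for ports 25/110/143 you would first drive the plaintext protocol to the STARTTLS point and then send the same record. A `sslv2: True` with an empty `ciphers` list is exactly the state CVE-2015-3197 leaves behind, and the fix in every case is to disable the protocol, not just its ciphers.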

              My default installation of Squid Reverse Proxy is vulnerable. How can I disable SSLv2 and SSLv3? I haven't found a way in the UI.

jimp (Rebel Alliance Developer, Netgate)


                Try posting that in a message on the Cache/Proxy board, you'll have better luck there. There is likely an advanced configuration directive you need to use.

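Added example configuration for the Squid reverse-proxy case pgb raises; it is not from the thread, the pfSense squid package, or its GUI. It assumes Squid 3.x syntax, where `https_port` accepts an `options=` list of OpenSSL option names (later Squid releases renamed this option, so check the documentation for the version you run), and uses placeholder certificate paths and hostname. Whether the pfSense package exposes a custom-options field that passes this through to squid.conf is not something the thread confirms; if it does not, the directive belongs in the generated squid.conf's `https_port` line.

```conf
# Weak: protocol versions left at the OpenSSL default, so SSLv2/SSLv3 are whatever the
# library permits. Disabling only the SSLv2 ciphers is not enough (see CVE-2015-3197).
# https_port 443 accel cert=/usr/local/etc/squid/cert.pem key=/usr/local/etc/squid/key.pem vhost defaultsite=www.example.com

# Hardened: refuse the SSLv2 and SSLv3 protocol versions themselves.
https_port 443 accel cert=/usr/local/etc/squid/cert.pem key=/usr/local/etc/squid/key.pem vhost defaultsite=www.example.com options=NO_SSLv2,NO_SSLv3
```

After reloading Squid, confirm the change from outside with an SSLv2 handshake probe and with `openssl s_client -ssl3 -connect host:443` (the latter only works on an openssl build that still ships SSLv3); both should fail to complete a handshake.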
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.