OpenSSL CVE-2016-0800 a.k.a. "Drown"
-
tl;dr version: Drown attacks SSLv2, we have disabled SSLv2 for the GUI since April 2011 (nearly 5 years ago). Nothing to get excited about with respect to the firewall.
See also: https://www.openssl.org/news/secadv/20160301.txt
It may be possible to configure a package in a vulnerable way (Apache+mod_security, Squid reverse proxy, haproxy), but odds are if you fixed your config for POODLE by disabling SSLv3 you probably already disabled SSLv2 back then.
Still it's a good time to check other SSL-enabled services like SMTP and POP3/IMAP to make sure you have SSLv2 and SSLv3 disabled there as well.
There are some other OpenSSL issues in the advisory but none of them appear to affect us in a significant way. Still not likely to require a pfSense 2.2.7 with 2.3 so close, but it's still being discussed.
-
Any thoughts of dumping OpenSSL for LibreSSL?
-
None at all that I'm aware of. So far their track record hasn't been inspiring. Sounds good on paper, but practically it's not as big an advantage as some would like you to believe.
-
"Why does your tool say I support SSLv2, but nmap says I don't?
Due to CVE-2015-3197, OpenSSL may still accept SSLv2 connections even if all SSLv2 ciphers are disabled."
https://drownattack.com/#faq-pfs
…just saying
And btw, I guess many are not going to switch directly to 2.3, even if available, but stick to 2.2.X for production
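As an added example (not code from this thread, pfSense, nmap or drownattack.com), a small Python probe that sends a raw SSLv2 CLIENT-HELLO and checks whether the reply is an SSLv2 SERVER-HELLO; this is the kind of check the quoted FAQ describes and the one worth running against your own SMTP/POP3/IMAP ports after disabling SSLv2/SSLv3. It assumes implicit-TLS ports (e.g. 443, 465, 993, 995) and does not do a STARTTLS preamble; host and port are whatever you administer.

```python
import socket
import struct

# All seven classic SSLv2 cipher specs (3 bytes each), so the probe does not
# depend on which suites the server has left enabled (cf. CVE-2015-3197).
SSLV2_CIPHER_SPECS = b"".join(bytes.fromhex(h) for h in (
    "010080", "020080", "030080", "040080", "050080", "060040", "0700c0"))


def build_sslv2_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Return an SSLv2 CLIENT-HELLO record (2-byte header, high bit set)."""
    body = (b"\x01"                                   # MSG-CLIENT-HELLO
            + b"\x00\x02"                             # CLIENT-VERSION = SSLv2
            + struct.pack(">H", len(SSLV2_CIPHER_SPECS))
            + struct.pack(">H", 0)                    # SESSION-ID-LENGTH
            + struct.pack(">H", len(challenge))       # CHALLENGE-LENGTH
            + SSLV2_CIPHER_SPECS + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def server_accepts_sslv2(response: bytes) -> bool:
    """True iff the reply parses as an SSLv2 SERVER-HELLO offering ciphers.
    A TLS alert (first byte 0x15), a closed socket or garbage yields False."""
    if len(response) < 13 or not (response[0] & 0x80):
        return False
    rec_len = struct.unpack(">H", response[:2])[0] & 0x7FFF
    msg_type, _sid_hit, _cert_type, version = struct.unpack(">BBBH", response[2:7])
    _cert_len, cipher_len, _conn_id_len = struct.unpack(">HHH", response[7:13])
    return (rec_len >= 11 and msg_type == 0x04 and version == 0x0002
            and cipher_len > 0 and cipher_len % 3 == 0)


def probe(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Connect over plain TCP, send the hello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return server_accepts_sslv2(reply)


def constructed_server_hello() -> bytes:
    """Constructed sample of a minimal SSLv2 SERVER-HELLO (no certificate,
    one cipher spec) used to exercise the parser offline."""
    body = (b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", 0, 3, 0)
            + b"\x01\x00\x80")
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("SSLv2 accepted" if probe(host, port) else "SSLv2 not accepted")
```

A server with SSLv2 disabled normally answers with a TLS alert or drops the connection, both of which the parser reports as not accepted.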
-
My default installation of Squid Reverse Proxy is vulnerable. How can I disable SSLv2 and SSLv3? I haven't found a way in the UI.
-
Try posting that in a message on the Cache/Proxy board; you'll have better luck there. There is likely an advanced configuration directive you need to use.