{"id":3016,"date":"2016-03-02T20:51:16","date_gmt":"2016-03-02T20:51:16","guid":{"rendered":"https:\/\/qbytes.cloud\/?p=3016"},"modified":"2016-03-02T20:51:16","modified_gmt":"2016-03-02T20:51:16","slug":"drown-attack","status":"publish","type":"post","link":"https:\/\/www.qbytes.cloud\/index.php\/2016\/03\/02\/drown-attack\/","title":{"rendered":"Drown Attack"},"content":{"rendered":"<p>Check your site at https:\/\/drownattack.com\/#test<\/p>\n<p>or run the following:<\/p>\n<p>HTTPS (replace the IP with your server's IP)<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">openssl s_client -connect 192.168.1.1:443 -ssl2\n<\/pre>\n<p>Postfix or other email MTA<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">openssl s_client -connect xxxxxxxxxxxxx.com:25 -starttls smtp -ssl2\n<\/pre>\n<p>Check your OpenSSL version<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n# openssl version\nOpenSSL 1.0.1e-fips 11 Feb 2013\n<\/pre>\n<p>To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections. This includes web servers, SMTP servers, IMAP and POP servers, and any other software that supports SSL\/TLS. You can use the test linked above to check whether your server appears to be exposed to the attack.<\/p>\n<p>Disabling SSLv2 can be complicated and depends on the specific server software. We provide instructions here for several common products:<br \/>\nOpenSSL: OpenSSL is a cryptographic library used in many server products.<\/p>\n<p>For users of OpenSSL, the easiest and recommended solution is to upgrade to a recent OpenSSL version. OpenSSL 1.0.2 users should upgrade to 1.0.2g. OpenSSL 1.0.1 users should upgrade to 1.0.1s. 
Users of older OpenSSL versions should upgrade to one of these versions.<\/p>\n<p><a href=\"https:\/\/www.openssl.org\/blog\/blog\/2016\/03\/01\/an-openssl-users-guide-to-drown\/\" target=\"_blank\" rel=\"noopener\">More details can be found in this OpenSSL blog post.<\/a><\/p>\n<p>Postfix<\/p>\n<p>Add the following to your main.cf config file:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\nsmtpd_tls_security_level = may\nsmtpd_tls_auth_only = yes\nsmtpd_tls_protocols = SSLv3, TLSv1, !SSLv2\nsmtpd_tls_cipherlist = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-eNULL\n\n<\/pre>\n<p>Then reload Postfix, e.g.:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n# \/etc\/init.d\/postfix reload\n\n<\/pre>\n<p>To check that SSLv2 is actually disabled, use the following openssl command:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\nopenssl s_client -connect xxxxxxxxxxxxx.com:25 -starttls smtp -ssl2\n\n<\/pre>\n<p>which should give you something like this:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\nCONNECTED(00000003)\nwrite:errno=104\n\n<\/pre>\n<p>as opposed to the SSLv3 test:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">openssl s_client -connect xxxxxxxxxxxxx.com:25 -starttls smtp -ssl3\nCONNECTED(00000003)\n\n....\n\nSSL-Session:\n    Protocol  : SSLv3\n    Cipher    : DHE-RSA-AES256-SHA\n    Session-ID: AB6C68095ADFA60119F4845485D840A62DEB5B519E803510692F1BBCD71199CD\n    Session-ID-ctx:\n    Master-Key: 8BA2691B5EEEA9AE6752D804F0B0700C0792E7AD6BC6D19416B819EF5014FA80FAC51E124DFFB083C70A547AF522C149\n    Key-Arg   : None\n    Krb5 Principal: None\n    Start Time: 1292001315\n    Timeout   : 7200 (sec)\n    Verify return code: 18 (self signed certificate)\n---\n220 mail.xxxxxxxxx.net ESMTP Postfix\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Check your Site at https:\/\/drownattack.com\/#test or run the following: http (replace IP with 
your server ip) openssl s_client -connect 192.168.1.1:443 -ssl2 postfix or other email MTA openssl s_client -connect xxxxxxxxxxxxx.com:25 -starttls smtp -ssl2 Check your version # openssl version OpenSSL 1.0.1e-fips 11 Feb 2013 To protect against DROWN, server operators need to ensure that their &#8230; <a title=\"Drown Attack\" class=\"read-more\" href=\"https:\/\/www.qbytes.cloud\/index.php\/2016\/03\/02\/drown-attack\/\" aria-label=\"Read more about Drown Attack\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-3016","post","type-post","status-publish","format-standard","hentry","category-administration"],"_links":{"self":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/3016","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=3016"}],"version-history":[{"count":0,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/3016\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=3016"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=3016"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=3016"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}