On Thu, Mar 03, 2016 at 11:19:13AM +0100, Johann Klasek wrote:
> On Wed, Mar 02, 2016 at 06:01:33PM -0800, Franck Martin via mailop wrote:
> > On Wed, Mar 2, 2016 at 5:29 PM, Brandon Long <bl...@google.com> wrote:
> > >
> > > I thought that POODLE required a specific type of fallback that tended to
> > > be browser specific (ie, prevent a tls connection, forcing the browser to
> > > fall back to a ssl3 connection), do any smtp servers actually do that?
> > >
> > Re-negotiation is part of SSL/TLS I believe, so once STARTTLS is initiated,
> > I believe you can create the right conditions to fall back to SSLv3.
>
> I have observed (maybe commonly known) that even with SSLv2 disabled
> (OpenSSL) by appropriate cipherlist settings it is possible to force a fall back
> to weak SSLv2/SSLv3 ciphers. This holds for OpenSSL before 0.9.8zc (where the
> downgrade vulnerability has been fixed), see also for 1.x:
>
> OpenSSL 1.0.1 has TLS_FALLBACK_SCSV in 1.0.1j and higher.
> OpenSSL 1.0.0 has TLS_FALLBACK_SCSV in 1.0.0o and higher.
Indeed, the DROWN attack paper documents this:
https://drownattack.com/drown-attack-paper.pdf

"Unfortunately, during our experiments we discovered that OpenSSL servers do not
respect the cipher suites advertised in the ServerHello message. That is, the
client can select an arbitrary cipher suite in the ClientMasterKey message and
force the use of export cipher suites even if they are explicitly disabled in
the server configuration. The SSLv2 protocol itself was still enabled by default
in the OpenSSL standalone server for the most recent OpenSSL versions prior to
our disclosure."

And there is some mail software in current use that has to be compiled against
a just-released OpenSSL library to fix them for real.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
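The thread above touches two server-side defences: the TLS_FALLBACK_SCSV signal (RFC 7507) that lets a server refuse a downgraded retry, and the requirement, which the DROWN paper found OpenSSL's SSLv2 code did not meet, that a server only ever negotiates a cipher suite it has actually enabled. The following Python is an added illustration written for this page, not code from OpenSSL or from any of the posters; it parses a constructed ClientHello body and applies both checks. The server preference list, the sample suites and the zeroed client random are assumptions made for the demo.

```python
import struct

# Constants from RFC 7507 (TLS Fallback SCSV) and RFC 5246 (alert codes).
TLS_FALLBACK_SCSV = 0x5600          # the signalling "cipher suite" {0x56, 0x00}
ALERT_INAPPROPRIATE_FALLBACK = 86   # alert description sent when a downgrade is refused
SSL3 = 0x0300
TLS1_0, TLS1_1, TLS1_2 = 0x0301, 0x0302, 0x0303


def parse_client_hello(body: bytes):
    """Parse a ClientHello handshake body (after the 4-byte handshake header).

    Returns (client_version, [cipher suite codes]). Extensions are ignored
    because the fallback check only needs the version and the suite list.
    """
    if len(body) < 2 + 32 + 1:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                       # skip the 32-byte client random
    sid_len = body[pos]
    pos += 1 + sid_len                 # skip session_id
    if len(body) < pos + 2:
        raise ValueError("truncated cipher_suites length")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or len(body) < pos + cs_len:
        raise ValueError("bad cipher_suites vector")
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return client_version, suites


def check_fallback(client_version: int, suites, server_max_version: int):
    """RFC 7507 section 3: if the client signals a fallback (SCSV present) but
    offers a version below the highest the server supports, the server MUST
    refuse with inappropriate_fallback. Returns the alert code or None."""
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None


def select_cipher(offered, server_enabled):
    """Pick the first suite in the server's own preference order that the client
    offered. The SCSV is never negotiated, and a suite the server has not
    enabled is never chosen no matter what the client asks for (the property
    the DROWN paper found missing in OpenSSL's SSLv2 ClientMasterKey handling)."""
    for suite in server_enabled:
        if suite != TLS_FALLBACK_SCSV and suite in offered:
            return suite
    raise ValueError("no shared cipher suite")


def build_client_hello(version: int, suites, session_id: bytes = b"") -> bytes:
    """Constructed sample ClientHello body for the demo (zeroed random,
    null compression only, no extensions)."""
    body = struct.pack("!H", version) + bytes(32)
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                # one compression method: null
    return body


SERVER_MAX = TLS1_2
# Assumed server preference order; deliberately contains no export suites.
SERVER_ENABLED = [0xC02F, 0x009C, 0x002F]


def handle_client_hello(body: bytes):
    """Server-side decision: ("alert", code) on a refused fallback,
    otherwise ("cipher", suite)."""
    version, suites = parse_client_hello(body)
    alert = check_fallback(version, suites, SERVER_MAX)
    if alert is not None:
        return ("alert", alert)
    return ("cipher", select_cipher(suites, SERVER_ENABLED))


if __name__ == "__main__":
    # A client retrying at SSLv3 after a failed TLS 1.2 attempt: refused.
    print(handle_client_hello(build_client_hello(SSL3, [0x002F, TLS_FALLBACK_SCSV])))
    # A genuinely old TLS 1.0 client without the SCSV: served normally.
    print(handle_client_hello(build_client_hello(TLS1_0, [0x002F])))
    # A client offering only an export suite the server never enabled: rejected.
    try:
        handle_client_hello(build_client_hello(TLS1_2, [0x0003]))
    except ValueError as exc:
        print("handshake failure:", exc)
```

Note that the SCSV is only meaningful when it appears in the suite list together with a version lower than the server's maximum; a client whose best version is the server's maximum may include it harmlessly, which is why the last branch of `check_fallback` returns None rather than treating the signal alone as an error.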