IPFire 2.15 – Core Update 84 was released only yesterday, but the current run of security issues does not give us even a short moment to breathe. The next Core Update has already been uploaded to the testing tree, and we are going to release it as quickly as possible because it comes with even more security fixes, this time for the recently discovered SSL issue known as POODLE.
POODLE (CVE-2014-3566)
As there is no fix for POODLE, the OpenSSL developers applied a workaround called “Signaling Cipher Suite Value” (SCSV) that prevents protocol downgrade attacks (the downgrade dance) on the TLS protocol. More information about this mechanism can be found in the IETF draft and more about POODLE can be found in the POODLE whitepaper.
As a precaution, we disabled SSL 3.0 for the web administration interface. Accessing it will require a recent browser and operating system that can use TLS 1.0 or a more recent version. We already have some experience with this: our web and mail servers have not allowed SSL 3.0 for a couple of weeks, and there have been absolutely no reports from people who are unable to access our websites.
We are checking whether it is feasible to remove support for SSL 3.0 entirely in one of the next releases.
As always, please install this testing release and send us feedback, both positive and negative.