Chris,
When do you think you’ll have a fix for the Apple issue? Our helpdesk has been very busy…
Frank
From: surgemail-support [mailto:surgemail-support@netwinsite.com]
Sent: Wednesday, April 09, 2014 5:06 PM
To: surgemail-list@netwinsite.com
Subject: re: Re: [SurgeMail List] CVE-2014-0160 a.k.a. Heartbleed
Hmmm, I don't get the logic of 'turning off ssl2' to increase security, so then a client that can only use ssl2 has to use plain text, which is definitely not as secure as ssl2.... :-) But anyway, it's a bit academic as old clients that require ssl2 probably hardly exist anymore.
This setting will help with your score... (restart surgemail after changing)
G_SSL_DISABLE_SSLV2 "TRUE"
Once we have the new builds stable then an upgrade and some more settings will get you a higher rating. I suggest you wait until next week if you don't have an immediate problem.
ChrisP.
When I run:
https://www.ssllabs.com/ssltest/index.html
on my SurgeMail server it gets an F grade.
It is running on a Windows server box and only Surgemail uses port 443
or SSL.
SurgeMail Version 6.5a-1, Built Sep 9 2013 12:52:22, Platform Windows (Surgeweb Enabled)
In particular, the test notes that:
* This server is not vulnerable to the Heartbleed attack. (Yay!)
* This server supports SSL 2, which is obsolete and insecure. Grade set
to F. (Boo!)
* The server supports only older protocols, but not the current best TLS
1.2. Grade capped to B. (Boo!)
Is there any way to harden SurgeMail to raise these ratings? A
Surgemail.ini setting or two? Or does it need a new build?
Thanks
Neil
--
Neil Herber