Is Rebex Secure Mail affected by the "Poodle' vulnerability

+1 vote
asked Oct 22, 2014 by happer (150 points)
edited Jan 7, 2015

Just curious if the Rebex Secure Mail affected by the "Poodle' vulnerability or not?

1 Answer

0 votes
answered Oct 22, 2014 by Tomas Knopp (58,580 points)
edited Oct 23, 2014

Update: We have published a blog post discussing POODLE attack.

POODLE attack is a vulnerability in the legacy SSL 3.0 protocol. All implementations of SSL 3.0 that use ciphers in CBC mode are affected. SSL 3.0 is supported by Rebex FTP/SSL, Rebex Secure Mail (namely IMAP/SSL, POP3/SSL and SMTP/SSL) as well as TlsSocket object, so all of these are potentially vulnerable if SSL 3.0 is used.

Fortunately, newer versions of the SSL protocol are not affected (this means TLS 1.0 or later – confusingly, TLS 1.0 is what was originally supposed to be called SSL 3.1). Also, Rebex components are immune to protocol downgrade attacks, which means that if your server supports TLS 1.0, your applications based on Rebex components are immune to POODLE unless you explicitly disabled TLS 1.0 in the client (or the server). In any case, we recommend disabling SSL 3.0 support in Rebex client components unless you need to connect to legacy servers that only support SSL 3.0.

We have prepared a hotfix build (number 5409) that disables the SSL 3.0 support by default in all affected components. Here is a link to the free trial version of the hotfix. If you are registered customer of Rebex, please contact us via email to get the full version of the hotfix.

For customers who, for some reason, want to stay with an old version of Rebex components, they can disable SSL 3.0 easily themselves:

   var ftp = new Ftp();
   ftp.Settings.SslAllowedVersions = TlsVersion.TLS10 | TlsVersion.TLS11; // do NOT specify TlsVersion.SSL30

(Use equivalent code for other components)

With the hotfix or using the code above it will be impossible to connect to servers that only support SSL 3.0 (or earlier), but there should not be many of those around. TLS 1.0 has been published more than 15 years ago and is widely supported now.

The hotfix will be part of the next release of Rebex components.

...