Version with SSLv3 disabled by default
  •  
ASovijarvi

Is there a planned version of Kerio Connect that has SSLv3 disabled by default?
Also, are there instructions how to disable SSLv3 on Kerio products?
  •  
Pavel Dobry (Kerio)

In Kerio Connect 8.2.0 and higher, the following workaround can be applied:
1. Stop Kerio Connect server.
2. Edit the mailserver.cfg file and change "DisableTLSv1" configuration value to "1" and "DisableTLSv12InSMTPClient" to "0".
3. Start Kerio Connect server.

Please note that this option disables both SSL 3.0 and TLS 1.0 protocols. This may cause compatibility problems with email and groupware clients or internet browsers with no support for TLS 1.1 or TLS 1.2.

[Updated on: Wed, 15 October 2014 11:43]
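
One way to confirm the effect of the workaround above from a client machine, added here as an example (not code from Kerio or from the poster): offer each protocol version in a minimal ClientHello and classify the server's first reply. It assumes an implicit-TLS port such as 443 or 993 (no STARTTLS); the cipher list and the function names are constructed for this example.

```python
import os, socket, struct

# Protocol versions as they appear on the wire (major, minor).
VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
# Constructed list of common suites; enough for a version probe, not a cipher audit.
SUITES = [0xC02F, 0xC013, 0x009C, 0x002F, 0x0035, 0x000A]

def client_hello(version):
    """Build a minimal ClientHello record whose highest offered version is `version`."""
    ver = bytes(version)
    body = ver + os.urandom(32) + b"\x00"                    # version, random, empty session id
    body += struct.pack("!H", 2 * len(SUITES))
    body += b"".join(struct.pack("!H", s) for s in SUITES)
    body += b"\x01\x00"                                      # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16" + ver + struct.pack("!H", len(hs)) + hs   # record type 22 = handshake

def parse_reply(data):
    """Classify the first record of the server's reply."""
    if len(data) < 7:
        return ("refused", None)                             # closed without a TLS answer
    if data[0] == 0x15:                                      # alert: level, description
        return ("refused", data[6])                          # 70 = protocol_version
    if data[0] == 0x16 and data[5] == 0x02 and len(data) >= 11:
        return ("accepted", (data[9], data[10]))             # version the server chose
    return ("unknown", None)

def probe(host, port, timeout=5.0):
    """Return {name: (status, detail)}; opens one connection per protocol version."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(client_hello(version))
                results[name] = parse_reply(s.recv(4096))
        except OSError:
            results[name] = ("refused", None)
    return results

def workaround_effective(results):
    """True when SSL 3.0 and TLS 1.0 are refused and TLS 1.1/1.2 are still negotiated."""
    old_off = all(results[n][0] == "refused" for n in ("SSLv3", "TLSv1.0"))
    new_on = all(results[n] == ("accepted", VERSIONS[n]) for n in ("TLSv1.1", "TLSv1.2"))
    return old_off and new_on
```

Run `workaround_effective(probe(host, 993))` against your own server before and after changing the configuration value; a server that answers a TLS 1.1 offer with version (3, 1) still has TLS 1.0 enabled.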

  •  
Götz

Unfortunately a huge number of clients only support TLS 1.0, not 1.1 or 1.2. Therefore I hope there will be another solution for Kerio Connect that allows switching off just SSL v3.

Keywords: Poodle
  •  
Pavel Dobry (Kerio)

Poodle is not a problem. SSL 3.0 and TLS 1.0 are by design vulnerable to BEAST anyway. Switching to TLS 1.1 and 1.2 is the only protection against both vulnerabilities.
  •  
Grabsteinschubser

Don't turn off SSLv3 if your users use Outlook 2011 for Mac. They cannot connect to Kerio anymore (EWS).
  •  
Götz

Grabsteinschubser wrote on Wed, 15 October 2014 16:12
Don't turn off SSLv3 if your users use Outlook 2011 for Mac. They cannot connect to Kerio anymore (EWS).


Did you check that this is for sure because of SSL v3? If the workaround above switches off TLS 1.0 too, then it also could be because of that.

Many MS products don't support TLS 1.1 or 1.2 until manually switched on.

Regards
Götz
  •  
Grabsteinschubser

Sorry, my fault.

Don't turn off SSLv3/TLS1.0 if ...

Now it is right. I did not check what deprecated method Outlook for Mac is using.
  •  
graeme

Is the EWS part 100%? 1/8 out of clients have 2-3 Macs. If you disable it, can you change the setting locally?
  •  
Götz

Just to be sure: there will be no solution to switch off SSL v3? From all that I read, this problem with Poodle is different from BEAST, see ht t ps : //www.openssl.org/~bodo/ssl-poodle.pdf (I was not allowed to post links, so I had to destroy it - rather stupid rule, IMHO).

[Updated on: Thu, 16 October 2014 17:09]

  •  
Pavel Dobry (Kerio)

There will be such an option. Please note that disabling SSLv3 cuts off all clients and browsers with no TLS support (e.g. MS IE 6 etc.).
  •  
Götz

Pavel Dobry (Kerio) wrote on Thu, 16 October 2014 17:21
There will be such an option. Please note that disabling SSLv3 cuts off all clients and browsers with no TLS support (e.g. MS IE 6 etc.).


Thanks for pointing that out (explicit is better than implicit), but that's known and not a problem for us.
  •  
Julian

Pavel Dobry (Kerio) wrote on Thu, 16 October 2014 17:21
There will be such an option. Please note that disabling SSLv3 cuts off all clients and browsers with no TLS support (e.g. MS IE 6 etc.).

When is this expected?

We would like to disable SSL3 without killing TLS 1.0.
  •  
MacLab

Can anyone verify whether Mac Outlook 2011 using EWS needs SSLv3? If it is turned off is this going to be a problem?

MacLab, Inc.
Kerio Certified Partner, Reseller, Hosting Provider, Kerio Connect Certified.
http://maclaboratory.com
  •  
Grabsteinschubser

We are running Outlook 2011 with SSLv3 disabled in Kerio. I cannot notice any problem yet.