Home » Kerio User Forums » Kerio Connect » Beast Vulnerability
  •  
jiunnyik

Messages: 36
Karma: 0
Hi,

There is a BEAST vulnerability warning when I run an SSL check on Kerio 9.0.2.

Any idea to solve this?

Thank you.
  •  
Carsten Maas (Kerio)

Messages: 247
Karma: 27
I just checked my own Connect (9.0.2 installed on CentOS 6) with the ssllabs page (https://www.ssllabs.com/ssltest/index.html) and got an A rating.

What kind of OS are you using? Are the SSL libs of the OS up-to-date?

Carsten Maas
Senior Technical Marketing Engineer
Kerio Technologies

Kerio Deutschland YouTube channel
http://www.youtube.com/KerioDeutschland
  •  
Carsten Maas (Kerio)

Messages: 247
Karma: 27
Also check the following page for update instructions, if you are using Linux:
http://bit.ly/20AA0co

Carsten Maas
Senior Technical Marketing Engineer
Kerio Technologies

Kerio Deutschland YouTube channel
http://www.youtube.com/KerioDeutschland
  •  
jiunnyik

Messages: 36
Karma: 0
I'm running on CentOS 6, and the OS is updated.

I have A-rating with ssllabs as well.

The result at ssllabs shows the BEAST vulnerability is not mitigated.

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO9557&actp=LIST

GeoTrust's result is different.
  •  
Lukas Petrlik (Kerio)

Messages: 117
Karma: 7
jiunnyik wrote on Wed, 13 April 2016 08:32
There is beast vulnerability warning when I run ssl check on Kerio 9.0.2.
Kerio Connect 9.0.2 is not vulnerable to BEAST. Could you please point me to the SSL test that reports it?

BTW, Kerio Connect does not use system-wide OpenSSL libraries - it uses a patched version installed by its installer instead.
  •  
Lukas Petrlik (Kerio)

Messages: 117
Karma: 7
I see what they mean, and it deserves an explanation. BEAST is a browser-side vulnerability that cannot be exploited in current browsers (see e.g. this article published on the Qualys blog). Historically most servers attempted to mitigate the problem by prioritizing SSL/TLS ciphersets based on the RC4 stream cipher - but it was later found that the RC4 cipher is weaker than it was previously thought.

In other words: The consensus is that BEAST is not a threat anymore. Attempts to placate vulnerability tests by enabling RC4 would make your servers less secure.
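The trade-off Lukas describes can be made concrete with a small audit of a server's cipher-suite preference list. The following is an added example, not Kerio's code or output from any scanner: it takes a constructed list of (protocol, OpenSSL-style cipher name) pairs in server preference order, shows what a BEAST-focused scanner would conclude from the first TLS 1.0 suite, and separately flags RC4 as the more serious finding. The protocol labels and suite names are constructed sample input; a real list would come from a TLS scan of your own server.

```python
"""Audit a server's cipher preference list for BEAST exposure versus RC4 use.

Added example (not Kerio's code). Background facts used here:
  * BEAST affects CBC-mode suites on SSLv3/TLS 1.0 only; TLS 1.1+ use an
    explicit per-record IV, and modern browsers apply 1/n-1 record splitting,
    so the remaining risk is client-side and low.
  * RC4 is prohibited for TLS by RFC 7465 because of keystream biases, so
    preferring it to "mitigate" BEAST makes the server weaker overall.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Protocol versions on which CBC suites are exposed to BEAST.
BEAST_PROTOCOLS = {"SSLv3", "TLSv1"}

# Tokens in OpenSSL names that mark non-CBC (AEAD, stream, or null) suites.
# OpenSSL does not spell out "CBC" for AES suites (e.g. AES128-SHA), only for
# 3DES (DES-CBC3-SHA), so CBC is detected by the absence of these tokens.
NON_CBC_TOKENS = ("GCM", "CCM", "CHACHA20", "RC4", "NULL")


@dataclass(frozen=True)
class Finding:
    protocol: str
    suite: str
    rc4: bool
    beast_cbc: bool


def is_rc4(suite: str) -> bool:
    return "RC4" in suite.upper()


def is_cbc(suite: str) -> bool:
    u = suite.upper()
    return not any(tok in u for tok in NON_CBC_TOKENS)


def scanner_beast_status(prefs: List[Tuple[str, str]]) -> str:
    """Emulate the coarse BEAST check of older TLS scanners: look only at the
    server's first-preferred suite on a BEAST-affected protocol."""
    for proto, suite in prefs:
        if proto in BEAST_PROTOCOLS:
            return "not mitigated" if is_cbc(suite) else "mitigated"
    return "not applicable"  # no SSLv3/TLS 1.0 offered at all


def audit(prefs: List[Tuple[str, str]]) -> Dict[str, object]:
    """Return RC4 suites, BEAST-exposed CBC suites, and a verdict code."""
    findings = [
        Finding(p, s, is_rc4(s), p in BEAST_PROTOCOLS and is_cbc(s))
        for p, s in prefs
    ]
    rc4 = [f.suite for f in findings if f.rc4]
    beast_cbc = [f.suite for f in findings if f.beast_cbc]
    if rc4:
        verdict = "REMOVE_RC4"            # broken cipher; outweighs BEAST
    elif beast_cbc:
        verdict = "BEAST_CLIENT_SIDE_ONLY"  # scanner flag, low residual risk
    else:
        verdict = "OK"
    return {"rc4": rc4, "beast_cbc": beast_cbc, "verdict": verdict}


# Constructed sample preference lists (server order, most preferred first).
PLACATED = [  # RC4 pushed first on TLS 1.0 to silence the BEAST test
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1", "RC4-SHA"),
    ("TLSv1", "AES128-SHA"),
]
SANE = [  # CBC on TLS 1.0 kept for old clients, no RC4 anywhere
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.2", "ECDHE-RSA-AES256-SHA384"),
    ("TLSv1", "ECDHE-RSA-AES128-SHA"),
]
MODERN = [  # TLS 1.2 AEAD only
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.2", "ECDHE-RSA-CHACHA20-POLY1305"),
]

if __name__ == "__main__":
    for name, prefs in (("placated", PLACATED), ("sane", SANE), ("modern", MODERN)):
        print(name, "| scanner BEAST:", scanner_beast_status(prefs),
              "| audit:", audit(prefs)["verdict"])
```

Running it shows the inversion Lukas points out: the "placated" list is the only one a BEAST-focused scanner reports as mitigated, and it is also the only one the audit flags as needing action, because the RC4 suite is the real weakness.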
  •  
jiunnyik

Messages: 36
Karma: 0
Lukas,

Thank you for your explanation.

I have much more to learn on this.