Solution
About OpenSSL CVE-2016-2107
You can test whether your system is vulnerable using the online tool available at: https://filippo.io/CVE-2016-2107/
The information about the OpenSSL CVE-2016-2107 vulnerability is available at the link: https://www.openssl.org/news/secadv/20160503.txt
Also, a detailed presentation is available at: https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/ from which we quote the paragraph below:
"when the connection uses AES-CBC (for example because the server or the client don’t support TLS 1.2 yet) and the server’s processor supports AES-NI, a skilled MitM attacker can recover at least 16 bytes of anything it can get the client to send repeatedly just before attacker-controlled data (like HTTP Cookies, using JavaScript cross-origin requests)."
Our recommendation is to use exclusively TLS 1.1 and TLS 1.2, at least for the Webmail, IMAP and POP3 listeners.
How to disable AES-NI
The workaround disables AES-NI support in the OpenSSL library used by Axigen by exporting the OPENSSL_ia32cap environment variable with the value indicated below:
export OPENSSL_ia32cap="~0x200000200000000"
This line needs to be added to Axigen's init script, as below:
- on RPM based Linux distributions, add the line to the end of the file:
/etc/sysconfig/axigen
- on DEB based Linux distributions, add the line to the end of the file:
/etc/default/axigen
- on FreeBSD systems, add the line to the file:
/usr/local/etc/rc.d/axigen.sh
under the other global variables:
#!/bin/sh
# AXIGEN rcscript for BSD systems
# Copyright (c) since 2005, Axigen Messaging
# For any feedback, please contact:
# "AXIGEN Team" <team@axigen.com>
AXIGEN_BIN_DIR="/usr/local/axigen/bin"
AXIGEN_DATA_DIR="/var/axigen"
AXIGEN_ETC_DIR="/usr/local/axigen/etc"
AXIGEN_DAEMON_BIN="${AXIGEN_BIN_DIR}/axigen"
AXIGEN_PID_FILE="${AXIGEN_DATA_DIR}/run/axigen.pid"
AXIGEN_DAEMON_OPT=""
AXIGEN_SSL_CERT=${AXIGEN_DATA_DIR}/axigen_cert.pem
AXIGEN_SSL_DH=${AXIGEN_DATA_DIR}/axigen_dh.pem
export OPENSSL_ia32cap="~0x200000200000000"
- on Solaris systems, add the line to the file:
/etc/init.d/axigen
under the other global variables:
#!/bin/sh
# AXIGEN rcscript for SunOS (Solaris) systems
# Copyright (c) since 2005, Axigen Messaging
# For any feedback, please contact:
# "AXIGEN Team" <team@axigen.com>
AXIGEN_BIN_DIR="/opt/axigen/bin"
AXIGEN_DATA_DIR="/var/opt/axigen"
AXIGEN_ETC_DIR="/etc/opt/axigen"
AXIGEN_DAEMON_BIN="${AXIGEN_BIN_DIR}/axigen"
AXIGEN_PID_FILE="${AXIGEN_DATA_DIR}/run/axigen.pid"
AXIGEN_DAEMON_OPT=""
AXIGEN_SSL_CERT=${AXIGEN_DATA_DIR}/axigen_cert.pem
AXIGEN_SSL_DH=${AXIGEN_DATA_DIR}/axigen_dh.pem
export OPENSSL_ia32cap="~0x200000200000000"
- on Windows systems, set the system environment variable OPENSSL_ia32cap with the value:
~0x200000200000000
from the Environment Variables dialog (System variables) on the Advanced tab of the System Properties.
You can check that the variable was set as below:
C:\temp>echo %OPENSSL_ia32cap%
~0x200000200000000
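As an added example (not part of the Axigen article), a POSIX shell helper that appends the export line from this workaround to the chosen init or defaults file only once, keeps a backup of the file first, and, on Linux, confirms that a restarted daemon actually received the variable by reading /proc/<pid>/environ. The init-file and pid-file paths are passed as arguments; the ".bak" backup suffix is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the Axigen article: apply and verify the
# CVE-2016-2107 AES-NI workaround (OPENSSL_ia32cap export) idempotently.
# Usage:  add_aesni_workaround /etc/sysconfig/axigen   (RPM based)
#         add_aesni_workaround /etc/default/axigen     (DEB based)
#         check_running_axigen /path/to/run/axigen.pid (Linux, after restart)

OPENSSL_IA32CAP_LINE='export OPENSSL_ia32cap="~0x200000200000000"'

# Returns 0 if the file already contains the exact export line, 1 otherwise.
has_aesni_workaround() {
    grep -Fqx "$OPENSSL_IA32CAP_LINE" "$1" 2>/dev/null
}

# Appends the export line unless it is already present, so re-running the
# helper never duplicates it. Returns 0 on success, 1 on write failure.
add_aesni_workaround() {
    file="$1"
    [ -n "$file" ] || { echo "usage: add_aesni_workaround <init-file>" >&2; return 2; }
    if has_aesni_workaround "$file"; then
        echo "$file: workaround already present"
        return 0
    fi
    # Back up the init file before modifying it (assumption: .bak is unused).
    [ -f "$file" ] && cp "$file" "$file.bak"
    printf '\n# CVE-2016-2107 workaround: disable AES-NI (and PCLMULQDQ) in OpenSSL\n%s\n' \
        "$OPENSSL_IA32CAP_LINE" >> "$file" || return 1
    echo "$file: workaround added (backup in $file.bak)"
}

# Linux only: after restarting Axigen, verify that the daemon's environment
# really carries the value (the shell quotes are not part of the value).
# Returns 0 if present, 1 if the pid file is missing or the value is absent.
check_running_axigen() {
    pidfile="$1"
    pid=$(cat "$pidfile" 2>/dev/null) || { echo "no pid file: $pidfile" >&2; return 1; }
    tr '\0' '\n' < "/proc/$pid/environ" 2>/dev/null \
        | grep -Fqx 'OPENSSL_ia32cap=~0x200000200000000'
}
```

A restart of Axigen is still required after editing the file; check_running_axigen only confirms the result once the daemon has been restarted.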