How to Apply a Workaround for the OpenSSL CVE-2016-2107 Vulnerability

About OpenSSL CVE-2016-2107

You can test if your system is vulnerable using the online tool available at: https://filippo.io/CVE-2016-2107/

The information about the OpenSSL CVE-2016-2107 vulnerability is available at the link: https://www.openssl.org/news/secadv/20160503.txt

Also, a detailed presentation is available at: https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/ from which we quote the paragraph below:

"when the connection uses AES-CBC (for example because the server or the client don’t support TLS 1.2 yet) and the server’s processor supports AES-NI, a skilled MitM attacker can recover at least 16 bytes of anything it can get the client to send repeatedly just before attacker-controlled data (like HTTP Cookies, using JavaScript cross-origin requests)."

Our recommendation is to use exclusively TLS1.1 and TLS1.2 at least for the Webmail, IMAP and POP3 listeners.

How to disable AES-NI

The workaround disables the AES-NI support from the OpenSSL library used by Axigen by exporting to the environment the OPENSSL_ia32cap variable with the value indicated below:

This line need be added to the Axigen's init script, as below:

• on RPM based Linux distributions add the line to the end of the file:
  /etc/sysconfig/axigen
• on DEB based Linux distributions, add the line to the end of the file: /etc/default/axigen
• on FreeBSD systems, add the line to the file: /usr/local/etc/rc.d/axigen.sh under the other global variables: #!/bin/sh
  # AXIGEN rcscript for BSD systems
  # Copyright (c) since 2005, Axigen Messaging
  
  # For any feedback, please contact:
  # "AXIGEN Team" <team@axigen.com>
  
  AXIGEN_BIN_DIR="/usr/local/axigen/bin"
  AXIGEN_DATA_DIR="/var/axigen"
  AXIGEN_ETC_DIR="/usr/local/axigen/etc"
  AXIGEN_DAEMON_BIN="${AXIGEN_BIN_DIR}/axigen"
  AXIGEN_PID_FILE="${AXIGEN_DATA_DIR}/run/axigen.pid"
  AXIGEN_DAEMON_OPT=""
  AXIGEN_SSL_CERT=${AXIGEN_DATA_DIR}/axigen_cert.pem
  AXIGEN_SSL_DH=${AXIGEN_DATA_DIR}/axigen_dh.pem
  
  export OPENSSL_ia32cap="~0x200000200000000"
  
• on Solaris systems, add the line to the file: /etc/init.d/axigen under the other global variables: #!/bin/sh
  # AXIGEN rcscript for SunOS (Solaris) systems
  # Copyright (c) since 2005, Axigen Messaging
  # For any feedback, please contact:
  # "AXIGEN Team" <team@axigen.com>
  
  AXIGEN_BIN_DIR="/opt/axigen/bin"
  AXIGEN_DATA_DIR="/var/opt/axigen"
  AXIGEN_ETC_DIR="/etc/opt/axigen"
  AXIGEN_DAEMON_BIN="${AXIGEN_BIN_DIR}/axigen"
  AXIGEN_PID_FILE="${AXIGEN_DATA_DIR}/run/axigen.pid"
  AXIGEN_DAEMON_OPT=""
  AXIGEN_SSL_CERT=${AXIGEN_DATA_DIR}/axigen_cert.pem
  AXIGEN_SSL_DH=${AXIGEN_DATA_DIR}/axigen_dh.pem
  
  export OPENSSL_ia32cap="~0x200000200000000"
  
• on Windows systems, set the system environment variable OPENSSL_ia32cap with the value: ~0x200000200000000 from the Environment Variables dialog (System variables) on the Advanced tab of the System Properties.
  
  You can check that the variable was set as below: C:temp>echo %OPENSSL_ia32cap%
  ~0x200000200000000