POODLE and SSL

After the POODLE SSL vulnerability was discovered, many people started looking through their servers for things that needed updates. One of the more unfortunate findings concerns CentOS and RHEL 5 instances that use Exim. The options that allow you to disable SSLv3 are directly tied to a build of Exim that doesn’t exist in the base channels. While it’s possible to compile those in, or to install from a source that includes them, it’s a better idea to upgrade the OS to EL6, or to switch to Postfix, which does have options.

To see which options are available on an EL6 instance:


If you run the same command on an EL5 instance, you will get:

This means that OpenSSL has no cipher list available, and unless you can disable SSLv3 directly as an option, limiting it via ciphers won’t work.

There are a lot of guides on the internet that reference openssl_options, but that option isn’t available in the base Exim.

Usually I’d leave this note with a workaround or guide, but in this case I just hope to save anyone the confusion of trying to figure out what is going on.
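
For the Postfix route mentioned above, this is what disabling SSLv3 by protocol rather than by cipher looks like. It is an added example, not configuration from the original post, and it assumes Postfix 2.6 or later with the stock /etc/postfix/main.cf path.

```conf
# /etc/postfix/main.cf
# Assumption: Postfix 2.6 or later. Older releases do not understand the
# "!" exclusion syntax or the non-mandatory *_tls_protocols parameters.

# Inbound SMTP server: refuse SSLv2/SSLv3 when STARTTLS is opportunistic
smtpd_tls_protocols = !SSLv2, !SSLv3
# Inbound SMTP server: same restriction when TLS is enforced
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

# Outbound SMTP client: do not offer SSLv2/SSLv3 to remote servers
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3

# After editing, list the active values and reload:
#   postconf -n | grep 'tls.*protocols'
#   postfix reload
```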