NGINX and pureFTPd configurations do not disable SSLv2 and SSLv3 in v 3.0.5.4p5

Discussion in 'Installation/Configuration' started by cbj4074, Nov 13, 2014.

  1. cbj4074

    cbj4074 Member

    Hello!

    I noticed that in ISPConfig 3.0.5.4p5, the configuration changes required to mitigate the POODLE attack (see: http://www.howtoforge.com/how-to-secure-your-ispconfig-3-server-against-the-poodle-ssl-attack ) have been made for Dovecot and Postfix, but not for NGINX and pureFTPd.

    Is there a reason for which the configuration changes recommended in the above-cited article for NGINX and pureFTPd have not been integrated into the default ISPConfig templates in 3.0.5.4p5?

    In particular, I expected /etc/nginx/nginx.conf to contain the following:

    Code:
    http {
    	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
    and /usr/sbin/pure-ftpd-wrapper to contain the following:

    Code:
    'TLSCipherSuite' => ['-J %s', \&parse_string],
    
    as recommended in the tutorial.

    P.S. I can't speak to Courier or Dovecot < 2.1, as I have not checked those templates.
     
    Last edited: Nov 13, 2014
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The /usr/sbin/pure-ftpd-wrapper is not a config file and it's not from ISPConfig. This patch has to be included by the Debian devs that maintain this package.

    SSLv3 is disabled in nginx in ISPConfig 3.0.5.4p5, this is handled on the vhost level and therefore part of the vhost files and not in nginx.conf. The change in nginx.conf is only required for ISPConfig versions < 3.0.5.4p5.
     
  3. cbj4074

    cbj4074 Member

    Great; thank you for clarifying both points. Much appreciated, Till.
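
To verify what till describes (the protocol list living in the vhost files rather than in nginx.conf), this added example, which is not part of the thread and not ISPConfig code, walks an nginx configuration and reports the effective ssl_protocols for each TLS server block, with a server-level directive taking precedence over an http-level one. The sample configuration and host names are constructed, and the parser assumes no '#' characters inside directive values.

```python
import re

WEAK = {"SSLv2", "SSLv3"}

def audit(conf):
    """Return (server_name, effective ssl_protocols or None, verdict) per TLS server."""
    conf = re.sub(r"#[^\n]*", "", conf)  # strip comments (assumes no '#' inside values)
    stack, stmt, servers, http_protos = [], [], [], None
    for tok in re.findall(r"[{};]|[^\s{};]+", conf):
        if tok not in ("{", "}", ";"):
            stmt.append(tok)             # still collecting the words of one statement
            continue
        if tok == "{":                   # block opens: remember its name as context
            stack.append(stmt[0] if stmt else "")
            if stack[-1] == "server":
                servers.append({"name": "_", "tls": False, "protos": None})
        elif tok == "}" and stack:
            stack.pop()
        elif tok == ";" and stmt:        # a complete directive
            name, args, ctx = stmt[0], stmt[1:], (stack[-1] if stack else "main")
            if name == "ssl_protocols" and ctx == "http":
                http_protos = args
            elif ctx == "server":
                srv = servers[-1]
                if name == "ssl_protocols":
                    srv["protos"] = args
                elif name == "server_name" and args:
                    srv["name"] = args[0]
                elif (name == "listen" and "ssl" in args) or (name, args) == ("ssl", ["on"]):
                    srv["tls"] = True
        stmt = []
    report = []
    for srv in servers:
        if not srv["tls"]:
            continue                     # plain-HTTP vhosts are out of scope
        eff = srv["protos"] if srv["protos"] is not None else http_protos
        verdict = "UNSET" if eff is None else ("WEAK" if WEAK & set(eff) else "OK")
        report.append((srv["name"], eff, verdict))
    return report

# Constructed sample: no ssl_protocols at http level, vhosts differ.
SAMPLE = """
http {
    server { listen 443 ssl; server_name a.example; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }
    server { listen 443 ssl; server_name b.example; ssl_protocols SSLv3 TLSv1; location / { root /var/www; } }
    server { listen 443 ssl; server_name c.example; }   # relies on the build default
    server { listen 80; server_name d.example; }
}
"""
if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

A vhost reported as UNSET sets nothing at either level and falls back to whatever default the installed nginx build uses, so it needs checking against that version.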
     
