The MX servers responsible for @gentoo.org allow connections with SSLv2. Also there is an HTTPS server allowing SSLv2 on 140.211.166.183. This makes Gentoo vulnerable to the DROWN attack. The important thing with DROWN is that it even allows attacking unrelated other services as long as they share the certificate and private key. Please disable SSLv2 everywhere. (And it's probably best to disable SSLv3 as well, although it's not yet as completely broken and dangerous as SSLv2.) See: https://test.drownattack.com/?site=gentoo.org
I disabled it on the mail server at least.
Configuration side is resolved now.

Certificates that need rotating:
dev.gentoo.org SMTP / Postfix
dev.gentoo.org IMAP / Dovecot [1]
dev.gentoo.org HTTPS / Apache [non-cfengine box, done now, was missing some other updates]
lists.gentoo.org SMTP / Postfix
finch.gentoo.org SMTP / Postfix [2]

[1] You didn't include the IMAP server in your list, but it was also affected.
[2] Not in your list, but also affected.
[3] non-cfengine box, done now, was missing some other updates
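For reference, the settings that turn off SSLv2 (and, as the report suggests, SSLv3) in the three daemons named above. This is an added example, not configuration taken from this bug or from Gentoo infrastructure; it assumes Postfix 2.6 or later, Dovecot 2.x before 2.3 (which replaced ssl_protocols with ssl_min_protocol), and Apache httpd with mod_ssl. The file paths in the comments are the usual defaults and are assumptions.

```conf
# --- Postfix (main.cf) ---
# Server side: both opportunistic and mandatory TLS listeners.
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
# Client side: outbound delivery, so this host does not speak SSLv2 either.
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3

# --- Dovecot (conf.d/10-ssl.conf, Dovecot 2.0 - 2.2) ---
# Exclude the broken protocol versions; everything else stays enabled.
ssl_protocols = !SSLv2 !SSLv3

# --- Apache httpd / mod_ssl (ssl.conf or the vhost) ---
# Applies to every SSL virtual host unless overridden per vhost.
SSLProtocol all -SSLv2 -SSLv3
```

After reloading each service, confirm the change from the outside rather than trusting the file: the DROWN test site linked in comment 0 checks the MX and HTTPS hosts, and it also reports other hosts that share the same certificate, which is the case DROWN makes dangerous even when the SSLv2 listener and the service you care about are different machines.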
There isn't really a need to rotate certificates. The attack only allows decrypting recorded TLS traffic, but it does not allow to compromise certificates.
(In reply to Hanno Boeck from comment #3)
> There isn't really a need to rotate certificates. The attack only allows
> decrypting recorded TLS traffic, but it does not allow to compromise
> certificates.

The SMTP+IMAP certs are also expired ;-), and the dev.g.o HTTPS one needs a reissue for a SHA1 intermediate.
All rekeys completed.