SSLv3 Vulnerability: http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

Mod Edit: Updated Response to Customers posted.
I received an email from HostingSecList today:

> SSL v3
> Rumoured Vulnerability
> According to The Register, a serious vulnerability in SSL v3 will be disclosed tomorrow on October 15th. Some people are recommending disabling SSL v3 in various daemons until further notice.
> Ongoing Discussion via WHT: New SSL Vulnerability? - Vulnerabilities - Web Hosting Talk (http://www.webhostingtalk.com/showthread.php?t=1420329)
> More information will be sent out via HSL once the vulnerability is released tomorrow and we urge everyone to stay alert and be ready to patch whatever necessary.

I thought I'd start up a thread here on cPanel, in case this turns into something we need to act upon. - Scott
It's now disclosed: Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback (http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html)
Proposed Fix (after investigating several sources)
========

SSLv3 gets disabled by adding this to WHM > Service Configuration > Apache Configuration > Include Editor > Pre Main Include Code:

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+
SSLHonorCipherOrder on

This will work with Apache and also LiteSpeed, if you have this installed on your server.

Update: Indications are that if running LiteSpeed, the latest version needs to be applied, 4.2.17 or newer.

Tests: Test your web server for SSLv2 (http://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm)
This will break Internet Explorer v6 clients from connecting via SSL (not that I'm complaining about making IE6 users go away!). Just making sure everyone is aware of that.

Google is not suggesting that we disable SSLv3 completely just yet:

> Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

and on another site, they write:

> As a server operator, it is possible to stop this attack by disabling SSLv3, or by disabling CBC-mode ciphers in SSLv3. However, the compatibility impact of this is unclear. Certainly, disabling SSLv3 completely is likely to break IE6. Some sites will be happy doing that, some will not.

Again, just making sure everyone is on the same page with regards to disabling SSLv3 via the suggested methods. - Scott
We are talking about Apache and port 443. What about ports 2083, 2087 and 2093? Can somebody confirm that they are also affected?
> We are talking about Apache and port 443. What about ports 2083, 2087 and 2093? Can somebody confirm that they are also affected?

Yes they are - and any SSL used by FTP, and Exim (465 and 587). Each of those comes with settings you can use to change the SSLCipherSuite, but I can't see (documented) any way to change the SSLProtocol value for those processes.
> Yes they are - and any SSL used by FTP, and Exim (465 and 587). Each of those comes with settings you can use to change the SSLCipherSuite, but I can't see (documented) any way to change the SSLProtocol value for those processes.

There is a rumour that Firefox does not support TLS on any port that is not 443; any confirmation of that? Yes, I also think that that guy has some misconfiguration (why thread) and yes, it needs to be tested first.
I found a few tools to test ciphers / protocols on all ports: Is there a tool that can test what SSL/TLS cipher suites a particular website offers? - Super User (http://superuser.com/questions/109213/is-there-a-tool-that-can-test-what-ssl-tls-cipher-suites-a-particular-website-of)
Here is a much simpler tester, as suggested by jamesoakley on some other forum.

This one SHOULD NOT work:

echo -n | openssl s_client -ssl3 -connect fqdn.server.com:port

This one MUST work:

echo -n | openssl s_client -tls1 -connect fqdn.server.com:port
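The two one-liners above cover one port at a time and leave the reader to interpret the s_client output. The script below is an added example (not from this thread or from cPanel) that runs the same probes across the ports this thread discusses and classifies the result; it assumes a local `openssl` binary and a host name you pass in, and `fqdn.server.com` and the port list are placeholders. Two caveats it handles: port 587 is STARTTLS, so it needs `-starttls smtp` rather than the plain `-connect` form; and a modern `openssl` built without SSLv3 (or with TLS 1.0 disabled in openssl.cnf) cannot offer the protocol at all, which must be reported as "client-unsupported" rather than mistaken for a hardened server. It also runs a `-fallback_scsv` probe, which a server that honours TLS_FALLBACK_SCSV answers with an inappropriate_fallback alert.

```shell
#!/bin/sh
# Added example: probe one host's TLS ports for SSLv3 acceptance across the
# ports discussed in this thread, classifying s_client's result instead of
# reading it by eye. Host and ports are supplied by the caller.

# classify_probe OUTPUT
# Turns s_client's combined stdout/stderr into one word:
#   client-unsupported  local openssl cannot offer the protocol (e.g. built
#                       without SSLv3), so the probe proves nothing
#   scsv-enforced       server answered a deliberate fallback probe with the
#                       inappropriate_fallback alert (TLS_FALLBACK_SCSV works)
#   rejected            handshake refused: no cipher negotiated
#   accepted            a cipher was negotiated at the requested protocol
classify_probe() {
    case "$1" in
        *"nknown option"*|*"null ssl method passed"*|*"no protocols available"*)
            printf 'client-unsupported\n' ;;
        *"inappropriate fallback"*)
            printf 'scsv-enforced\n' ;;
        *"Cipher is (NONE)"*)
            printf 'rejected\n' ;;
        *"Cipher is "*)
            printf 'accepted\n' ;;
        *)
            printf 'unknown\n' ;;
    esac
}

# probe HOST PORT FLAG...
# Runs s_client with the given protocol flags; stdin is empty so it exits as
# soon as the handshake succeeds or fails (the "echo -n |" trick above).
# Port 587 is STARTTLS, so the SMTP upgrade has to be requested explicitly.
probe() {
    host="$1"; port="$2"; shift 2
    extra=""
    [ "$port" = "587" ] && extra="-starttls smtp"
    # shellcheck disable=SC2086  # $extra is intentionally word-split
    out=$(openssl s_client "$@" $extra -connect "$host:$port" </dev/null 2>&1) || true
    classify_probe "$out"
}

# scan_host HOST PORT...
# One line per port: SSLv3 probe, TLS 1.0 probe, and a TLS 1.0 probe carrying
# the fallback SCSV (a server whose best protocol is above TLS 1.0 and which
# supports the SCSV must refuse that one).
scan_host() {
    host="$1"; shift
    for port in "$@"; do
        printf '%s:%s  sslv3=%s  tls1=%s  tls1-fallback-scsv=%s\n' "$host" "$port" \
            "$(probe "$host" "$port" -ssl3)" \
            "$(probe "$host" "$port" -tls1)" \
            "$(probe "$host" "$port" -tls1 -fallback_scsv)"
    done
}

# Constructed sample outputs (abbreviated s_client transcripts) used to check
# the classifier without a network; they are not captures from a real server.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit'
SAMPLE_REJECTED='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1262:SSL alert number 40
---
New, (NONE), Cipher is (NONE)'
SAMPLE_SCSV='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:tlsv1 alert inappropriate fallback:s3_pkt.c:1262:SSL alert number 86
---
New, (NONE), Cipher is (NONE)'
SAMPLE_NO_SSL3='s_client: Unknown option: -ssl3
s_client: Use -help for summary.'

# Usage: sh poodle-probe.sh fqdn.server.com 443 2083 2087 2093 465 587
if [ "$#" -ge 2 ]; then
    scan_host "$@"
fi
```

Read the output per port: `sslv3=rejected` with `tls1=accepted` is the state the two one-liners above are looking for; `sslv3=client-unsupported` means the machine you are probing from cannot answer the question and you need an older OpenSSL build to test with.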
> There is a rumour that Firefox does not support TLS on any port that is not 443; any confirmation of that?

That is correct. Firefox cannot access cPanel, WHM or webmail secure ports when SSLv3 is disabled at WHM > Service Configuration > cPanel Web Services Configuration.
> We are talking about Apache and port 443. What about ports 2083, 2087 and 2093? Can somebody confirm that they are also affected?

To fix this in WHM go to Service Configuration > cPanel Web Services Configuration and change the field "TLS/SSL Cipher List" from "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP" to "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP" (note the addition of :-SSLv3, including the colon).
> To fix this in WHM go to Service Configuration > cPanel Web Services Configuration and change the field "TLS/SSL Cipher List" from "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP" to "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP" (note the addition of :-SSLv3, including the colon).

If you do that then all Firefox users will lose access to their cPanel control panels.
> To fix this in WHM go to Service Configuration > cPanel Web Services Configuration and change the field "TLS/SSL Cipher List" from "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP" to "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP" (note the addition of :-SSLv3, including the colon).

But also, if you do that, you lose TLS1.0 and TLS1.1 as well, which knocks out lots of browsers (that, even on port 443, rely on those protocols). To disable SSLv3, without disabling any TLS protocols, I think you need access to the SSLProtocol setting (although I'd be delighted to be proved wrong), and that setting is not exposed for the cPanel web services, for Exim, or for the FTP server processes, in WHM.
> To disable SSLv3, without disabling any TLS protocols, I think you need access to the SSLProtocol setting (although I'd be delighted to be proved wrong), and that setting is not exposed for the cPanel web services, for Exim, or for the FTP server processes, in WHM.

This is the conclusion I also drew. You can disable the SSLv3 (and SSLv2) protocols with Dovecot, by editing the file /etc/dovecot/dovecot.conf and adding:

ssl_protocols = !SSLv2 !SSLv3

above the ssl_cipher_list line. That seems to disable SSLv3 for Dovecot. But for the other services you mentioned, cPanel and Exim, the only configurable option seems to be to disable SSLv3 ciphers, which also disables TLS ciphers. I would also add that if you manually edit the /etc/dovecot/dovecot.conf file and then make changes to the Dovecot configuration in your WHM, these manual changes will likely be lost.
> But also, if you do that, you lose TLS1.0 and TLS1.1 as well, which knocks out lots of browsers (that, even on port 443, rely on those protocols). To disable SSLv3, without disabling any TLS protocols, I think you need access to the SSLProtocol setting (although I'd be delighted to be proved wrong), and that setting is not exposed for the cPanel web services, for Exim, or for the FTP server processes, in WHM.

Yeah, I experienced the same when I tried that. This thread has a list of other web apps for disabling SSLv3 including Dovecot, Apache, HAProxy etc.: security - How do I patch/workaround SSLv3 POODLE vulnerability (CVE-2014-3566)? - Ask Ubuntu (http://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566) (yeah, Ubuntu, but should apply to usage on CentOS too?) For non-WHM/cPanel, I just updated to OpenSSL 1.0.1j which fixes this, or patched OpenSSL 1.0.1i, as I use Nginx with statically compiled OpenSSL. For WHM/cPanel, need to wait for the Red Hat/CentOS updated OpenSSL 1.0.1j equivalent? Guess the next version of system OpenSSL to look for would be OpenSSL 1.0.1e-16.el6_5.16
I think OpenSSL 1.0.1j at best mitigates it, but perhaps I've misunderstood.
> But also, if you do that, you lose TLS1.0 and TLS1.1 as well.

sslscan confirms ... all ciphers are rejected after activating it :(
Yup, if you need SSLv3 enabled, OpenSSL 1.0.1j and TLS_FALLBACK_SCSV are needed.
But TLS_FALLBACK_SCSV only prevents forced downgrades, and I'm pretty sure that's not the only vector that makes SSLv3 problematic.
So what's the immediate recommendation for WHM users? Change the Apache cipher entry to ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP? Apache won't need rebuilding, right?
That would remove TLS1.0 and TLS1.1 as well. Just add one line to the pre_main_global.conf file:

SSLProtocol ALL -SSLv2 -SSLv3

and restart Apache. That protects Apache, but not Exim, Dovecot, Pure-FTPd, ProFTPD or the cPanel processes themselves. Nobody's yet proposed a way to do those that doesn't also catch too much (although note the Dovecot remark earlier in this thread).
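The distinction the last few posts keep circling back to is that `SSLProtocol` selects protocol versions while a cipher list's `-SSLv3` is a cipher-suite filter: OpenSSL's `SSLv3` cipher keyword matches every suite whose lowest usable protocol is SSL 3.0, and those are the same suites TLS 1.0 and 1.1 clients rely on. The script below is an added example (not from this thread or from cPanel) that makes this visible with `openssl ciphers -v`, whose second column is each suite's minimum protocol tag. It uses the two cipher strings quoted in the thread and assumes a local `openssl` binary. One caveat on reading its output: on the OpenSSL 1.0.1 builds those servers ran, essentially every pre-TLS-1.2 suite, ECDHE ones included, carried the SSLv3 tag, which is why the posts above report losing all TLS 1.0/1.1 clients; current builds tag the ECDHE SHA-1 suites TLSv1 instead, so the histogram shows what your own build would strip.

```shell
#!/bin/sh
# Added example: show what a cipher-list "-SSLv3" really removes, using the
# minimum-protocol column of "openssl ciphers -v". Only SSLProtocol (Apache)
# or an equivalent per-daemon setting disables the SSLv3 protocol itself.

# The cPanel default list and the "-SSLv3" variant proposed in this thread.
CPANEL_DEFAULT='ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP'
WITHOUT_SSLV3='ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP'

# version_histogram LIST
# Prints "<min-protocol>=<count>" per line for the suites LIST resolves to on
# this machine's OpenSSL (tags such as SSLv3, TLSv1, TLSv1.2, TLSv1.3 depend
# on the build).
version_histogram() {
    openssl ciphers -v "$1" 2>/dev/null \
        | awk '{ n[$2]++ } END { for (v in n) printf "%s=%d\n", v, n[v] }' \
        | sort
}

# sslv3_tagged_count LIST -> number of suites whose minimum protocol is SSLv3
sslv3_tagged_count() {
    openssl ciphers -v "$1" 2>/dev/null | awk '$2 == "SSLv3" { n++ } END { print n + 0 }'
}

# suite_present LIST NAME -> exit 0 if NAME survives LIST's filter
suite_present() {
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' | grep -qx "$2"
}

# report: histogram for both lists plus the fate of two representative suites,
# an SSLv3-tagged RSA/AES-CBC/SHA1 suite and a TLS 1.2-only AES-GCM suite.
report() {
    for list in "$CPANEL_DEFAULT" "$WITHOUT_SSLV3"; do
        printf '%s\n' "$list"
        version_histogram "$list" | sed 's/^/    /'
        for name in AES128-SHA ECDHE-RSA-AES128-GCM-SHA256; do
            if suite_present "$list" "$name"; then
                printf '    %-32s kept\n' "$name"
            else
                printf '    %-32s removed\n' "$name"
            fi
        done
    done
}

report
```

A client that cannot negotiate TLS 1.2 only has suites from the lower-tagged rows to offer, so the more the second list's histogram collapses toward TLSv1.2 and TLSv1.3 entries, the more clients end up with the "no common encryption algorithm" failure described later in this thread.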
As advised by cPanel staff:
============================

In regards to this vulnerability, which is still fairly fresh at this time, the following link from Qualys indicates some good ciphers to use, and describes how to go about disabling the SSL3 protocol. Please note these are quite strict, and could cause issues with older browsers, however they are generally more secure.
> That is correct. Firefox cannot access cPanel, WHM or webmail secure ports when SSLv3 is disabled at WHM > Service Configuration > cPanel Web Services Configuration.

I can confirm this from first-hand experience. I disabled SSL3 last night and got "locked" out of WHM from Firefox, my default browser, with the following error:

An error occurred during a connection to name.hostname.com:2087. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

Chrome had no problem accessing WHM. Clearly Mozilla needs to do more testing, and take into consideration the millions of cPanel/WHM users.

- - - Updated - - -

> We are talking about Apache and port 443. What about ports 2083, 2087 and 2093? Can somebody confirm that they are also affected?

Yes. I got locked out of WHM last night through Firefox after I disabled SSL3 server-side. Chrome had no problem connecting. Unfortunately, Chrome is not my browser of choice....
> I can confirm this from first-hand experience. I disabled SSL3 last night and got "locked" out of WHM from Firefox, my default browser

You can resolve this from the command line by modifying or removing the SSL options from the file /var/cpanel/conf/cpsrvd/ssl_socket_args and restarting cPanel with /etc/init.d/cpanel restart
> You can resolve this from the command line by modifying or removing the SSL options from the file /var/cpanel/conf/cpsrvd/ssl_socket_args and restarting cPanel with /etc/init.d/cpanel restart

Wouldn't what you're suggesting:

1. Disable SSL logins to cPanel/WHM?
2. Be overwritten when cPanel updates?

- - - Updated - - -

I know there is talk about OpenSSL 1.0.1j here, but for any that missed it: See
> Still waiting for OpenSSL 1.0.1j to be made available through the CentOS repos. I tried searching/asking on the CentOS forum, but it keeps timing out. Because it's generally not advised by cPanel to update outside the vendor-provided repos, I'll wait, I guess. I just hope CentOS doesn't drag their feet on this.

Yes, we have to wait, as no fix/patch has been issued yet to resolve the cPanel services problem. You can however protect Apache from the vulnerability. In WHM at Home > Service Configuration > Apache Configuration > Include Editor > Pre Main Include (pre_main_global.conf) enter:

SSLProtocol ALL -SSLv2 -SSLv3

Save and restart Apache to complete.
> 1. Disable SSL logins to cPanel/WHM?

No. In fact the /var/cpanel/conf/cpsrvd/ssl_socket_args file is empty or missing by default. By default it would appear that cPanel loads all ciphers. This file just specifies what cipher suites it will use if it is defined. That's why if you put -SSLv3 in the cPanel/WHM CipherSuite, then Firefox won't load WHM.

> 2. Be overwritten when cPanel updates?

Not sure, but probably. cPanel has moved away from doing things from a command-line interface, requiring you to make all of your changes through the cPanel or WHM interface, to make sure it's kosher. That's fine if you have 1 or 2 servers and can easily log into the WHM for each server. But if you're managing 50+ servers, logging into 50+ WHMs isn't ideal (and it's very, very time consuming).
> Yes, we have to wait, as no fix/patch has been issued yet to resolve the cPanel services problem. You can however protect Apache from the vulnerability. In WHM at Home > Service Configuration > Apache Configuration > Include Editor > Pre Main Include (pre_main_global.conf) enter: SSLProtocol ALL -SSLv2 -SSLv3 Save and restart Apache to complete.

In regards to this - I have tried this on several CentOS 5 based cPanel servers and so far I haven't been able to fix the issue. Using the ssllabs.com test it still shows as having SSLv3 enabled. If I try setting the cipher suite to any of the above listed options Apache won't start, and gives the following error in error_log:

[error] SSL Library Error: 336646329 error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match

I have even tried copying the "working" entries to Notepad and simply adding the :-SSLv3, and it still fails to reload. Any help would be appreciated...
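The `SSL_CTX_set_cipher_list:no cipher match` error in the post above is what OpenSSL returns when a cipher string resolves to zero suites on the installed OpenSSL build, and `openssl ciphers` calls the same routine, so a string can be checked on the server before it goes into WHM and Apache is restarted. The script below is an added example (not from this thread or from cPanel) that does that check; it assumes a local `openssl` binary, and the third input, a string of keywords OpenSSL does not know, is constructed to trigger the failure.

```shell
#!/bin/sh
# Added example: validate a cipher string offline with the same OpenSSL
# routine Apache uses, so a bad string is caught before a restart.

# check_cipher_list LIST
# Exit 0 and print the suite count when LIST resolves to at least one suite
# on this OpenSSL; exit 1 and print OpenSSL's error to stderr when it would
# make Apache refuse to start (the "no cipher match" case from the post above).
check_cipher_list() {
    if out=$(openssl ciphers "$1" 2>&1); then
        printf '%s suites\n' "$(printf '%s' "$out" | tr ':' '\n' | grep -c .)"
        return 0
    fi
    printf '%s\n' "$out" | sed 's/^/    /' >&2
    return 1
}

# Constructed inputs: the cPanel default list, the "-SSLv3" variant discussed
# in this thread, and a string of unknown keywords that resolves to nothing.
for list in 'ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP' \
            'ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP' \
            'NOSUCHKEYWORD:ANOTHER'; do
    printf '%s -> ' "$list"
    check_cipher_list "$list" || printf 'INVALID (Apache would log "no cipher match")\n'
done
```

Because the check runs against the server's own libssl, it also catches the case where a string copied from a newer OpenSSL's documentation names suites the installed 1.0.1-era build does not have; a count of zero there means the same startup failure regardless of how the string looked in the source it came from.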