SSLv3 Vulnerability : http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols
Mod Edit: Updated Response to Customers Posted Click Here
I received an email from HostingSecList today:
SSL v3
Rumoured Vulnerability
According to The Register, a serious vulnerability in SSL v3 will be disclosed tomorrow on October 15th. Some people are recommending disabling SSL v3 in various daemons until further notice.
Ongoing Discussion via WHT:
New SSL Vulnerability? - Vulnerabilities - Web Hosting Talk: http://www.webhostingtalk.com/showthread.php?t=1420329
More information will be sent out via HSL once the vulnerability is released tomorrow and we urge everyone to stay alert and be ready to patch whatever necessary.
I thought I'd start up a thread here on cPanel, in case this turns into something we need to act upon. - Scott
Thanks, lorio, for the reminder on checking for the back porting. I'm seeing the same as you are, so I should be good to go! - Scott
Anyone mention it's probably either a matter of updating Firefox or disabling SSLv3 support on the client in order to get it to work after disabling SSLv3 on the WHM/cPanel ports? I've successfully disabled SSLv2 on ports 2087, 2083, and 2082, on several servers, and have no issue with Firefox accessing them. How to disable SSLv3 in Firefox: https://zmap.io/sslv3/browsers.html or: https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/?src=api
Hi rohroh1974, have you managed to fix this? I have exactly the same problem.

OK, upon further investigation I think I may have found the issue. CentOS 5 only appears to be using OpenSSL 0.9.8 as its usual repo-based installation. By removing SSLv3 it appears that OpenSSL has no ciphers that can be used. If I remove the -SSLv3 option I get the following

Please correct me if I am wrong, but it appears that 0.9.8 doesn't have any ciphers at all that don't contain SSLv3 in the ident....
Hi Rowan, have you managed to fix this? I have exactly the same problem.
Hey launch, that's correct, OpenSSL 0.9.8 doesn't have any other ciphers than SSLv2 and SSLv3, which we just disabled now. You might want to upgrade OpenSSL; if you are on a CentOS 5 box, manually install it from the source.
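An added example (not part of any post in this thread) for the empty cipher list discussed above: in `openssl ciphers -v` output the second column tags the protocol version that first defined a suite, and the suites tagged SSLv3 are the same ones TLS 1.0 negotiates, so removing that tag from the cipher list is a different operation from disabling the SSLv3 protocol. The cipher lists below are constructed samples in that output layout, and `remove_tags` is a hypothetical, simplified model of `-TAG` / `!TAG` in a cipher string.

```python
"""Added example: why removing the SSLv3 tag from a cipher list can leave nothing."""

# Constructed samples in the layout of `openssl ciphers -v` (not captured from a
# real server). Column 2 is the protocol version that first defined the suite;
# TLS 1.0 and later negotiate the SSLv3-tagged suites as well.
SAMPLE_098 = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
"""
# A newer build adds suites that only exist from TLS 1.2 onward.
SAMPLE_101 = SAMPLE_098 + """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
"""


def parse_ciphers(text):
    """Parse `openssl ciphers -v` style lines into dicts (name, tag, Kx, Au, Enc, Mac)."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip blank or malformed lines
        attrs = dict(f.split("=", 1) for f in fields[2:] if "=" in f)
        suites.append({"name": fields[0], "tag": fields[1], **attrs})
    return suites


def remove_tags(suites, tags):
    """Hypothetical model of '-TAG' / '!TAG' in a cipher string: drop tagged suites.
    Simplified: real cipher strings also handle ordering and re-adding suites."""
    return [s for s in suites if s["tag"] not in tags]


def report(label, text, tags=("SSLv2", "SSLv3")):
    """Return (and print) the suite names left once the given tags are removed."""
    names = [s["name"] for s in remove_tags(parse_ciphers(text), set(tags))]
    print(f"{label}: {len(names)} suite(s) left without {', '.join(tags)}: {names}")
    return names


if __name__ == "__main__":
    report("0.9.8-style list", SAMPLE_098)   # nothing left to negotiate
    report("1.0.1-style list", SAMPLE_101)   # only the TLSv1.2-only suites remain
```

To inspect a real build, feed the output of `openssl ciphers -v` to `parse_ciphers` in place of the constructed samples.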