
SSLv3 Vulnerability : http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

Comments

124 comments

  • TheRealWaldo
    ]Any help would be appreciated...

    In order to disable the protocol, add
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    To your Pre VirtualHost Include instead of your Pre Main. If you still have issues, copy your cipher-list here, as the problem could be that you have no valid cipher configured after you disable the SSLv2 and SSLv3 protocols.
    0
  • rohroh1974
    ]In order to disable the protocol, add
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    To your Pre VirtualHost Include instead of your Pre Main. If you still have issues, copy your cipher-list here, as the problem could be that you have no valid cipher configured after you disable the SSLv2 and SSLv3 protocols.

    OK, upon further investigation I think I may have found the issue. CentOS 5 only appears to be using OpenSSL 0.9.8 as its usual repo-based installation. By removing SSLv3 it appears that OpenSSL has no ciphers that can be used:

    openssl ciphers -v 'ALL !ADH !NULL !EXPORT56 RC4+RSA +HIGH +MEDIUM -LOW -SSLv3 -SSLv2'
    Error in cipher list
    13370:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1188:

    If I remove the -SSLv3 option I get the following:

    openssl ciphers -v 'ALL !ADH !NULL !EXPORT56 RC4+RSA +HIGH +MEDIUM -LOW -SSLv2 +TLSv1'
    EXP-KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=MD5 export
    EXP-KRB5-RC2-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=MD5 export
    EXP-KRB5-DES-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=MD5 export
    EXP-KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=SHA1 export
    EXP-KRB5-RC2-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=SHA1 export
    EXP-KRB5-DES-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=SHA1 export
    EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
    EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
    EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
    EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
    EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
    DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
    DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
    AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
    DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
    DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
    AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
    KRB5-DES-CBC3-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5
    KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
    EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
    EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
    DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
    KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
    KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
    RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
    RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

    Please correct me if I am wrong, but it appears that 0.9.8 doesn't have any ciphers at all that don't contain SSLv3 in the ident....
    0
  • TheRealWaldo

    openssl ciphers -v
    Will list all available ciphers in your installation. Your current cipher list is limiting you to TLSv1.2 ciphers, which may not be included in 0.9.8. You'll probably need to expand your cipher list to include 1.0 and 1.1, which will likely be supported by your version.
    0
  • JamesOakley
    Picking up on what several people have said in this thread (and this may help @rohroh1974): You shouldn't be changing the SSLCiphers at all. SSLProtocol is the only thing that needs changing (well, setting, since the default EasyApache httpd.conf doesn't include that property at all), to specify that SSLv3 is not to be used. That can go in one of the include files. If you remove SSLv3 from the Ciphers list (which several people are suggesting) you will also disable TLS1.0 and TLS1.1. You need to leave SSLv3 enabled at the Cipher level, but disallow anyone to use it using the SSLProtocol declaration. All of this still only applies to Apache itself.
    0
  • TheRealWaldo
    I agree; sorry my post was a bit cryptic. There is a difference between protocols and ciphers. You only need to disable the protocol if you have a properly configured cipher list already (should not need -SSLv3).
    0
  • pgolding
    Poodle Attack

    Hi All. After running a test I need to disable SSLv3 and use TLS 1.0 or higher. How do I implement the required changes in WHM, I guess in the areas below (current settings shown)?

    WHM >> Apache Configuration >> TLS Cipher Suite
    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH

    WHM >> FTP Server Configuration >> TLS Cipher Suite
    HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

    WHM >> Mailserver Configuration >> SSL Cipher List
    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    WHM >> Exim Configuration Manager >> Advanced Editor >> tls_require_ciphers
    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    Any help gratefully received, and if possible in very simple terms :)
    0
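The settings pgolding lists are all cipher strings, and JamesOakley's point earlier in the thread is that none of them is the right place to turn SSLv3 off. The following is an added example, not code from cPanel or from anyone in this thread: a small linter that tokenises an OpenSSL-style cipher string and reports what each protocol keyword actually does on the OpenSSL versions discussed here (0.9.8 and 1.0.1). The input strings are the WHM defaults quoted above plus one with the mistaken `-SSLv3`; the keyword and family tables are the author's own selection, not an exhaustive list.

```python
"""Lint an OpenSSL cipher string for protocol keywords.

'-SSLv3' in a *cipher* string does not disable the SSLv3 *protocol*: it drops
every suite first defined for SSLv3, which are the same suites TLS 1.0 and
TLS 1.1 use, leaving only TLS 1.2-only suites (none at all on OpenSSL 0.9.8).
"""
import re

# Keywords that select suites by the protocol that introduced them.
PROTOCOL_KEYWORDS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.2"}
# Families a cipher-strength scan would flag; listed only so those findings
# are kept separate from the protocol confusion (author's selection).
WEAK_FAMILIES = {"RC4", "EXP", "EXPORT", "LOW", "NULL", "eNULL", "aNULL", "ADH", "MD5"}


def split_cipher_string(spec):
    """Tokenise an OpenSSL cipher string. Separators are ':', ',' and
    whitespace; each token keeps its leading '!', '-' or '+' operator."""
    return [t for t in re.split(r"[:,\s]+", spec.strip()) if t]


def _protocol_note(op, proto):
    if proto == "SSLv3":
        if op in ("!", "-"):
            return ("removes the SSLv3-era suites, which TLS 1.0/1.1 also use; only "
                    "TLS 1.2-only suites remain. Disable the protocol with SSLProtocol / "
                    "ssl_protocols / openssl_options instead")
        if op == "+":
            return ("moves the SSLv3-era suites to the end of the preference list; "
                    "it neither enables nor disables the SSLv3 protocol")
        return "adds the SSLv3-era suites; says nothing about the SSLv3 protocol"
    if proto == "SSLv2":
        return ("affects SSLv2-only suites; the SSLv2 protocol itself is still "
                "controlled by the protocol setting")
    return f"selects suites by the protocol that introduced them ({proto}); not a protocol switch"


def lint_cipher_string(spec):
    """Return [(token, note), ...] for every token that touches a protocol
    keyword or leaves a weak family enabled."""
    findings = []
    for tok in split_cipher_string(spec):
        op = tok[0] if tok[0] in "!-+" else ""
        name = tok[1:] if op else tok
        # 'RC4+RSA' is an intersection: look at every part of it.
        for part in name.split("+"):
            if part in PROTOCOL_KEYWORDS:
                findings.append((tok, _protocol_note(op, part)))
            elif part in WEAK_FAMILIES and op not in ("!", "-"):
                findings.append((tok, f"{part} suites stay enabled "
                                      "(a cipher-strength issue, separate from POODLE)"))
    return findings


def removes_sslv3_suites(spec):
    """True if the string would strip the SSLv3/TLS1.0/TLS1.1 suites."""
    return any(tok in ("-SSLv3", "!SSLv3") for tok in split_cipher_string(spec))


if __name__ == "__main__":
    for spec in (
        "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH",  # WHM Apache default (from the thread)
        "HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3",                       # WHM FTP default (from the thread)
        "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv3:-SSLv2",      # the '-SSLv3' mistake
    ):
        print(spec, "-> removes SSLv3-era suites:", removes_sslv3_suites(spec))
        for tok, note in lint_cipher_string(spec):
            print("   ", tok, ":", note)
```

Run it on any cipher string you are about to paste into WHM; if `removes_sslv3_suites` is true, the change will cut TLS 1.0 and 1.1 clients off without touching the SSLv3 protocol at all, which is the failure mode rohroh1974 hit on OpenSSL 0.9.8.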
  • aklein
    I have tried the below and when I run the test at ssllabs I get a message "Assessment failed: No secure protocols supported". I get this message before and after I do the below.
    ]As advised by cPanel staff:
    ============================
    In regards to this vulnerability, which is still fairly fresh at this time, the following link from Qualys indicates some good ciphers to use, and describes how to go about disabling the SSL3 Protocol. Please note these are quite strict, and could cause issues with older browsers, however they are generally more secure. ...

    0
  • allpar
    Y'know, it'd sure be nice for CPanel to issue an official bulletin on this.
    0
  • ciao70
    Fix for Red Hat/Centos
    0
  • HostT
    Would be very nice for an official cPanel response ...
    0
  • scollins
    ]Fix for Red Hat/Centos
    0
  • patchwork
    ]Would be very nice for an official cPanel response ...

    I would also like to see an official response, it seems like it would be so easy to break things if the settings are incorrectly changed.
    0
  • aklein
    ]I have tried the below and when I run the test at ssllabs I get a message "Assessment failed: No secure protocols supported". I get this message before and after I do the below.

    I am wondering if I get the No secure protocols supported because I do not have any domains on my site with secure sites configured. The only SSL connection is for WHM and Cpanel access. Which I understand the apache fix mentioned here does not correct.
    0
  • JustSomeGuy
    ]I would also like to see an official response, it seems like it would be so easy to break things if the settings are incorrectly changed.

    I am sure most of us would at least like to hear "something" from CPanel. Either they are looking into a fix, patch, etc...
    0
  • deka
    ]The only SSL connection is for WHM and Cpanel access.

    Disable the SSL3 protocol in Apache as mentioned already, then run SSL Labs test using your server hostname: name.domain.com
    0
  • PhilGlau
    Here's the advice I got from cPanel when I opened a support ticket:

    On October 14, 2014, security experts alerted the general public to a flaw in an obsolete but still-used SSL protocol (SSLv3). The "POODLE" (Padding Oracle On Downgraded Legacy Encryption) attack can force a connection to "fallback" to SSL 3.0, where it is then possible to steal cookies, which are small data files that enable persistent access to an online service. If stolen, a cookie could allow an attacker access to someone's Web-based email account, for example. It's important to know that this flaw is most likely present in all servers and is not specific to the cPanel software. However, servers that currently function only because of SSL 3.0 fallback should be updated. To accomplish this, please follow these steps. This does not appear to affect SSH and FTP services.

    ==== For Apache:
    1) Go to WHM => Service Configuration => Apache Configuration => Include Editor => Pre Main Include.
    2) Select a version or All Versions.
    3) If you are using CentOS/RHEL 6.x, add the following in the text box that appears:
    SSLHonorCipherOrder On
    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
    If you are using CentOS/RHEL 5.x, add the following in the text box that appears:
    SSLHonorCipherOrder On
    SSLProtocol -All +TLSv1
    4) Press the Update button and rebuild your Apache configuration.
    This will disable SSLv3.0 on your server running Apache.

    For LiteSpeed:
    LiteSpeed has released version 4.2.18 to address this issue by using OpenSSL 1.0.1j and disabling SSLv3 by default. You can force an update by running this command:
    # /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.18

    ==== For cpsrvd and cpdavd:
    1. Create the following files if they do not already exist:
    /var/cpanel/conf/cpsrvd/ssl_socket_args
    /var/cpanel/conf/cpdavd/ssl_socket_args
    2. Add the following to those files:
    SSL_version=TLSv1
    Please note that forcing TLSv1 support in this way will also disable support for the newer TLSv1.1 and TLSv1.2 protocols on CentOS/RHEL 6 and this is the only option that WHM 11.44 supports to directly disable SSLv3. CentOS/RHEL 5 does not support the newer TLS protocols so limiting it to TLSv1.0 does not reduce the existing TLS protocol support. More complex protocol strings will work for cpdavd for all builds. The cpsrvd process in WHM 11.46 also supports complex protocol strings such as "SSL_version=SSLv23:!SSLv2:!SSLv3" which will preserve support for TLSv1.1 and TLSv1.2 on CentOS/RHEL 6. Any 11.44 systems only need to enable TLSv1 support using this method until a fix has been released for internal case 124993 that is open about this issue.

    ==== For Dovecot:
    1) Make a copy of /var/cpanel/templates/dovecot2.2/main.default
    2) Edit /var/cpanel/templates/dovecot2.2/main.default. Below:
    # SSL ciphers to use
    [%- IF ssl_cipher_list.defined %]
    ssl_cipher_list = [% ssl_cipher_list %]
    [%- ELSE %]
    #ssl_cipher_list = ALL:!LOW:!SSLv2
    [%- END %]
    Add:
    # SSL/TLS protocols to use
    [%- IF ssl_protocols.defined %]
    ssl_protocols = [% ssl_protocols %]
    [%- ELSE %]
    ssl_protocols = !SSLv2 !SSLv3
    [%- END %]
    3) Save the file and run '/usr/local/cpanel/scripts/builddovecotconf' to rebuild the Dovecot configuration file
    4) Restart Dovecot by running '/usr/local/cpanel/scripts/restartsrv_dovecot'

    ==== For Courier:
    There is currently no workaround at this time. We have an internal case open, 125369. We advise that you switch to Dovecot instead if you want to disable SSLv3.

    ==== For Exim:
    1) Go to WHM => Service Configuration >> Exim Configuration Manager >> Advanced Editor
    2) At the top is SECTION: Config. Go to the end of that section and click the button "Add additional configuration setting". It will open two boxes above the button you clicked.
    3) In the first blank box, put in: openssl_options
    In the blank box next to it, put in: +no_sslv3
    4) Go to the bottom of the page and hit the save button.
    ====

    Thank you.
    -- Thank you for using cPanel
    0
  • MaraBlue
    ]Y'know, it'd sure be nice for CPanel to issue an official bulletin on this.

    Agreed. I'm sure they're working on it, I just hope they don't take too long.
    0
  • Venomous21
    Concerning PhilGlau's post above, can someone at cPanel confirm these steps should be applied to a CentOS 5 server? Will these steps from PhilGlau's post or the steps listed directly below cause IE6 to fail on SSL sites? (Sadly, lots of clients still use IE6... yes, I know...)

    To protect just Apache, this would work? (Would this apply to WHM logins on :2087?)
    ===
    That would remove TLS1.0 and TLS1.1 as well. Just add one line to the pre_main_global.conf file:
    SSLProtocol ALL -SSLv2 -SSLv3
    and restart Apache.
    ===
    Does cPanel plan to add a patch to add these protections per PhilGlau's post or must we manually add these to every server? Per
    0
  • eva2000
    Updates for CentOS are upon us.

    CentOS 6.5 64bit:
    yum clean all -q; yum list updates -q
    Updated Packages
    openssl.i686 1.0.1e-30.el6_5.2 updates
    openssl-devel.i686 1.0.1e-30.el6_5.2 updates

    CentOS 7.0 64bit:
    yum clean all -q; yum list updates -q
    Updated Packages
    openssl.x86_64 1:1.0.1e-34.el7_0.6 updates
    openssl-devel.x86_64 1:1.0.1e-34.el7_0.6 updates
    openssl-libs.x86_64 1:1.0.1e-34.el7_0.6 updates
    0
  • quizknows
    I'm not buying the rumor that Firefox doesn't use TLS on ports that aren't 443. While disabling the SSLv3 ciphers on WHM's end seems to break things, when I connect to WHM and view the connection security information in Firefox, it reports that TLS is in use. Urgency wise, I'm kinda waiting this one out to see how cPanel addresses it. Anyone using a modern browser really shouldn't be THAT concerned unless you're connecting to a service that only supports SSLv3. I'd be more worried about email clients than web browsers at this point. Just my two cents.
    0
  • eva2000
    ]I'm not buying the rumor that Firefox doesn't use TLS on ports that aren't 443. While disabling the SSLv3 ciphers on WHM's end seems to break things, when I connect to WHM and view the connection security information in Firefox, it reports that TLS is in use. Urgency wise, I'm kinda waiting this one out to see how cPanel addresses it. Anyone using a modern browser really shouldn't be THAT concerned unless you're connecting to a service that only supports SSLv3. I'd be more worried about email clients than web browsers at this point. Just my two cents.

    ssl - Does Firefox support TLS on non-standard ports? - Super User: http://superuser.com/questions/827055/does-firefox-support-tls-on-non-standard-ports
    0
  • durangod
    Hi, a little confused here as to the total solution. I'm running Red Hat/CentOS 6.5 and PHP 5.4, so what are we doing here:
    1. updating CentOS
    2. disabling SSL3
    3. enabling TLS
    4. all the above
    Thanks.

    Regarding the instructions someone shared back on post 47: I don't have this file or dir. All I have is dovecot and dict.sqlite inside of it.

    For Dovecot:
    1) Make a copy of /var/cpanel/templates/dovecot2.2/main.default
    2) Edit /var/cpanel/templates/dovecot2.2/main.default. Below:
    # SSL ciphers to use
    [%- IF ssl_cipher_list.defined %]
    ssl_cipher_list = [% ssl_cipher_list %]
    [%- ELSE %]
    #ssl_cipher_list = ALL:!LOW:!SSLv2
    [%- END %]
    Add:
    # SSL/TLS protocols to use
    [%- IF ssl_protocols.defined %]
    ssl_protocols = [% ssl_protocols %]
    [%- ELSE %]
    ssl_protocols = !SSLv2 !SSLv3
    [%- END %]
    3) Save the file and run '/usr/local/cpanel/scripts/builddovecotconf' to rebuild the Dovecot configuration file
    4) Restart Dovecot by running '/usr/local/cpanel/scripts/restartsrv_dovecot'

    However, inside of the etc dovecot config I did find this section on line 90:
    # SSL ciphers to use
    ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    So I'm guessing I can use the if statement in the help post above in the same way? Like so:
    # SSL/TLS protocols to use
    [%- IF ssl_protocols.defined %]
    ssl_protocols = [% ssl_protocols %]
    [%- ELSE %]
    ssl_protocols = !SSLv2 !SSLv3
    [%- END %]
    0
  • jdlightsey
    ]Urgency wise, I'm kinda waiting this one out to see how cPanel addresses it. Anyone using a modern browser really shouldn't be THAT concerned unless you're connecting to a service that only supports sslv3. Id be more worried about email clients than web browsers at this point. Just my two cents.

    This flaw exposed several shortcomings in the flexibility our interfaces allow in configuring SSL. In the past, we've mainly received requests to adjust the SSL cipher list to meet PCI compliance requirements. We've addressed those concerns by providing WHM interfaces to configure the cipher list for all SSL enabled services and setting services to use PCI compliant cipher settings by default. The POODLE attack is focused on the way the SSLv3 protocol uses certain ciphers, rather than the ciphers themselves. The correct fix is to change the SSL protocol settings rather than the SSL cipher setting. Since this hasn't been requested in the past, we need to update the various WHM interfaces that allow specifying the SSL cipher list to also allow specifying the SSL protocol list.

    As the response from tech support indicates, you can manually force a different protocol list into every service provided by cPanel & WHM. I wouldn't recommend going this route unless you must reconfigure your services immediately (PCI compliance, for instance.) The POODLE attack is very real, but since it's a man in the middle attack like CRIME, BEAST and SSLStrip, it's unlikely to be widespread in the way Heartbleed and Shellshock were. The threat from POODLE is quite similar to the earlier man in the middle attacks against SSL. The threat of a POODLE attack is also vastly lower than the threat caused by sending data over plaintext connections.

    The development team is working on changes to all supported cPanel & WHM releases to make the SSL protocol list default to secure settings and to make reconfiguration of the protocol list possible using the WHM interfaces. If you do reconfigure services manually as the tech support response indicates, you'll want to undo the changes once our fixes are available. Failing to remove these types of customizations when they are no longer needed increases the likelihood that the server will miss updates in the future. Many of the workarounds available for existing builds override cPanel & WHM's ability to update the configuration files.

    I'm working with our documentation team to get full details about how the cipher list and protocol list can be configured for all the services managed by cPanel & WHM into our documentation site. The documentation will be updated once the new builds are available. I'll add a link to this thread once the documentation is online. Unless you have an immediate requirement to update the protocol list though, I'd recommend waiting for the new cPanel & WHM builds that will default to secure SSL protocol settings.
    0
  • jdlightsey
    ]Hi, alittle confused here as to the total solution. Im running redhat centos 6.5 and php 5.4 so what are we doing here: 1. updating centos 2. disabling ssl3 3. enabling tls 4. all the above

    #1 The RPM update limits the ability of an attacker to force a protocol downgrade when the web browser initially connects to the server. It's definitely good to install this update. #2-4, The protocol setting should be one that enables all protocols and disables the SSLv2 and SSLv3 protocols. Although POODLE targets SSLv3, SSLv2 is also considered to be a poor choice. The specific protocol setting is dependent on the service you're reconfiguring. Services are fairly consistent in the way the cipher list is specified, but this isn't the case with the protocol list. The settings support recommends have been checked to verify they function correctly in each service. If your system doesn't have /var/cpanel/templates/dovecot2.2/main.default, you're likely on an older build that still uses Dovecot 1.2. The main.default template would be in a different directory in that case. If you open a ticket with our support department, they can help you make the changes.
    0
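Two things in this thread call for a check a practitioner can actually run: the per-service procedure in PhilGlau's support reply (Apache, cpsrvd/cpdavd, Dovecot, Exim), and jdlightsey's point above that the OpenSSL RPM update only limits the attacker's ability to force a downgrade. The following is an added example, not cPanel's code or any poster's: a minimal probe that hand-builds an SSLv3 ClientHello, sends it to a port, and classifies the first record that comes back. It goes beyond the thread in one respect: the same builder can append TLS_FALLBACK_SCSV (RFC 7507), which is what a patched client sends on a downgraded retry, so you can also see whether the updated OpenSSL answers with `inappropriate_fallback`. The cipher-suite values are from the TLS registry; the sample server replies at the bottom are constructed bytes for offline use, and the host/port are whatever you pass on the command line.

```python
"""Hand-built SSLv3 probe: does this port still complete an SSLv3 handshake?"""
import socket
import struct

SSLV3 = (3, 0)
TLS_FALLBACK_SCSV = 0x5600   # RFC 7507 signalling suite a patched client adds on a downgraded retry
# Suites every SSLv3-capable server of that era offered (TLS cipher-suite registry values):
# DES-CBC3-SHA, AES128-SHA, AES256-SHA, RC4-SHA, RC4-MD5
PROBE_SUITES = [0x000A, 0x002F, 0x0035, 0x0005, 0x0004]
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version=SSLV3, suites=PROBE_SUITES, fallback_scsv=False):
    """Return one TLS record (type 0x16) carrying a ClientHello for `version`."""
    suites = list(suites) + ([TLS_FALLBACK_SCSV] if fallback_scsv else [])
    body = struct.pack("!BB", *version)
    body += b"\x00" * 32                      # client random: zeros are fine for a probe, never for real use
    body += b"\x00"                           # session_id length 0
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                       # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 24-bit length
    return b"\x16" + struct.pack("!BB", *version) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record of the server's reply as one of
    ("server_hello", (major, minor), cipher_suite), ("alert", level, description)
    or ("not_tls",). A server that just closes the socket yields b"" -> ("not_tls",)."""
    if len(data) < 5:
        return ("not_tls",)
    ctype, _maj, _min, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:
        return ("alert", payload[0], payload[1])
    if ctype == 0x16 and len(payload) >= 4 and payload[0] == 0x02:
        hs = payload[4:]                      # ServerHello body: version(2) random(32) sid_len(1) sid suite(2)
        if len(hs) < 35:
            return ("not_tls",)
        off = 35 + hs[34]
        if len(hs) < off + 2:
            return ("not_tls",)
        return ("server_hello", (hs[0], hs[1]), struct.unpack("!H", hs[off:off + 2])[0])
    return ("not_tls",)


def sslv3_accepted(response):
    """True only if the server completed negotiation at SSLv3 itself."""
    r = classify_response(response)
    return r[0] == "server_hello" and r[1] == SSLV3


def probe(host, port, fallback_scsv=False, timeout=5.0):
    """Live check (not run by the offline test). Works for ports that start TLS
    immediately (443, 2083/2087/2096, 993, 995, 465); STARTTLS ports such as
    143, 110 and 587 need the STARTTLS exchange before the ClientHello."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(fallback_scsv=fallback_scsv))
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


def describe(result):
    if result[0] == "server_hello":
        return f"negotiated {result[1][0]}.{result[1][1]} with suite 0x{result[2]:04x}"
    if result[0] == "alert":
        return f"alert {ALERT_NAMES.get(result[2], result[2])}"
    return "no TLS record (connection closed or non-TLS service)"


# Constructed sample replies for offline use: a ServerHello accepting SSLv3
# with AES256-SHA (0x0035), and a fatal handshake_failure alert.
_sh_body = b"\x03\x00" + b"\x11" * 32 + b"\x00" + b"\x00\x35" + b"\x00"
_sh = b"\x02" + struct.pack("!I", len(_sh_body))[1:] + _sh_body
SAMPLE_SERVER_HELLO = b"\x16\x03\x00" + struct.pack("!H", len(_sh)) + _sh
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"

if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    plain = probe(host, port)
    print(f"{host}:{port} SSLv3 hello      -> {describe(plain)}"
          + ("  ** SSLv3 STILL ACCEPTED **" if sslv3_accepted(plain) else ""))
    print(f"{host}:{port} SSLv3 hello+SCSV -> {describe(probe(host, port, fallback_scsv=True))}")
```

After applying the Apache, cpsrvd and Dovecot changes, run it once per port: a `handshake_failure` or `protocol_version` alert, or a closed connection, means SSLv3 is off; a ServerHello at version 3.0 means the setting did not take. On a server whose OpenSSL has the fallback-SCSV update and which still supports a higher version, the second line should come back as `inappropriate_fallback`, regardless of whether SSLv3 itself is still enabled.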
  • eva2000
    would be nice to have a single WHM SSL management page which allows controlling SSL protocols, ciphers for all cpanel services Apache, mail etc instead of separate pages to go through :)
    0
  • jdlightsey
    ]would be nice to have a single WHM SSL management page which allows controlling SSL protocols, ciphers for all cpanel services Apache, mail etc instead of separate pages to go through :)

    That has come up quite a bit today as we were putting together the list of interfaces that changes need to be made in. I'm not certain whether it will get in with the initial fixes, but it's clear that WHM needs one place you can set the preferred defaults for the SSL cipher and protocol lists. The cPanel knowledge base has an article now on adjusting SSL ciphers and SSL protocols for each SSL speaking service we configure. This article will be updated with details on the new configuration interfaces for the protocols once we have the new builds out.
    0
  • durangod
    ticket submitted earlier today.. #5586713 i will keep you all posted. @jd 500 error on your link :(
    0
  • eva2000
    ]That has come up quite a bit today as we were putting together the list of interfaces that changes need to be made in. I'm not certain whether it will get in with the initial fixes, but it's clear that WHM needs one place you can set the preferred defaults for the SSL cipher and protocol lists. The cPanel knowledge base has an article now on adjusting SSL ciphers and SSL protocols for each SSL speaking service we configure. This article will be updated with details on the new configuration interfaces for the protocols once we have the new builds out.

    /var/cpanel/conf/cpsrvd/ssl_socket_args
    echo "SSL_version=TLSv1" > /var/cpanel/conf/cpdavd/ssl_socket_args
    echo "TLS_STARTTLS_PROTOCOL=TLSv1" > /usr/lib/courier/etc/imapd
    echo "TLS_PROTOCOL=TLSv1" > /usr/lib/courier/etc/imapd-ssl
    echo "TLS_STARTTLS_PROTOCOL=TLSv1" > /usr/lib/courier/etc/pop3d
    echo "TLS_PROTOCOL=TLSv1" > /usr/lib/courier/etc/pop3d-ssl

    For Dovecot I have 2 versions?

    ls -lah /var/cpanel/templates/dovecot*
    /var/cpanel/templates/dovecot1.2:
    total 52K
    drwxr-xr-x 2 root root 4.0K Feb 26 2013 .
    drwxr-xr-x 7 root root 4.0K Dec 22 2013 ..
    -rw-r--r-- 1 root root 42K Feb 26 2013 main.default
    /var/cpanel/templates/dovecot2.2:
    total 64K
    drwxr-xr-x 2 root root 4.0K Dec 22 2013 .
    drwxr-xr-x 7 root root 4.0K Dec 22 2013 ..
    -rw-r--r-- 1 root root 50K Dec 22 2013 main.default
    0
  • WhiteDog
    *** I would advise anyone who reads this not to blindly apply configuration changes on their servers ***

    My server is on CentOS 5.11 and has OpenSSL 0.9.8e. If I apply the changes put out by cPanel for Apache:
    SSLHonorCipherOrder On
    SSLProtocol All -SSLv2 -SSLv3
    Then sure, browsers are now always connecting using TLS and I get a pretty score on the SSL Labs test. However, 2 major issues arose:
    1. PayPal IPN pings towards my server are no longer coming through. It appears PayPal is unable to do a correct handshake with my server after this change. I don't blame them; it's most likely due to the OpenSSL version in CentOS 5.
    2. A simple wget using https to my server now fails. Try this:
    root@server [~]# wget -O /dev/null https://domain.com
    --2014-10-18 12:41:52-- https://domain.com
    Resolving domain.com... 1.2.3.4
    Connecting to domain.com|1.2.3.4|:443... connected.
    Unable to establish SSL connection.
    Some better instructions for CentOS 5.X that also cover the above situations would be greatly appreciated...
    0
