SSLv3 Vulnerability : http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols
Mod Edit: Updated Response to Customers Posted
I received an email from HostingSecList today:

> SSL v3
> Rumoured Vulnerability
> According to The Register, a serious vulnerability in SSL v3 will be disclosed tomorrow on October 15th. Some people are recommending disabling SSL v3 in various daemons until further notice.
> Ongoing Discussion via WHT:
> New SSL Vulnerability? - Vulnerabilities - Web Hosting Talk: http://www.webhostingtalk.com/showthread.php?t=1420329
> More information will be sent out via HSL once the vulnerability is released tomorrow and we urge everyone to stay alert and be ready to patch whatever necessary.

I thought I'd start up a thread here on cPanel, in case this turns into something we need to act upon. - Scott
> So for /var/cpanel/conf/cpsrvd/ssl_socket_args, /var/cpanel/conf/cpdavd/ssl_socket_args, /usr/lib/courier/etc/imapd, /usr/lib/courier/etc/imapd-ssl, /usr/lib/courier/etc/pop3d and /usr/lib/courier/etc/pop3d-ssl, if they do not exist, create them?
> For Dovecot I have 2 versions?

You'll only have one daemon serving IMAP and POP3 connections. There are three different variations common on cPanel & WHM systems: Courier, Dovecot 1.2 and Dovecot 2.2. You can tell which mail server your system is configured to use with this command:

rpm -qa | grep -E -i "(dovecot|courier-imap)"

For instance, if it says:

dovecot-2.2.13-1.cp1140.i386

you know the system is using Dovecot version 2.2.13, and you'll follow the steps for Dovecot 2.2. The steps to configure the SSL protocols for IMAP services will be more or less identical once the new builds are tested and available.
> You'll only have one daemon serving IMAP and POP3 connections. There are three different variations common on cPanel & WHM systems: Courier, Dovecot 1.2 and Dovecot 2.2. You can tell which mail server your system is configured to use with this command: rpm -qa | grep -E -i "(dovecot|courier-imap)" For instance, if it says: dovecot-2.2.13-1.cp1140.i386 you know the system is using Dovecot version 2.2.13, and you'll follow the steps for Dovecot 2.2. The steps to configure the SSL protocols for IMAP services will be more or less identical once the new builds are tested and available.

Thanks for the clarification; looks like Dovecot 2.2:

rpm -qa | grep -E -i "(dovecot|courier-imap)"
dovecot-2.2.13-1.cp1140
> One truism to keep in mind about securing software and systems is that users will work around any roadblocks that are placed in front of them. You don't want to put roadblocks in place that encourage users to take even less secure paths to accomplish their goals. For instance, if the end result of disabling SSLv3 in IMAP is that your users switch to plaintext connections, your system and users have become less secure in the process.

This is a legendary quote. Let's not forget the goal here, people. Let's do it right, but we're going to need cPanel's help here to make all the supported systems 'fixed.' Oh, and I hope you guys are in talks with Cloud Linux too; they definitely need to be in the loop. I love how these things come up at hosting conventions or cP conferences. One thing I noticed was that opening a ticket was encouraged. In our case, I have asked our techs to not open tickets, to lessen the load on cPanel techs, until we have an official patch or announcement from cPanel for this particular incident. The other reasons I asked our guys to do that were to 'not break' current systems, to avoid 'unpatching', and also to have the ability to blame someone :) Our critical users are already 'patched' but we're still waiting for word of what to do for our shared servers. I guess there is not a big demand to man-in-the-middle a $5 shared account.
> Hi, a little confused here as to the total solution. I'm running RedHat CentOS 6.5 and PHP 5.4, so what are we doing here?

Well, in my case we've got two cPanel servers, one running 5.11 and the other using 6.5. In our case I've done the following changes and haven't seen any negative impact. Within Apache Configuration > Include Editor > Pre Main Include > All Versions I added:

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on

Then within Apache Configuration > Global Configuration > SSL Cipher Suite I changed the entry to:

ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL

The upshot of those two changes on both installations is to disable SSL v2 and v3 entirely. On the 6.5 install, when I checked the result on ssllabs.com it flagged the fact that some of the cipher entries in TLS 1.2 include anonymous authentication. I suspect that was previously the case since I hadn't checked before, but decided to fix it at the same time. While the 5.11 installation doesn't support TLS 1.1 or 1.2, and therefore doesn't have that same issue, making the same changes on 5.11 works fine, as I believe cPanel/Apache simply ignores the entries it doesn't support. But at least this means that if cPanel decide to finally deploy a newer build of OpenSSL to v5 installations, and with it support for TLS 1.1 and 1.2, then the settings will already be in place for it.
The reason I have not reported back on my ticket is because it turned out to be something they had to do themselves. So although they presented me with some instructions which I believe are already in the documentation, my solution I don't think could be used by the masses. Seems my server gave them a bit of a fit, but I will tell you I have yet to deal with a tech that has been less than professional and very knowledgeable; I think they are awesome.

All, I've been repeatedly asked to post something about this to my site, so I did: de-POODLE-ing: How to Disable Support for SSLv3 on a cPanel Server - The cPanel Admin: http://thecpaneladmin.com/disabling-support-for-sslv3-on-a-cpanel-server/ In the post I have covered how to disable SSLv3 for all services on the system. A couple people from cPanel reviewed it for accuracy and added some things, but if I've missed anything feel free to let me know so I can add it.

Urgent: SSLv3 Disabled but Java Gives Mismatch Error

We disabled SSLv3 on our server by using this code in pre_main_global, but this code broke "Java 6u45" and shows the error "Protocol or cipher suite mismatch". We use this code:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 -SSLv2 -SSLv3

Please advise, because we use Java.
> Unless you have an immediate requirement to update the protocol list though, I'd recommend waiting for the new cPanel & WHM builds that will default to secure SSL protocol settings.

So nothing to do except sit back and wait? OK, that's OK with me.
> All, I've been repeatedly asked to post something about this to my site, so I did: de-POODLE-ing: How to Disable Support for SSLv3 on a cPanel Server - The cPanel Admin: http://thecpaneladmin.com/disabling-support-for-sslv3-on-a-cpanel-server/ In the post I have covered how to disable SSLv3 for all services on the system. A couple people from cPanel reviewed it for accuracy and added some things, but if I've missed anything feel free to let me know so I can add it.

As has been said a few times in this thread, if people change the cipher lists to the settings you recommend, they'll also disable TLS 1.0 and TLS 1.1 as well, which knocks out many, many browsers.

Why is using both -SSLv2 -SSLv3 not working? It works only when I use -SSLv3 or -SSLv2 on its own (can't disable both at the same time).

Any chance of a cPanel official update post, ideally with an e.t.a. for the next release which will remove SSL 3.0? Thanks.
> Any chance of a cPanel official update post, ideally with an e.t.a. for the next release which will remove SSL 3.0? Thanks.

Why is it cPanel's responsibility to do this for any service other than cPanel/WHM itself? There are numerous instructions here on how to disable SSLv3 across the board.
> Why is it cPanel's responsibility to do this for any service other than cPanel/WHM itself? There are numerous instructions here on how to disable SSLv3 across the board.

Because most of the instructions on here are plain wrong, advising disabling SSLv3 at the cipher level instead of at the protocol level. cPanel gives a complete interface to set all the most commonly needed settings for these services, but the SSLProtocol setting is not currently exposed.
> Because most of the instructions on here are plain wrong, advising disabling SSLv3 at the cipher level instead of at the protocol level. cPanel gives a complete interface to set all the most commonly needed settings for these services, but the SSLProtocol setting is not currently exposed.

Check the link I posted previously. Some involve editing the cipher line because the specific services in question, which are third-party to cPanel, don't have protocol-level definitions. That is not something cPanel has control over. The instructions I posted are correct and verified by cPanel staff.
> Any chance of a cPanel official update post, ideally with an e.t.a. for the next release which will remove SSL 3.0? Thanks.

> Why is it cPanel's responsibility to do this for any service other than cPanel/WHM itself? There are numerous instructions here on how to disable SSLv3 across the board.

I asked basically because:

> As the response from tech support indicates, you can manually force a different protocol list into every service provided by cPanel & WHM. I wouldn't recommend going this route unless you must reconfigure your services immediately (PCI compliance, for instance). The POODLE attack is very real, but since it's a man-in-the-middle attack like CRIME, BEAST and SSLStrip, it's unlikely to be widespread in the way Heartbleed and Shellshock were. The threat from POODLE is quite similar to the earlier man-in-the-middle attacks against SSL. The threat of a POODLE attack is also vastly lower than the threat caused by sending data over plaintext connections. The development team is working on changes to all supported cPanel & WHM releases to make the SSL protocol list default to secure settings and to make reconfiguration of the protocol list possible using the WHM interfaces. If you do reconfigure services manually as the tech support response indicates, you'll want to undo the changes once our fixes are available. Failing to remove these types of customizations when they are no longer needed increases the likelihood that the server will miss updates in the future. Many of the workarounds available for existing builds override cPanel & WHM's ability to update the configuration files. I'm working with our documentation team to get full details about how the cipher list and protocol list can be configured for all the services managed by cPanel & WHM into our documentation site. The documentation will be updated once the new builds are available. I'll add a link to this thread once the documentation is online. Unless you have an immediate requirement to update the protocol list though, I'd recommend waiting for the new cPanel & WHM builds that will default to secure SSL protocol settings.

So what is the harm in trying to find out the likely timescale for this? Chill.
> Check the link I posted previously. Some involve editing the cipher line because the specific services in question, which are third-party to cPanel, don't have protocol-level definitions. That is not something cPanel has control over. The instructions I posted are correct and verified by cPanel staff.

I agree entirely that if cPanel uses a third-party service, and that service does not provide a way to configure the SSLProtocol, then cPanel cannot expose a setting that does not exist. (Unless, of course, they wish to compile these third-party services themselves, building in that extra setting; for the last few releases, all those third-party services have come through cPanel's own RPM mechanism for exactly this reason.)

However, just because the SSLProtocol cannot be set, that doesn't then mean that changing the cipher suite becomes the correct answer. Because TLS 1.0 and TLS 1.1 are seen as using SSLv3 ciphers (without themselves being vulnerable to POODLE; they are TLS, after all), they would all be blocked. Anyone who restricted SSLv3 at the cipher level would find many more browsers shut out than just IE6 on Windows XP. Just taking the relatively small list of browsers tested by SSL Labs, the following would all be unnecessarily blocked from connecting to a site if the SSLv3 cipher was removed. There are, of course, many more. (I'm already seeing people saying that they're having trouble connecting to remote services from a JVM client, and I suspect it's because they've blocked too much.) (Of course, it may be that someone regards the risks of this so highly that they'd rather shut out all these clients than take the security risk, but that's a decision that only the server administrator can take; they need to be aware of the price before they go down this route.)

- Android 2.3.7 No SNI 2 TLS 1.0
- Android 4.0.4 TLS 1.0
- Android 4.1.1 TLS 1.0
- Android 4.2.2 TLS 1.0
- Android 4.3 TLS 1.0
- BingBot Dec 2013 No SNI 2 TLS 1.0
- BingPreview Jun 2014 TLS 1.0
- Firefox 24.2.0 ESR / Win 7 TLS 1.0
- Googlebot Jun 2014 TLS 1.0
- IE 7 / Vista TLS 1.0
- IE 8 / XP No FS 1 No SNI 2 TLS 1.0
- IE 8-10 / Win 7 R TLS 1.0
- IE Mobile 10 / Win Phone 8.0 TLS 1.0
- Java 6u45 No SNI 2 TLS 1.0
- Java 7u25 TLS 1.0
- OpenSSL 0.9.8y TLS 1.0
- Safari 5.1.9 / OS X 10.6.8 TLS 1.0
- Safari 6.0.4 / OS X 10.8.4 R TLS 1.0

I've no intention of making this personal, Vanessa, since the same advice (block SSLv3 from the cipher list) is being given by many, many people. But I think people here would rather have a member of the cPanel team who are looking into POODLE come into this thread and confirm something as the right method, than have a general claim that "cPanel staff have looked into it and confirmed it's right". Is there any chance you could contact those members of the cPanel staff and invite them to add their own comment to this thread? Would you mind letting us know who, at cPanel, has verified this to be the correct method? Again, I only ask because the advice is being given so frequently, and yet seems to be the wrong approach, not because I have an issue with you personally; you, like I, are trying to help.
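The protocol-level versus cipher-level argument above, and the SSLProtocol / SSLCipherSuite pair posted earlier in the thread, can be checked mechanically. What follows is an added example, not code from this thread or from cPanel: a Python model of how Apache mod_ssl parses an SSLProtocol line (its real rule that a token without a +/- prefix replaces everything set before it is modelled), plus a simplified OpenSSL cipher-string resolver run over a small constructed suite table, used to see which clients from the SSL Labs list still negotiate a connection. The suite table, the client list and the names PROTOCOL_ORDER, SUITES, CLIENTS, negotiate and lockout_report are assumptions made for this example; the assumption that "All" includes SSLv2 depends on how OpenSSL was built.

```python
"""Added example (not from the thread or cPanel): why removing SSLv3 at the
protocol level (SSLProtocol ... -SSLv3) keeps TLS 1.0 clients working, while
removing it at the cipher level (!SSLv3) locks them out."""
from __future__ import annotations

# Assumption: a mod_ssl build where "All" expands to these five protocols.
PROTOCOL_ORDER = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def parse_ssl_protocol(directive: str, all_protocols=PROTOCOL_ORDER) -> set[str]:
    """Protocols enabled by an 'SSLProtocol ...' line, per mod_ssl's rules: '+tok'
    adds, '-tok' removes, an unprefixed token REPLACES everything set before it."""
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]
    enabled: set[str] = set()
    for tok in tokens:
        action, tok = (tok[0], tok[1:]) if tok[:1] in "+-" else ("", tok)
        if tok.lower() == "all":
            chosen = set(all_protocols)
        else:
            chosen = {p for p in all_protocols if p.lower() == tok.lower()}
            if not chosen:
                raise ValueError(f"unknown SSLProtocol token: {tok!r}")
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = chosen
    return enabled


# Constructed, trimmed-down suite table (OpenSSL names). First tag: the protocol
# family OpenSSL reports for the suite, i.e. what the SSLv3 / TLSv1.2 keywords
# of a cipher string select. Remaining tags: key-exchange, cipher and MAC aliases.
SUITES = {
    "ECDHE-RSA-AES128-GCM-SHA256": ("TLSv1.2", "ECDH", "AESGCM", "AES"),
    "AES128-GCM-SHA256":           ("TLSv1.2", "RSA", "AESGCM", "AES"),
    "ECDHE-RSA-AES128-SHA":        ("SSLv3", "ECDH", "AES"),
    "AES128-SHA":                  ("SSLv3", "RSA", "AES"),
    "DES-CBC3-SHA":                ("SSLv3", "RSA", "3DES"),
    "RC4-MD5":                     ("SSLv3", "RSA", "RC4", "MD5"),
    "ADH-AES128-SHA":              ("SSLv3", "DH", "aNULL", "AES"),
}


def _matches(tags: tuple[str, ...], name: str) -> bool:
    """'A+B' matches suites carrying both aliases; 'ALL' matches every suite."""
    return all(part == "ALL" or part in tags for part in name.split("+"))


def resolve_ciphers(cipher_string: str, suites=SUITES) -> list[str]:
    """Simplified ciphers(1) resolution: tok adds, +tok moves to the end,
    -tok removes (re-addable), !tok removes permanently."""
    current: list[str] = []
    killed: set[str] = set()
    for token in cipher_string.split(":"):
        if not token or token.startswith("@"):
            continue  # @STRENGTH-style sort directives are not modelled
        action, name = (token[0], token[1:]) if token[0] in "+-!" else ("", token)
        matched = [s for s, tags in suites.items() if _matches(tags, name)]
        if action == "!":
            killed.update(matched)
            current = [s for s in current if s not in killed]
        elif action == "-":
            current = [s for s in current if s not in matched]
        elif action == "+":
            current = [s for s in current if s not in matched] + [s for s in current if s in matched]
        else:
            current += [s for s in matched if s not in current and s not in killed]
    return current


# Constructed excerpt of the SSL Labs client list quoted in the thread, plus one
# hypothetical modern client: name -> highest protocol version the client speaks.
CLIENTS = {
    "Java 6u45": "TLSv1",
    "IE 8 / XP": "TLSv1",
    "OpenSSL 0.9.8y": "TLSv1",
    "TLS 1.2 client (hypothetical)": "TLSv1.2",
}


def negotiate(client_max: str, protocols: set[str], ciphers: list[str]) -> str | None:
    """Version the handshake settles on, or None if the client is locked out: the
    highest common version, provided one listed suite works there (TLSv1.2-family
    suites need TLSv1.2; SSLv3-family suites work on SSLv3 and every TLS version)."""
    common = [p for p in PROTOCOL_ORDER[: PROTOCOL_ORDER.index(client_max) + 1] if p in protocols]
    if not common:
        return None
    version = common[-1]
    for suite in ciphers:
        family = SUITES[suite][0]
        if (family == "TLSv1.2" and version == "TLSv1.2") or (family == "SSLv3" and version != "SSLv2"):
            return version
    return None


def lockout_report(ssl_protocol: str, cipher_string: str, clients=CLIENTS) -> dict[str, str | None]:
    """For each client, the version it would negotiate under this Apache config."""
    protocols = parse_ssl_protocol(ssl_protocol)
    ciphers = resolve_ciphers(cipher_string)
    return {name: negotiate(top, protocols, ciphers) for name, top in clients.items()}
```

Calling lockout_report("SSLProtocol All -SSLv2 -SSLv3", "ALL:!aNULL:!MD5") reports Java 6u45 and IE 8 / XP negotiating TLSv1, whereas lockout_report("SSLProtocol All -SSLv2 -SSLv3", "ALL:!SSLv3") reports None for every TLS 1.0 client, because "!SSLv3" permanently removes every suite OpenSSL files under the SSLv3 family and only the TLSv1.2-only suites survive. The parser also shows why "SSLProtocol TLSv1 TLSv1.1" leaves only TLSv1.1 enabled: the second unprefixed token replaces the first.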
> Any chance of a cPanel official update post, ideally with an e.t.a. for the next release which will remove SSL 3.0? Thanks.

I sat down with the head of the team that is doing the updates this morning. He's expecting that the builds will be out tomorrow. All the expected caveats apply though. It's not possible to be 100% accurate when estimating the time for development and QA testing.
> I sat down with the head of the team that is doing the updates this morning. He's expecting that the builds will be out tomorrow. All the expected caveats apply though. It's not possible to be 100% accurate when estimating the time for development and QA testing.

Howdy. Do you know if that means we will have to visit new page settings in the WHM UI to apply the fixes, or are these going to be done automagically? There was some talk about a central page for the ciphers and such.
> Howdy. Do you know if that means we will have to visit new page settings in the WHM UI to apply the fixes, or are these going to be done automagically? There was some talk about a central page for the ciphers and such.

Hi, when can we expect an update to the openssl package? Regards, Serlex
I have applied this code:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

I haven't changed any code on my site at all, but now all my websites on this server are not working:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
More information about this error may be available in the server error log.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 Server at ritsol.net Port 80

I have the following errors in the error_log file:

[Tue Oct 21 10:48:32 2014] [error] Premature end of script headers: index.php
[Tue Oct 21 10:48:32 2014] [error] File does not exist: /home/Domainname/public_html/support/500.shtml

Hello, I have made the following changes suggested by cPanel and the cPanel proxy URL stopped working with the following error.

1) Go to WHM => Service Configuration => Apache Configuration => Include Editor => Pre Main Include.
2) Select a version or All Versions.
3) Add the following in the text box that appears:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

4) Press the Update button and rebuild your Apache configuration.

[Tue Oct 21 12:29:21 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1)
[Tue Oct 21 12:29:21 2014] [error] [client 1xxx.xxx.xxx.xxx] proxy: Error during SSL Handshake with remote server returned by /
[Tue Oct 21 12:29:21 2014] [error] proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1) from 1xxx.xxx.xxx.xxx ()
[Tue Oct 21 12:29:21 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1)
[Tue Oct 21 12:29:21 2014] [error] [client 1xxx.xxx.xxx.xxx] proxy: Error during SSL Handshake with remote server returned by /500.shtml
[Tue Oct 21 12:29:21 2014] [error] proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1) from 1xxx.xxx.xxx.xxx ()
[Tue Oct 21 12:29:21 2014] [error] an unknown filter was not added: DEFLATE
[Tue Oct 21 12:29:21 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1)
[Tue Oct 21 12:29:21 2014] [error] [client 1xxx.xxx.xxx.xxx] proxy: Error during SSL Handshake with remote server returned by /favicon.ico
[Tue Oct 21 12:29:21 2014] [error] proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1) from 1xxx.xxx.xxx.xxx ()
[Tue Oct 21 12:29:21 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1)
[Tue Oct 21 12:29:21 2014] [error] [client 1xxx.xxx.xxx.xxx] proxy: Error during SSL Handshake with remote server returned by /500.shtml
[Tue Oct 21 12:29:21 2014] [error] proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1) from 1xxx.xxx.xxx.xxx ()

Can someone advise? Regards, TuxSage
I see from the changelogs that 11.44.1.19 and 11.45.999.124 are out with numerous SSL changes, and the update of one of my installations from 11.44.1.18 to 11.44.1.19 is underway (2%). If the timeline on the cPanel Documentation Home is any indication, there aren't yet any docs on how to actually use the changes.

Oh, and 11.46.09 is out (and includes the SSL changes), and is the new CURRENT.

That is correct. The interfaces that allow you to configure SSLCiphers for each subsystem should now have separate textboxes to enter the SSLProtocol string. We're working on getting the online documentation and the information our support department is sharing updated to match the new functionality. New builds for the 11.42 and 11.40 LTS releases are still in the works. They likely will not be completed, tested and released until next week.
> That is correct. The interfaces that allow you to configure SSLCiphers for each subsystem should now have separate textboxes to enter the SSLProtocol string. We're working on getting the online documentation and the information our support department is sharing updated to match the new functionality. New builds for the 11.42 and 11.40 LTS releases are still in the works. They likely will not be completed, tested and released until next week.

Does this mean that if we are on RELEASE 11.44.1.19 (or any of the other latest releases) that we should still wait for an additional patch, or are we required to make the modifications ourselves? Should we open a ticket, or apply settings as suggested by the support page mixed with the hints in this thread?

In 11.44.1.19, on WHM > Service Configuration > Apache Configuration > Global Configuration, the field to set SSLProtocol has the label "SSL/TLS Cipher Suite". Is that a typo? (The expandable help section makes quite clear that this sets SSLProtocol.)