SSLv3 Vulnerability : http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols
Mod Edit: Updated Response to Customers Posted
I received an email from HostingSecList today:
SSL v3
Rumoured Vulnerability
According to The Register, a serious vulnerability in SSL v3 will be disclosed tomorrow on October 15th. Some people are recommending disabling SSL v3 in various daemons until further notice.
Ongoing Discussion via WHT:
New SSL Vulnerability? - Vulnerabilities - Web Hosting Talk (http://www.webhostingtalk.com/showthread.php?t=1420329)
More information will be sent out via HSL once the vulnerability is released tomorrow and we urge everyone to stay alert and be ready to patch whatever necessary.
I thought I'd start up a thread here on cPanel, in case this turns into something we need to act upon. - Scott
Yes, it is a typo, but you know what it means. The Devs are clearly working on how to fix it. Getting a pretty label might come down in RELEASE or STABLE, but I am sure they appreciate your citing of it. If you don't keep on them it might be one of those eternal misnomers like transfer/bandwidth. Anyways, it works! For web at least. Need to check the other areas.
Two questions about 11.44.1.19:
1. The ChangeLog says the SSLProtocol setting for Exim is now configurable through WHM. I could find all the other services, but I couldn't find Exim. Where do you set this?
2. I've heard a few people say that the FTP server services don't need their SSL protocols restricting. Why not?
It works. But, one thing I've found, is that there's a little orange warning icon next to the new setting in Apache. That means "this setting hasn't been applied yet", so although the default is to disable SSLv3, you have to go into the Global Configuration screen, scroll to the bottom, and save. Then click the button to rebuild Apache's configuration and restart Apache. Without that, the new SSLProtocol value has not been added to httpd.conf
Is SSLHonorCipherOrder still needed in pre global includes with Apache now having the SSLProtocol option in 11.44.1.19?
This has got to be one of the most confusing threads I've read in a while. I hope we get some definitive answers from Cpanel.
> This has got to be one of the most confusing threads I've read in a while. I hope we get some definitive answers from Cpanel.
Agreed, quite frankly I'm really disappointed in CPanel on this one, they fell behind, far behind here. A few pages back, somebody quipped "why is it CPanel's responsibility to fix third party software" ... Well, it's their responsibility to fix anything their panel installs. This is a commercial product, partner NOCs spend thousands/tens of thousands of dollars a month on this product, on the basis of making servers manageable by people who would not be otherwise capable (either by skill-set, by volume, or both). As far as I'm concerned, CPanel should drop *everything* when there is an issue like this, it should take absolute priority over everything else.
I'm pleased to report that simply updating CPanel has removed SSLv3 ciphers from many of the services that previously offered them (465, 2083, 2087, etc). I had already disabled them in Apache when I saw that a CPanel update was forthcoming, but you can see from the linked nmap output that most services no longer support SSLv3. It looks like my Courier config is the only thing that will require a manual tweak. (And yes, I also should disable the weak ciphers...) https://gist.github.com/anonymous/721e2c973aa5c073c0ff
I too am disappointed with cPanel. I know enough about security to be dangerous and I also understand how difficult it is with the way that Apache and OpenSSL interact. But there is so much bad information in this thread and in cPanel postings. I too was trying out various configurations and managed to shut out a large number of clients while still scoring A on Qualys. Great to have a PCI site that many customers can't see. And no - it wasn't IE6 browsers only but Android as well. So please cPanel. If you don't know what you are doing consult with some experts. Get it right, guide us properly and we can get this vulnerability put to rest!
> I'm pleased to report that simply updating CPanel has removed SSLv3 ciphers from many of the services that previously offered them (465, 2083, 2087, etc). I had already disabled them in Apache when I saw that a CPanel update was forthcoming, but you can see from the linked nmap output that most services no longer support SSLv3. It looks like my Courier config is the only thing that will require a manual tweak. (And yes, I also should disable the weak ciphers...) https://gist.github.com/anonymous/721e2c973aa5c073c0ff
Yup, can confirm the same - update cPanel, folks!
> All, I've been repeatedly asked to post something about this to my site, so I did: de-POODLE-ing: How to Disable Support for SSLv3 on a cPanel Server - The cPanel Admin (http://thecpaneladmin.com/disabling-support-for-sslv3-on-a-cpanel-server/) In the post I have covered how to disable SSLv3 for all services on the system. A couple people from cPanel reviewed it for accuracy and added some things, but if I've missed anything feel free to let me know so I can add it.
I reverted all changes I made in recent days, made sure EasyApache was up to date, and updated cPanel. Next, I came back to this post by Vanessa and went down her list to compare her suggested (on October 18) changes against where I'm at on my end. These suggested settings are in cPanel, right now. Dear Vanessa, thank you for all of your contributions to this thread, and this forum. :)
I just need a clarification from the CP Admins please. I'm a noob user and this is probably the most confusing thread I've ever read. After 7 pages and what appears to be a final comment from a CP Admin I still have no idea what I'm supposed to do. Will this issue be resolved on its own in the next auto update or do we continue to wait? If we're expected to do anything on our end to fix this can we get a clear list of instructions please? Regards, Vince
As far as I can tell using vulnerability scanners the POODLE attack is prevented after upgrading to 11.44.1.19 without my having to do any configuration updates. Would be nice to have confirmation, though - the release notes seem to indicate that manual configuration is still necessary. It is also unclear to me if there are still services that are vulnerable. It seems to me that cPanel has been hard at work getting this resolved quickly, no complaints there. Communication hasn't been great, though.
I agree it would be helpful to have some more comments from cPanel on this. After 11.44.1.19, my sites were still being reported as using SSL v3. I went into WHM, Apache Configuration, Global Configuration. On the first option, SSL Cipher Suite, I selected the recommended option. This forced a rebuild of Apache, and now my sites are reporting that SSL v3 is disabled. So, it seems to me that a rebuild of Apache is required after the update to 11.44.1.19. Anyone else have this experience?
> I agree it would be helpful to have some more comments from cPanel on this. After 11.44.1.19, my sites were still being reported as using SSL v3. I went into WHM, Apache Configuration, Global Configuration. On the first option, SSL Cipher Suite, I selected the recommended option. This forced a rebuild of Apache, and now my sites are reporting that SSL v3 is disabled. So, it seems to me that a rebuild of Apache is required after the update to 11.44.1.19. Anyone else have this experience?
I can confirm this worked for me too. However it seems to apply the new configuration automatically when the cPanel upgrade is run with the 'forced' option, otherwise you have to actively go to the WHM 'Service Configuration' section and actively apply / rebuild / restart the updated service configuration for Apache, Dovecot, Exim (and possibly Courier which I never use). The cPanel/WHM SSL ports (2083, 2087, 2096) seem to be fixed immediately following update to 11.44.1.19
> I can confirm this worked for me too. However it seems to apply the new configuration automatically when the cPanel upgrade is run with the 'forced' option, otherwise you have to actively go to the WHM 'Service Configuration' section and actively apply / rebuild / restart the updated service configuration for Apache, Dovecot, Exim (and possibly Courier which I never use). The cPanel/WHM SSL ports (2083, 2087, 2096) seem to be fixed immediately following update to 11.44.1.19
I can also confirm that this worked for me. It took a few tries however and Qualys now rates us at A-. The A- because our cert needs to be re-issued with SHA-2. Can get to that now that POODLE is out of the way. One small problem we ran into was the directive All -SSLv2 was still in the Pre VirtualHost Include. This was overriding the -SSLv3 in the Global Configuration which was set as ALL -SSLv2 -SSLv3. Something to watch out for. We are PCI compliant so we had to remove the null ciphers which are left in the cPanel PCI cipher suite selection. Our cipher suite directive is custom as: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-EXP:!kEDH:!aNULL So - with a re-issued cert, we should be back to our A rating and our PCI work can re-start. Thanks to all that posted here and cPanel for getting this finally in place.
So, would it be correct to summarize that we now have various reports that:
1. merely upgrading resolves the vulnerabilities;
2. upgrading resolves the vulnerabilities, but only if run with the force option;
3. upgrading resolves the vulnerabilities, but only if Apache is rebuilt post-upgrade (possibly combined with #2);
4. upgrading resolves the vulnerabilities but only if the correct set of options is manually selected in individual service configurations after upgrading, depending on which services are installed (possibly combined with #2 or #3)?
Hello, Below is a copy of our updated response to customers:

On October 14, 2014, security experts alerted the general public to a flaw in an obsolete but still-used SSL protocol (SSLv3). The "POODLE" (Padding Oracle On Downgraded Legacy Encryption) attack can force a connection to "fallback" to SSL 3.0, where it is then possible to steal cookies, which are small data files that enable persistent access to an online service. If stolen, a cookie could allow an attacker access to someone's Web-based email account, for example.

It's important to know that this flaw is most likely present in all servers and is not specific to the cPanel software. In addition, this vulnerability does not appear to affect SSH and FTP services. Regardless, we recommend that you update your server as soon as possible to address this vulnerability.

As of 10/22/2014 cPanel has released versions of cPanel to disable SSLv3. These versions are:
11.46.0.9
11.44.1.19

Our changes introduced in the above versions disable SSLv3 support by default; however, in order for those changes to take effect through the update process, the services must be restarted. If you are currently running one of the above versions or later, or once you have upgraded your server, you will need to follow the below steps to ensure that SSLv3 is properly disabled. In addition, if you have already performed manual configuration changes on your server to disable SSLv3, you will need to revert those changes.

In order to identify the version of cPanel you are running, please log into WHM as root and identify the version in the top right of the WHM interface. Upgrade instructions can be found here:

Note about Mail Servers: The POODLE attack requires the client to retry connecting several times in order to downgrade to SSLv3, and typically only browsers will do this. Mail Clients are not as susceptible to POODLE. However, users who want better security should switch to Dovecot until we upgrade Courier to a newer version.
For cpsrvd:
1. Go to WHM => Service Configuration => cPanel Web Services Configuration
2. Make sure that the "TLS/SSL Protocols" field contains "SSLv23:!SSLv2:!SSLv3".
3. Select the "Save" button at the bottom.

For cpdavd:
1. Go to WHM => Service Configuration => cPanel Web Disk Configuration
2. Make sure that the "TLS/SSL Protocols" field contains "SSLv23:!SSLv2:!SSLv3".
3. Select the "Save" button at the bottom.

For Dovecot:
1. Go to WHM => Service Configuration => Mailserver Configuration.
2. SSL Protocols should contain "!SSLv2 !SSLv3". If it does not, replace the text in this field.
3. Go to the bottom of the page, and select the Save button to restart the service.

For Courier:
Courier has released a new version to mitigate this as of 10/22. Until we have an opportunity to review, test, and publish the new version of Courier, please switch to Dovecot for enhanced security.

For Exim:
1. Go to Home » Service Configuration » Exim Configuration Manager
2. Under Advanced Editor, look for 'openssl_options'.
3. Make sure the field contains "+no_sslv2 +no_sslv3".
4. Go to the bottom of the page, and select the Save button to restart the service.

====

To revert any manual changes you may have made to mitigate POODLE prior to the 11.46 upgrade:

For Apache:
1. Go to WHM => Service Configuration => Apache Configuration => Include Editor => Pre Main Include.
2. Select a version or All Versions.
3. Remove the following lines from the text box:
SSLHonorCipherOrder On
SSLProtocol +All -SSLv2 -SSLv3
4. Press the Update button to rebuild your Apache configuration.

For LiteSpeed:
No changes are necessary if you are using LiteSpeed version 4.2.18.

For cpsrvd:
1. Go to WHM => Service Configuration => cPanel Web Services Configuration
2. Make sure that the "TLS/SSL Protocols" field contains "SSLv23:!SSLv2:!SSLv3".
3. Select the "Save" button at the bottom.

For cpdavd:
1. Go to WHM => Service Configuration => cPanel Web Disk Configuration
2. Make sure that the "TLS/SSL Protocols" field contains "SSLv23:!SSLv2:!SSLv3".
3. Select the "Save" button at the bottom.

For Dovecot:
No change is required.

For Courier:
The POODLE attack requires the client to retry connecting several times in order to downgrade to SSLv3, and typically only browsers will do this. Mail Clients are not as susceptible to POODLE. However, users who want better security should switch to Dovecot until we upgrade Courier to a newer version.

For Exim:
1. Go to WHM => Service Configuration >> Exim Configuration Manager >> Advanced Editor.
2. Go to SECTION: Config at the top.
3. Search for openssl_options.
4. Ensure that this setting is set to "+no_sslv2 +no_sslv3" which is the cPanel Default.
5. Go to the bottom of the page, and select the Save button.

====

For major versions lower than those listed above, please review our documentation on adjusting cipher protocols here:
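To verify from the network side that the settings above actually took effect (the question that keeps coming up in this thread is how to check that a server is "really" no longer vulnerable), here is an added example that is not cPanel's code: it sends a raw SSLv3 ClientHello to each service port and classifies the reply, so a ServerHello at version 3.0 flags a service whose configuration still needs to be rebuilt and restarted. The host name is a placeholder; the ports are the cPanel service ports named in this thread, and STARTTLS ports (21, 25, 110, 143) are not handled.

```python
"""SSLv3 reachability probe, added as an illustration (not cPanel's code).
A ServerHello at version 3.0 means the service still negotiates SSLv3 (POODLE
exposure remains); an Alert, a TLS-version ServerHello or a dropped connection
means it is disabled. Host is a placeholder; STARTTLS ports are not handled."""
import os
import socket
import struct

SSL3 = b"\x03\x00"  # version 3.0 in both the record header and the ClientHello
# A few SSLv3-era RSA suites so a server that still speaks SSLv3 can pick one.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_sslv3_client_hello() -> bytes:
    """Construct a minimal SSLv3 ClientHello wrapped in a handshake record."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSL3                                       # client_version
        + os.urandom(32)                           # random
        + b"\x00"                                  # session_id length 0
        + struct.pack("!H", len(suites)) + suites  # cipher_suites
        + b"\x01\x00"                              # one compression method: null
    )
    # handshake header: type 1 (ClientHello) + 24-bit body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # record header: type 0x16 (handshake), version, 16-bit length
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Map the server's first record to sslv3_enabled / sslv3_disabled / unknown."""
    if len(data) < 5:
        return "unknown"  # nothing usable came back; do not report a pass
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        # ServerHello: negotiated version follows the 4-byte handshake header
        return "sslv3_enabled" if data[9:11] == SSL3 else "sslv3_disabled"
    if data[0] == 0x15:
        return "sslv3_disabled"  # alert, e.g. handshake_failure / protocol_version
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return "sslv3_disabled"  # server hung up rather than answer SSLv3


if __name__ == "__main__":  # cPanel service ports named in the thread
    for port in (443, 465, 993, 995, 2083, 2087, 2096):
        print(port, probe("server.example.com", port))  # placeholder host
```

Any port that comes back "sslv3_enabled" after the update is one whose service has not yet picked up the new configuration, which matches the reports in this thread that Apache needs a rebuild and the WHM Service Configuration pages need a Save.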
> For Apache:
> 1. Go to WHM => Service Configuration => Global Configuration.
> 2. SSL/TLS Cipher Suite (the second option, not "SSL Cipher Suite") should contain "All -SSLv2 -SSLv3".
> 3. Go to the bottom of the page, and select the Save button to restart the service.
You missed a step, it should read: 1. Go to WHM => Service Configuration => Apache Configuration => Global Configuration.
> Hello, Below is a copy of our updated response to customers:

Thank You, cPanel!
Did you rebuild your httpd.conf?
> I have 2 questions here. On all servers we have upgraded and rebooted we still have the "Vulnerable notice" like cpanel.net. Is this because of the SSL/TLS Cipher Suite? How can I check if the server is "really" not vulnerable?

It keeps saying that my server is vulnerable, does it have anything to do with my using Apache 2.4? Have you been able to solve it? Thanks
I see cPanel's letter doesn't mention FTP. Is it not vulnerable to POODLE? If I try to change the TLS cipher suite to HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3 the FTP server won't restart properly, any ideas? Edit: also, if I scan port 21 using poodlescan.com I get "SSLv3 is disabled", but I also get this warning: "This server supports the SSL v2 protocol. You should really disable this protocol", even though I have !SSLv2? Thanks John
Sorry, and one more note: when testing using SSL Labs and the default cPanel settings that supposedly fix this, it STILL reports the server as vulnerable to POODLE unless I change the setting to -All +TLSv1
> Sorry, and one more note: when testing using SSL Labs and the default cPanel settings that supposedly fix this, it STILL reports the server as vulnerable to POODLE unless I change the setting to -All +TLSv1
Since SSL Labs is only testing on 443 I wonder if you have already recompiled Apache via EasyApache. Perhaps you have some settings in the Apache configs left. You're right about Poodlescan and port 21. Not sure if that result is correct. When I connect directly on that port with SSLv2 I receive nothing. It does not look like the connection via port 21 is secured.
How to Adjust Cipher Protocols - cPanel Documentation
Note: cPanel & WHM does not provide OpenSSL. cPanel & WHM uses the version of OpenSSL that the base operating system provides.
HTH! :)
> OpenSSL> version
> OpenSSL 1.0.1e-fips 11 Feb 2013
> Was there a backported patch applied?
[CentOS-announce] CESA-2014:1652 Important CentOS 6 openssl Security Update (http://lists.centos.org/pipermail/centos-announce/2014-October/020697.html)
rpm -q --changelog openssl
* Wed Oct 15 2014 Tomáš Mráz 1.0.1e-30.2
- fix CVE-2014-3567 - memory leak when handling session tickets
- fix CVE-2014-3513 - memory leak in srtp support
- add support for fallback SCSV to partially mitigate CVE-2014-3566 (padding attack on SSL3)