Logjam vulnerability
In the SSL Cipher Suite setting of WHM, replace everything with this: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
My problem is setting the DH Parameter. I've attempted to modify httpd on one of my CloudLinux boxes and placed it in but Apache won't restart afterwards. Tried doing it in the includes settings of WHM for Apache as well and it says it's an invalid input.
Setting a good cipher suite is easy and shouldn't cause any issues other than with really old browsers (IE6 on Windows XP for instance). The other required fix is to change the DH Params and this is where it gets complicated. With Apache/mod_ssl, this can only be changed server-wide since Apache 2.4.8 and OpenSSL 1.0.2, which means if you're either running Apache 2.2 or still on CentOS 5, you're pretty much out of luck AFAIK. Moreover, cPanel does not support setting this SSLOpenSSLConfCmd DHParameters config so you have to resort to modifying the Apache config templates by hand. Unless I missed something...

Edit: You should be able to set this in the "Pre Virtualhost Global" includes if I am not mistaken. I have not tested this out however...
How do we do the 2nd recommended action?
Thanks! Now it's all good and site passes tests!
Hello, Here's a response from one of our technical analysts on a recent support ticket regarding this vulnerability: Thank you.
I've attempted to add it on one of our CloudLinux boxes running Apache 2.4 now (I'm one of those people that like to have control over these things) but Apache's Include Editor returns an error no matter where I put it.

SSLOpenSSLConfCmd DHParameters "/pathto/key/keyname.pem"

The error returned is that "SSLOpenSSLConfCmd DHParameters" is not a valid parameter. Editing httpd.conf directly just results in Apache not restarting. Am I going to need to open a support ticket?
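An added example, not part of any post in this thread: the version requirement quoted earlier (Apache 2.4.8 and OpenSSL 1.0.2) can be checked from the two version banners before editing any include. The banners below are constructed samples, the function names are hypothetical, and the check assumes `openssl version` reports the same library mod_ssl was built against.

```shell
#!/bin/sh
# Added example: gate for
#   SSLOpenSSLConfCmd DHParameters "/pathto/key/keyname.pem"
# using the thresholds stated in this thread (Apache >= 2.4.8, OpenSSL >= 1.0.2).

# ver_ge A B: succeed when dotted numeric version A >= B (first three fields).
ver_ge() {
    a="$1.0.0"; b="$2.0.0"            # pad so every field exists
    for i in 1 2 3; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Pull the numeric version out of each banner (letter suffix such as "e" dropped).
httpd_version()   { sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p'; }
openssl_version() { sed -n 's|^OpenSSL \([0-9][0-9.]*\).*|\1|p'; }

# directive_supported HTTPD_BANNER OPENSSL_BANNER
# returns 0 = both new enough, 1 = one is too old, 2 = banner not recognised
directive_supported() {
    hv=$(printf '%s\n' "$1" | httpd_version)
    ov=$(printf '%s\n' "$2" | openssl_version)
    if [ -z "$hv" ] || [ -z "$ov" ]; then return 2; fi
    ver_ge "$hv" 2.4.8 && ver_ge "$ov" 1.0.2
}

# Constructed banners for an offline run. On a server, pass "$(httpd -v)" and
# "$(openssl version)" instead.
HTTPD_22='Server version: Apache/2.2.29 (Unix)'
HTTPD_24='Server version: Apache/2.4.12 (Unix)'
OSSL_101='OpenSSL 1.0.1e-fips 11 Feb 2013'
OSSL_102='OpenSSL 1.0.2k-fips  26 Jan 2017'

if directive_supported "$HTTPD_24" "$OSSL_101"; then
    echo "DHParameters directive should be accepted"
else
    echo "DHParameters directive not supported by this Apache/OpenSSL pair"
fi
```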
So just to clarify, this isn't something that will simply be handled in the next cpanel patch? (seems to me that it wouldn't but I have a host that insists it will).
Hello, Apache 2.4 is already available via EasyApache should you prefer to upgrade to it. It's not an issue that's addressable through cPanel/WHM itself. Could you have your host provide more information on that statement? Thank you.
Hello, How to fix this problem with courier-imap and exim? The "Manage Service SSL Certificates" doesn't allow a unique DH group to be included. How to apply a unique DH group for the mail services? I have generated a unique DH group and I have a PEM file with "DH PARAMETERS". Thank you.
Hi, we have the same issue with IMAPS/POP3S; for some reason, the DH key on these two services is always showing as 768-bit: I have added the ciphers below to POP3S / IMAPS but they did not affect the problem. We are now having issues with Thunderbird 38.1 due to weak DH key:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
This is the result of the openssl check:

root> openssl s_client -connect web.somesite.com:993 -cipher "EDH"
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
verify return:1
depth=0 OU = GT22832445, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = web.somesite.com
verify return:1
---
Certificate chain
 0 s:/OU=GT22832445/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=web.somesite.com
   i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
subject=/OU=GT22832445/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=web.somesite.com
issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
---
No client certificate CA names sent
Server Temp Key: DH, 768 bits
---
SSL handshake has read 3050 bytes and written 305 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1.2
    Cipher : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 9C903102A2B97FC8DE75179D5F82719A6F8E456634D65CC154DDFC2852E1423A
    Session-ID-ctx:
    Master-Key: D8A223291C29688FF4CA8F2C62D4EC3AE7A4FB8B1890F462F3867ABA4C0234CB7B33A5C44C093BB2B84D698976C69EF5
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 7200 (seconds)
    Start Time: 1437665169
    Timeout : 300 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc. See COPYING for distribution information.
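An added example, not part of the post above: a filter that reads `openssl s_client` output and grades the "Server Temp Key" line, so the same check can be repeated on each service port after a change. The function names and the verdict labels are hypothetical, the sample outputs are constructed, and the thresholds (below 1024 bits weak, 2048 bits and up acceptable) are this example's assumption based on the usual post-Logjam guidance.

```shell
#!/bin/sh
# Added example: grade the DHE group size reported by `openssl s_client`.

# classify_temp_key: s_client output on stdin -> "<verdict> <bits>" on stdout.
classify_temp_key() {
    key=$(sed -n 's/^ *Server Temp Key: *//p' | head -n 1)
    case $key in
        "")   echo "no-temp-key 0"; return 0 ;;  # no ephemeral key reported
        DH,*) kind=dh ;;
        *)    kind=ecdh ;;                       # ECDH, X25519, ...
    esac
    # The size is the last number before the word "bits".
    bits=$(printf '%s\n' "$key" | sed -n 's/.*[, ]\([0-9][0-9]*\) bits.*/\1/p')
    if [ -z "$bits" ]; then echo "unparsed 0"; return 0; fi
    if [ "$kind" = ecdh ]; then echo "ecdh $bits"; return 0; fi
    if   [ "$bits" -lt 1024 ]; then echo "weak-dh $bits"
    elif [ "$bits" -lt 2048 ]; then echo "short-dh $bits"
    else                            echo "ok-dh $bits"
    fi
}

# dh_ok: succeed unless the server offered a DH group under 2048 bits.
dh_ok() {
    case $(classify_temp_key) in weak-dh*|short-dh*) return 1 ;; esac
    return 0
}

# check_host HOST:PORT: live check using the command shown in the post above.
check_host() {
    openssl s_client -connect "$1" -cipher EDH </dev/null 2>/dev/null |
        classify_temp_key
}

# Constructed samples; the first repeats the temp key line posted above.
SAMPLE_768='No client certificate CA names sent
Server Temp Key: DH, 768 bits
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384'
SAMPLE_2048='Server Temp Key: DH, 2048 bits'
SAMPLE_ECDH='Server Temp Key: ECDH, P-256, 256 bits'

for s in "$SAMPLE_768" "$SAMPLE_2048" "$SAMPLE_ECDH"; do
    printf '%s\n' "$s" | classify_temp_key
done
```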