  1. #1
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Aug 2007
    Location
    Escondido, CA
    Posts
    11

    Default cpdavd forced sslv3?

    Hi,

    I'm running WHM 11.23.2 cPanel 11.23.3-R25623

    How would I go about configuring cpdavd to be forced to use SSLv3? It is coming up in PCI compliance scans as an insecure SSL daemon because it still allows SSLv2. We have solved the issue for all other daemons and cPanel ports except this one.

    From looking at /usr/local/cpanel/cpdavd, it looks like there is a function that is supposed to pull the SSL arguments from the Apache config, which, if true, would already have solved the issue, as we do not allow SSLv2 in Apache either.

    Anyone got any ideas?

    Thanks,
    Mike

  2. #2
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Jun 2007
    Posts
    4

    Default

    You can try disabling it from the cipher list with my patch:

    Code:
    --- cpdavdorig  2008-07-03 18:46:00.000000000 -0500
    +++ cpdavd      2008-07-03 19:05:05.000000000 -0500
    @@ -298,7 +298,7 @@
             else {
                 if ($SSLsocket) {
                     alarm(15);
    -                IO::Socket::SSL->start_SSL( $socket, SSL_server => 1, Cpanel::HTTPDaemonApp::get_sslargs() )
    +                IO::Socket::SSL->start_SSL( $socket, SSL_server => 1, SSL_cipher_list => 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP', Cpanel::HTTPDaemonApp::get_sslargs() )
                       || Cpanel::HTTPDaemonApp::kill_connection( $cphttpd, $socket, $r, $conf ); # This will exit
                     $SSLsocket = 2;
                     alarm(0);
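    Review bot: the added SSL_cipher_list sits before Cpanel::HTTPDaemonApp::get_sslargs() in the argument list of start_SSL, which collects its arguments into a hash, so if get_sslargs() ever returns its own SSL_cipher_list that later value wins and this override is silently lost; placing the key after get_sslargs() (or confirming that it never returns that key) avoids the ambiguity. Note also that -SSLv2 only removes the SSLv2 cipher suites, which is why the -ssl2 probe below fails with "no cipher list" rather than a protocol rejection; the protocol itself stays enabled unless IO::Socket::SSL's SSL_version is restricted as well.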
    Save the patch to cpdavd-ssl.patch and place it in /usr/local/cpanel/libexec, then patch the file like so:

    Code:
    [root@bed2 /usr/local/cpanel/libexec]# patch cpdavd cpdavd-ssl.patch
    patching file cpdavd
    Then restart cpdavd:

    Code:
    /usr/local/cpanel/etc/init/stopcpdavd
    /usr/local/cpanel/etc/init/startcpdavd
    You can verify like this:

    SSLv2:
    Code:
    $ openssl s_client -host 70.84.7.202 -port 2078 -verify -debug -ssl2
    verify depth is 0
    CONNECTED(00000003)
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=bed2.bedinabox.com/emailAddress=ssl@bed2.bedinabox.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=bed2.bedinabox.com/emailAddress=ssl@bed2.bedinabox.com
    verify return:1
    19992:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:469:
    SSLv3 & TLS1 still work:
    Code:
    $ openssl s_client -host 70.84.7.202 -port 2078 -verify -debug -ssl3
    verify depth is 0
    CONNECTED(00000003)
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=bed2.bedinabox.com/emailAddress=ssl@bed2.bedinabox.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=bed2.bedinabox.com/emailAddress=ssl@bed2.bedinabox.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=bed2.bedinabox.com/emailAddress=ssl@bed2.bedinabox.com
       i:/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=bed2.bedinabox.com/emailAddress=ssl@bed2.bedinabox.com
    ---
    Server certificate
    subject=/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=bed2.bedinabox.com/emailAddress=ssl@bed2.bedinabox.com
    issuer=/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=bed2.bedinabox.com/emailAddress=ssl@bed2.bedinabox.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1122 bytes and written 312 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : AES256-SHA
        Session-ID: 4A7CCADE182AB10C02324032700BB254488005FD44E478E933248EA3CD36651B
        Session-ID-ctx:
        Master-Key: C9A17EDB3853E6471E208C9F9864428C170CC819B2B239EE90010157BE230E3D33D5CC9FA1C414DD0C81794614A1F4DE
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1215128536
        Timeout   : 7200 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    Lemme know if you have any questions.


    __________________

    Patrick Pelanne
    Systems Administrator Level III
    Support Supervisor
    HostGator.com LLC.
    http://support.hostgator.com
    Last edited by Gatorpatrick; 07-04-2008 at 01:20 AM.

  3. #3
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Aug 2003
    Location
    San Diego
    Posts
    102
    cPanel/Enkompass Access Level

    DataCenter Provider

    Default

    This patch worked for me.
    -oly

  4. #4
    Member
    Join Date
    May 2007
    Posts
    78

    Default

    Is this the same edit that's used on "Courier Configuration" in WHM?

  5. #5
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Jun 2007
    Posts
    4

    Default

    No, this only affects the cpdavd daemon (webdav service). Currently to my knowledge there is no public way to disable SSLv2 functionality besides using the custom patch I've presented here as Shashank's stunnel method does not affect cpdavd. Utilizing Shashank's stunnel method and then implementing this patch will bring your cPanel services completely PCI compliant as far as SSL ciphers are concerned.
    Last edited by Gatorpatrick; 07-07-2008 at 01:38 AM.
    Patrick Pelanne
    Systems Administrator Level III
    Support Supervisor
    HostGator LLC.
    http://support.hostgator.com

  6. #6
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Aug 2003
    Location
    San Diego
    Posts
    102
    cPanel/Enkompass Access Level

    DataCenter Provider

    Default

    The one issue I'm having is how to make it stick. During cpanel updates, the changes are removed.

  7. #7
    cPanel Partner NOC cPanel Partner NOC Badge
    Join Date
    Jun 2007
    Posts
    4

    Default

    The trick is to just make a script to reapply it and save it to /scripts/postupcp; you'll want to chmod that 755 as well.
    Patrick Pelanne
    Systems Administrator Level III
    Support Supervisor
    HostGator LLC.
    http://support.hostgator.com
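
Putting posts #2 and #7 together, here is an added example (not code from the thread or from cPanel) of a /scripts/postupcp hook that re-applies the cipher patch idempotently after each cPanel update and then confirms, with the same openssl s_client -ssl2 probe used above, that SSLv2 is refused on the cpdavd SSL port. The patch path, port 2078 and the init scripts are taken from the thread; the two sample transcripts are constructed for offline use.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel: a /scripts/postupcp hook
# that re-applies the cpdavd cipher patch from post #2 after each cPanel update and
# then confirms that an SSLv2 handshake is refused on the cpdavd SSL port (2078).
CPDAVD=/usr/local/cpanel/cpdavd
PATCHFILE=/usr/local/cpanel/libexec/cpdavd-ssl.patch
SSL_PORT=2078

# Apply the patch only when it is not already present: a reversed dry run
# succeeds exactly when the file already carries the change.
reapply_patch() {
    if patch -R -s -f --dry-run "$1" "$2" >/dev/null 2>&1; then
        echo "cpdavd: patch already applied"
        return 0
    fi
    patch -s -f "$1" "$2"
}

# Classify an "openssl s_client -ssl2" transcript passed as one string:
# refused (no SSLv2 cipher offered), accepted (SSLv2 session negotiated), unknown.
classify_sslv2() {
    if printf '%s\n' "$1" | grep -q 'no cipher list'; then echo refused
    elif printf '%s\n' "$1" | grep -q 'Protocol *: *SSLv2'; then echo accepted
    else echo unknown
    fi
}

# Constructed transcripts for offline testing; the first copies the thread's output.
SAMPLE_REFUSED='19992:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:469:'
SAMPLE_ACCEPTED='SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5'

# Probe the local daemon; needs an OpenSSL build that still offers -ssl2.
check_sslv2_disabled() {
    out=$(openssl s_client -connect "127.0.0.1:$1" -ssl2 </dev/null 2>&1)
    [ "$(classify_sslv2 "$out")" = refused ]
}

# Only act on a real cPanel box; elsewhere the file just defines the functions.
if [ -f "$CPDAVD" ]; then
    reapply_patch "$CPDAVD" "$PATCHFILE" || exit 1
    /usr/local/cpanel/etc/init/stopcpdavd
    /usr/local/cpanel/etc/init/startcpdavd
    sleep 2
    check_sslv2_disabled "$SSL_PORT" && echo "cpdavd: SSLv2 refused on port $SSL_PORT" \
        || { echo "cpdavd: WARNING - SSLv2 still negotiable on port $SSL_PORT" >&2; exit 1; }
fi
```

Save it as /scripts/postupcp and chmod 755 as post #7 describes; a non-zero exit and the WARNING line tell you the reapplied patch did not take effect on that build.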

  8. #8
    Registered User
    Join Date
    Feb 2009
    Posts
    1

    Default

    I have updated the patch for 11.25 as the code for cpdavd has changed a bit... here it is:

    Code:
    --- cpdavdorig  2008-07-03 18:46:00.000000000 -0500
    +++ cpdavd      2008-07-03 19:05:05.000000000 -0500
    @@ -141,8 +141,8 @@
            else {
                $SIG{'PIPE'} = \&pipehandler;
                 if ($SSLsocket) {
                     alarm(15);
    -                IO::Socket::SSL->start_SSL( $socket, SSL_server => 1, 'SSL_reuse_ctx' => $ssl_ctx )
    +                IO::Socket::SSL->start_SSL( $socket, SSL_server => 1, SSL_cipher_list => 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP' , 'SSL_reuse_ctx' => $ssl_ctx )
                       || Cpanel::HTTPDaemonApp::kill_connection( $cphttpd, $socket, $r, $conf );    # This will exit
                     $SSLsocket = 2;
                     alarm(0);
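    Review bot: this hunk passes SSL_cipher_list alongside 'SSL_reuse_ctx' => $ssl_ctx; as far as I know IO::Socket::SSL applies the cipher list only when it builds a new context and uses a reused $ssl_ctx as-is, so the added option is most likely ignored on this code path. The restriction belongs where $ssl_ctx is constructed, and the openssl s_client -ssl2 probe from post #2 should be re-run against this build to confirm that SSLv2 is actually refused rather than assuming it from the scan result. The header lines also still carry the 2008 timestamps from the original patch.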
    This is working for me now for PCI compliance... thanks.

  9. #9
    cPanel Development cpanelkenneth's Avatar
    Join Date
    Apr 2006
    Posts
    3,788
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    It should not be necessary to patch cpdavd to obtain this functionality. The default cipher list for cpdavd is supposed to be:

    ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    However it appears the way this information is passed to IO::Socket::SSL is done in a way that IO::Socket::SSL doesn't yet implement.

    I've reported this to the developers so it can be rectified.

    Thank you.
    Kenneth
    Product Manager
    cPanel, Inc.

  10. #10
    Member
    Join Date
    Aug 2009
    Posts
    15

    Default

    Any news on this? The file seems to revert on each cPanel update, so getting this fixed properly will be good.

    Thanks!

    Christoph

  11. #11
    Registered User
    Join Date
    Mar 2010
    Posts
    2

    Default

    cpanelkenneth, has this been corrected yet, and if so, in what version?

  12. #12
    cPanel Development cpanelkenneth's Avatar
    Join Date
    Apr 2006
    Posts
    3,788
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by qdixon View Post
    cpanelkenneth, has this been corrected yet, and if so, in what version?
    The matter is corrected and is currently scheduled for 11.25.1. I'll see about getting it merged into 11.25.0.
    Kenneth
    Product Manager
    cPanel, Inc.

  13. #13
    cPanel Staff cPanelErin's Avatar
    Join Date
    Apr 2010
    Location
    Houston, TX
    Posts
    1

    Default

    We have verified the fix provided by development; it should make it into an 11.25.1 build imminently, and should be a candidate for release in 11.25.0 soon as well. Thank you very much for your patience.

  14. #14
    Member handsonhosting's Avatar
    Join Date
    Feb 2002
    Location
    Omaha, NE
    Posts
    150
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Hi Erin,

    Can you post here when you do make that inclusion? I've been watching out for it, but there's been limited information posted on the cPanel site in terms of NEWS, and no information as of yet listed for the ciphers.

    Thanks,

  15. #15
    Member handsonhosting's Avatar
    Join Date
    Feb 2002
    Location
    Omaha, NE
    Posts
    150
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    3 months later and we're still waiting on 11.25.1 to trickle into CURRENT release so that we can implement this fix.

    Can you provide a patch for the 11.25.0 version?
