#1 handsonhosting (Member; Omaha, NE; cPanel/Enkompass Access Level: Root Administrator)

SSLv2 on 2083 and 2087

    Hi Folks,

This is a continuation of a thread regarding ports 2077 and 2078 (http://forums.cpanel.net/f5/cpdavd-f...-85161-p2.html). The patches have been applied and for some reason ports 2083 and 2087 are now reporting that they can connect with SSLv2 instead of only with SSLv3.

I have duplicated this on a number of machines. The SSLv2 connection does not appear to be a result of implementing the patch for port 2078.


    On the Global Configuration for Apache the SSL Cipher Suite has the following:
    ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:+SSLv3:+TLSv1:RC4+RSA:+HIGH:+MEDIUM

    SSLv2 is marked to never connect. While this works fine for various other ports (443 etc), it does not seem to follow over on the 2083 and 2087 ports.

    Tested and duplicated using the following line (both on the machine, and from a remote machine):

    openssl s_client -host localhost -port 2083 -verify -debug -ssl2

    The response comes back with the Verify return code: 0 (ok) rather than a rejection.

The only other thing that we do have enabled on the servers is a wildcard certificate; however, I've also tested removing that certificate and leaving the standard cPanel self-signed one, but the results are the same.

    Anyone have any thoughts as to how to get 2083 and 2087 to only use SSLv3?

    Tested using the latest CURRENT and EDGE builds - same results on multiple machines.

#2 cpanelkenneth (cPanel Development; cPanel/Enkompass Access Level: Root Administrator)

    As far as I can tell (and I'll admit to not being an expert in this) the SSLv2 is indeed disabled for ports 2083 and 2087. Here's the result of running your command against 11.25.1-BETA_47285

    Code:
    root@tilly [~]# openssl s_client -host localhost -port 2083 -verify -debug -ssl2
    verify depth is 0
    CONNECTED(00000003)
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=tilly.cpanelqa.com/emailAddress=ssl@tilly.cpanelqa.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=tilly.cpanelqa.com/emailAddress=ssl@tilly.cpanelqa.com
    verify return:1
13384:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:

Compare that with trying to connect with SSLv3:

    Code:
    root@tilly [~]# openssl s_client -host localhost -port 2083 -verify -debug -ssl3
    verify depth is 0
    CONNECTED(00000003)
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=tilly.cpanelqa.com/emailAddress=ssl@tilly.cpanelqa.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=tilly.cpanelqa.com/emailAddress=ssl@tilly.cpanelqa.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=tilly.cpanelqa.com/emailAddress=ssl@tilly.cpanelqa.com
       i:/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=tilly.cpanelqa.com/emailAddress=ssl@tilly.cpanelqa.com
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIDrDCCAxWgAwIBAgIFAg96Z3wwDQYJKoZIhvcNAQEFBQAwgZkxCzAJBgNVBAYT
    AlVTMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQK
    EwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRswGQYDVQQDExJ0aWxseS5jcGFu
    ZWxxYS5jb20xJTAjBgkqhkiG9w0BCQEWFnNzbEB0aWxseS5jcGFuZWxxYS5jb20w
    HhcNMTAwMjEyMTUxMzQ4WhcNMTEwMjEyMTUxMzQ4WjCBmTELMAkGA1UEBhMCVVMx
    EDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoTB1Vu
    a25vd24xEDAOBgNVBAsTB1Vua25vd24xGzAZBgNVBAMTEnRpbGx5LmNwYW5lbHFh
    LmNvbTElMCMGCSqGSIb3DQEJARYWc3NsQHRpbGx5LmNwYW5lbHFhLmNvbTCBnzAN
    BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2PtnkeSYJMeLiRSy0Q4aZPcHPDerBEEC
    jY9PweyR+Q2lUDJslUwAjEXqS4u/nV/it11qEWlBrvJdWAfz8SvBxXvyiZu6xXF9
    6QO6M7p8g5MEFH5vPwVHrYzk/Wk2DuTccvRMbpNwYFmVZWkGnHmGZ5wg+xD9tORb
    TzBFlTJ4fQMCAwEAAaOB/TCB+jAdBgNVHQ4EFgQU00XCrpQ6FRa80+ddpn+sBXq0
    SbQwgcoGA1UdIwSBwjCBv4AU00XCrpQ6FRa80+ddpn+sBXq0SbShgZ+kgZwwgZkx
    CzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3du
    MRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRswGQYDVQQDExJ0
    aWxseS5jcGFuZWxxYS5jb20xJTAjBgkqhkiG9w0BCQEWFnNzbEB0aWxseS5jcGFu
    ZWxxYS5jb22CBQIPemd8MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA
    dNeCcvq9ZKgKpyrH3tNrISz7UtH8lnsDQsXIDtsAVY7KPeecEoU8JFgqdf35G/Vf
    8cbnl3GSucYTY0kn9hwZ0yIvv7XX9svZSefcGaFKH+8cA8WTSADtpVVwCGMR6NlJ
    3KFrgmCU3OB7BRvG5sw57+FnXPqlsl4/v9cRCWxZ++Q=
    -----END CERTIFICATE-----
    subject=/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=tilly.cpanelqa.com/emailAddress=ssl@tilly.cpanelqa.com
    issuer=/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=tilly.cpanelqa.com/emailAddress=ssl@tilly.cpanelqa.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1145 bytes and written 317 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: zlib compression
    Expansion: zlib compression
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : AES256-SHA
        Session-ID: 40B9E9D5AF7C6489BD47EA0F59C411A8922DA45CB474EA89EC2AC516CD3442E8
        Session-ID-ctx: 
        Master-Key: E151B6B6857EC371A348DDACAFFBC13EE596C073A956AD9D933A0C370831F491ED95E38E43166904FE3128B5C9087156
        Key-Arg   : None
        Krb5 Principal: None
       Compression: 1 (zlib compression)
        Start Time: 1280237018
        Timeout   : 7200 (sec)
        Verify return code: 18 (self signed certificate)
    ---
DONE

When connecting via SSLv2, openssl returns an error instead of negotiating the SSL/TLS handshake, which it does when connecting via SSLv3 (and TLSv1). If my understanding of the above is incorrect, please correct me.

    Please note that for the purposes of this test, the BETA version I used is the same as the latest EDGE build (no SSL related functions have changed in cpsrvd since the last EDGE).

    Thank you.
    Kenneth
    Product Manager
    cPanel, Inc.

#3 handsonhosting (Member; Omaha, NE; cPanel/Enkompass Access Level: Root Administrator)

    Hi Kenneth,

    Yes, your understanding is right. On SSLv2 it should not connect, and on SSLv3 it should display the connection information like you had.

I've just updated another machine (11.25.1-E47233) to the latest EDGE build, but I'm still having the same issue. Other ports are still blocked when trying with v2, but on 2083 and 2087 I can connect without a problem.

Ports 2083 and 2087 use the ciphers listed in WHM under Service Configuration >> Apache Configuration >> Global Configuration >> SSLCipherSuite.

    Is that correct?

I've tried setting that to the following ciphers:
    ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-SSLv3

Notice that I not only killed SSLv2 but also SSLv3. It still lets me connect, however, even after rebuilding Apache (and I verified in the httpd.conf file that there was only one reference to SSLCipherSuite). I also restarted cPanel (for good measure) and it would still connect.

So I guess now the question is: where are 2083 and 2087 getting their SSLCipherSuite instructions from? Setting it to -SSLv3 should have killed the connection there too, but it didn't.

#4 cpanelkenneth (cPanel Development; cPanel/Enkompass Access Level: Root Administrator)

    Greetings handsonhosting,

Quote Originally Posted by handsonhosting:
    Hi Kenneth,

    Yes, your understanding is right. On SSLv2 it should not connect, and on SSLv3 it should display the connection information like you had.
    Thank you for that verification.

Quote Originally Posted by handsonhosting:
    I've just updated another machine (11.25.1-E47233) to the latest edge build, but I"m still having the same issue. Other ports still blocked when trying with v2 but on 2083 and 2087 I can connect without a problem.

    Port 2083 and 2087 use the ciphers listed in WHM under the Service Configuration >> Apache Configuration >> Global Configuration > SSLCipherSuite

    Is that correct?
No. That UI is for configuring Apache, not cPanel.

    Here is the default cipher suite used by cpsrvd

    Code:
    ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Quote Originally Posted by handsonhosting:
    So I guess now the question is, where is 2083 and 2087 getting their SSLCipherSuite instructions from as setting it to -SSLv3 should have killed the connection there too but it didn't.
    You can configure the cipher suite by modifying /usr/local/cpanel/Cpanel/SSLService.pm. You'll see the cipher suite string therein. You'll need to restart cPanel after modifying that file.

    Based upon your description please also verify that your cPanel system is configured to use the SSL Service provided in cpsrvd. You should have the following entry in /var/cpanel/cpanel.config:

    nativessl=1

    If that directive does not exist or is 0 (zero) then stunnel is being used instead to provide SSL support in cPanel.
    Kenneth
    Product Manager
    cPanel, Inc.
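The checks from posts #1, #2 and #4 combined into one script, as an added example that is not part of the thread and not cPanel's own code: it forces one protocol version per `openssl s_client` run and classifies the transcript the way Kenneth reads it (a negotiated session versus an SSL-routines error), and it reads `nativessl` from `/var/cpanel/cpanel.config` to say whether cpsrvd or stunnel is terminating TLS on 2083/2087. The function names `classify_handshake`, `probe` and `ssl_backend`, the `--probe` flag and the sample transcripts in the usage note are assumptions of this example; the port numbers, config path and `nativessl` semantics come from the thread. It assumes an OpenSSL build that still accepts `-ssl2`/`-ssl3`, as the builds in the thread did; a modern OpenSSL refuses those flags on the client side, which the script reports as `unknown` rather than as a server rejection.

```shell
#!/bin/sh
# Added example (not from the cPanel thread). Probe cpsrvd's TLS ports with
# forced protocol versions and report which SSL layer cpsrvd is using.
# Assumption: local openssl accepts -ssl2/-ssl3 (old builds); on newer builds
# those flags fail before any connection and are reported as "unknown".

# Read an `openssl s_client` transcript on stdin and print one word:
#   accepted - a session was negotiated (a "Protocol  :" line is present)
#   rejected - the server refused the handshake (an "SSL routines" error)
#   unknown  - no connection at all, or the flag is unsupported locally
classify_handshake() {
  transcript=$(cat)
  if printf '%s\n' "$transcript" | grep -q '^ *Protocol *: '; then
    echo accepted
  elif printf '%s\n' "$transcript" | grep -q 'error:.*:SSL routines:'; then
    echo rejected
  else
    echo unknown
  fi
}

# Probe one host:port with one forced protocol ("ssl2", "ssl3" or "tls1").
# stdin is /dev/null so s_client exits right after the handshake attempt.
probe() {
  host=$1; port=$2; proto=$3
  printf '%s:%s %-5s ' "$host" "$port" "$proto"
  openssl s_client -connect "$host:$port" "-$proto" </dev/null 2>&1 | classify_handshake
}

# Per post #4: cpsrvd terminates TLS itself only when nativessl=1; when the
# directive is absent or 0, stunnel fronts 2083/2087 and the cipher string in
# /usr/local/cpanel/Cpanel/SSLService.pm is not what is being enforced.
ssl_backend() {
  cfg=${1:-/var/cpanel/cpanel.config}
  val=$(grep -E '^nativessl=' "$cfg" 2>/dev/null | tail -n 1 | cut -d= -f2)
  if [ "$val" = "1" ]; then
    echo native
  else
    echo stunnel
  fi
}

# Run the full sweep only when invoked as `sh probe_cpsrvd.sh --probe [host]`
# so the functions can also be sourced and used individually.
if [ "${1:-}" = "--probe" ]; then
  target=${2:-localhost}
  for proto in ssl2 ssl3 tls1; do
    probe "$target" 2083 "$proto"
    probe "$target" 2087 "$proto"
  done
  echo "cpsrvd SSL backend: $(ssl_backend)"
fi
```

On a server in the state handsonhosting first reported, the sweep prints `accepted` for `ssl2` on 2083 and 2087 while `ssl_backend` prints `stunnel`; after `nativessl=1` and a cPanel restart, `ssl2` flips to `rejected` (the `no cipher list` error from post #2) and `ssl3`/`tls1` stay `accepted`. The classifier is deliberately decoupled from the network call so it can be pointed at a saved transcript, which is also how it is exercised below.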

#5 handsonhosting (Member; Omaha, NE; cPanel/Enkompass Access Level: Root Administrator)

    Hey Kenneth,

Thanks for working through this with me. The nativessl setting is what tripped it all up.

So I guess nativessl should be ON on the servers. Not sure why it was disabled.

    Again, thank you for working through this - one more thing to mark off my list of TO DO items!

#6 cpanelkenneth (cPanel Development; cPanel/Enkompass Access Level: Root Administrator)

Quote Originally Posted by handsonhosting:
    Hey Kenneth,

Thanks for working through this with me. The nativessl setting is what tripped it all up.

So I guess nativessl should be ON on the servers. Not sure why it was disabled.

    Again, thank you for working through this - one more thing to mark off my list of TO DO items!
You're welcome. I'm glad it was something that simple.
    Kenneth
    Product Manager
    cPanel, Inc.

#7 Infopro (cPanel Product Evangelist; Pennsylvania; cPanel/Enkompass Access Level: Root Administrator)

Important cPanel/WHM Version Number Designation Change

    Please Note: Important cPanel/WHM Version Number Designation Change

    As of July 28, 2010 the cPanel/WHM version number designations have been officially changed.

    Version 11.25.1 is now designated 11.28 and version 11.25.2 is now designated 11.30.

These changes were explained in some detail recently at the July 2010 Quarterly Roadmap Webinar, direct from cPanel's PodCast Studio in Houston, Texas, with speakers David Grega and Mario Rodriguez.

    An official press release about these changes is forthcoming and can be accessed at this link as soon as it's made available to the Forum Team:
    Important cPanel/WHM Version Number Designation Change (To be updated)

    This post serves to update users who are subscribed to threads (where this message is posted) looking forward to upcoming enhancements in future versions of cPanel.
