cPanel and OpenSSL 1.0.1c (or higher)

dualmonitor

Active Member
Dec 3, 2012
31
0
6
cPanel Access Level
Root Administrator
Hello gang,

Here are my current versions:

OpenSSL 1.0.0-fips 29 Mar 2010
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
CentOS release 6.4 (Final)

Sorry if this is a very noob question, but this sort of sysadmin work is not my background: Can anyone point to a handy primer on how I can get to OpenSSL 1.0.1c (or higher)?
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
80
458
cPanel Access Level
Root Administrator
Hello gang,

Here are my current versions:

OpenSSL 1.0.0-fips 29 Mar 2010
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
CentOS release 6.4 (Final)

Sorry if this is a very noob question, but this sort of sysadmin work is not my background: Can anyone point to a handy primer on how I can get to OpenSSL 1.0.1c (or higher)?
Running yum update in many situations will update your system to the latest release of CentOS 6.
 

dualmonitor

Active Member
Dec 3, 2012
31
0
6
cPanel Access Level
Root Administrator
Running yum update in many situations will update your system to the latest release of CentOS 6.
Yes, I recently (within the last week or two) ran yum update, which is how I got to the versions I posted above.

Just in case there was something newer available, I ran it again just now and received:

Setting up Update Process
No Packages marked for Update

I know InterServed offered some very detailed instructions in the fifth post of this thread:

https://forums.cpanel.net/f185/cpanel-openssl-1-0-1c-higher-332001.html#post1355351

...but I wanted to confirm that those steps are recommended before moving forward because I wouldn't know how to undo any changes I made if something were to go wrong :)
 

InterServed

Well-Known Member
Jul 10, 2007
275
18
68
cPanel Access Level
DataCenter Provider
Hi,

You may want to try "yum clean all && yum update". If that doesn't update your system to 6.5, which also includes the updated openssl package, then you should look at your repositories/mirrors.
 

dualmonitor

Active Member
Dec 3, 2012
31
0
6
cPanel Access Level
Root Administrator
Hi,

You may want to try "yum clean all && yum update". If that doesn't update your system to 6.5, which also includes the updated openssl package, then you should look at your repositories/mirrors.
After running:

Code:
yum clean all && yum update
...I got:

Setting up Update Process
No Packages marked for Update

again. So no dice there. Looks like it's time for a support ticket. Thanks for the tip InterServed :)
 

InterServed

Well-Known Member
Jul 10, 2007
275
18
68
cPanel Access Level
DataCenter Provider
I've seen cases where some servers were using private/local mirrors, so this might be your case.

Creating a ticket with your provider or cPanel should be your best option for a fast resolution.
 

dualmonitor

Active Member
Dec 3, 2012
31
0
6
cPanel Access Level
Root Administrator
I've seen cases where some servers were using private/local mirrors, so this might be your case.

Creating a ticket with your provider or cPanel should be your best option for a fast resolution.
You were exactly right, InterServed. The problem was that running yum update was resulting in a request to a private/local mirror that didn't offer the newest CentOS version.

After opening a ticket and getting some help from the nice folks at cPanel, I was able to update to the newest version. Now, when I run

ssh -V

I see:

Code:
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

openssl ciphers

gives me:

Code:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5
So it all looks like things have improved. However, my SSL Labs report card still caps me at a grade of B because:

The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
I also get:

The server does not support Forward Secrecy with the reference browsers.
:(

So I think that I'm halfway there. I have the right stuff to get PFS and TLS 1.2 running (OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013) but for some reason they're not activated. ?? Not sure. Any ideas, anyone? :)
 

robb3369

Well-Known Member
Mar 1, 2008
122
1
68
cPanel Access Level
Root Administrator
Try this... In your Apache Configuration -> Include Editor -> Pre Main Include:

Code:
# Use the server's preference order (the SSL Cipher Suite list below), not the client's
SSLHonorCipherOrder On
# Every protocol this OpenSSL supports, minus SSLv2
SSLProtocol All -SSLv2
# CVE-2011-3389
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
And in your Apache Configuration -> Global Configuration -> SSL Cipher Suite:

Code:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA
Running this config, I can still support those great IE 6 users (some are paying their hosting bills, so they still matter) and pull an "A" rating. Probably in a few months, I will revisit turning off SSLv3 on the SSLProtocol setting...
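How the SSL Cipher Suite string above actually behaves, as an added example (Python; not code from the post, from cPanel or from Apache): it splits an explicit SSLCipherSuite value into suite names, marks which ones give forward secrecy (ECDHE/DHE key exchange), which exist only in TLS 1.2 (AES-GCM and SHA-256/SHA-384 HMAC suites), and which a scanner such as SSL Labs penalises (RC4, 3DES, export, MD5), then simulates the suite Apache picks with SSLHonorCipherOrder On versus Off. The server list is the one in the post; the client preference list and the reordering helper are my own constructions, not any real browser's. Keyword forms such as HIGH, +ECDHE or !MD5 are rejected because expanding them needs "openssl ciphers -v".

```python
"""Audit an explicit Apache SSLCipherSuite string and simulate negotiation.

Added example for this thread; not the poster's, cPanel's or Apache's code.
"""
import re
from typing import Dict, List, Optional

# An explicit OpenSSL suite name: hyphen-joined upper-case tokens.
# Keywords (HIGH, ALL) and modifiers (+ECDHE, !MD5, -SSLv2) do not match.
_EXPLICIT_NAME = re.compile(r"^[A-Z0-9]+(?:-[A-Z0-9]+)+$")

# The SSL Cipher Suite value posted above (quoted from the thread).
POSTED_SUITES = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:"
    "ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:"
    "AES256-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA"
)

# Constructed client preference list (an assumption, not a real browser):
# a client that offers ECDHE but ranks plain-RSA suites above it.
CLIENT_LEGACY = ["AES128-SHA", "RC4-SHA", "ECDHE-RSA-AES128-SHA"]


def parse_suites(spec: str) -> List[str]:
    """Split a colon-separated SSLCipherSuite value into explicit suite names."""
    suites = []
    for tok in spec.split(":"):
        if not tok:
            continue
        if not _EXPLICIT_NAME.match(tok):
            raise ValueError(
                f"{tok!r} is a cipher-string keyword; expand it with 'openssl ciphers -v' first"
            )
        suites.append(tok)
    return suites


def has_forward_secrecy(suite: str) -> bool:
    """Ephemeral (EC)DH: the session key cannot be recovered from the RSA key."""
    return suite.startswith(("ECDHE-", "DHE-", "EDH-"))


def needs_tls12(suite: str) -> bool:
    """AES-GCM and SHA-2 HMAC suites are defined only for TLS 1.2."""
    return "GCM" in suite or suite.endswith(("SHA256", "SHA384"))


def weaknesses(suite: str) -> List[str]:
    """Reasons a scanner of this era marks a suite down."""
    found = []
    if suite.startswith("EXP-"):
        found.append("export-grade")
    if "RC4" in suite:
        found.append("RC4")
    if "DES-CBC3" in suite or "3DES" in suite:
        found.append("3DES")
    elif "DES-CBC" in suite:
        found.append("single DES")
    if suite.endswith("MD5"):
        found.append("MD5 MAC")
    if suite.startswith(("ADH-", "AECDH-")) or "NULL" in suite:
        found.append("no authentication or no encryption")
    return found


def audit(spec: str) -> Dict[str, object]:
    """Summarise forward secrecy, TLS 1.2-only suites and penalised suites."""
    suites = parse_suites(spec)
    weak: Dict[str, List[str]] = {}
    for s in suites:
        w = weaknesses(s)
        if w:
            weak[s] = w
    return {
        "count": len(suites),
        "forward_secrecy": [s for s in suites if has_forward_secrecy(s)],
        "tls12_only": [s for s in suites if needs_tls12(s)],
        "weak": weak,
    }


def negotiate(server: List[str], client: List[str], honor_server_order: bool) -> Optional[str]:
    """Suite Apache selects.  SSLHonorCipherOrder On: first server preference the
    client also offers.  Off: first client preference the server accepts."""
    first, second = (server, client) if honor_server_order else (client, server)
    accepted = set(second)
    for s in first:
        if s in accepted:
            return s
    return None


def prefer_forward_secrecy(suites: List[str]) -> List[str]:
    """Stable reorder: forward-secret suites first, penalised suites last,
    keeping the original relative order inside each group."""
    return sorted(suites, key=lambda s: (not has_forward_secrecy(s), bool(weaknesses(s))))


if __name__ == "__main__":
    posted = parse_suites(POSTED_SUITES)
    print(audit(POSTED_SUITES))
    print("honor On :", negotiate(posted, CLIENT_LEGACY, True))
    print("honor Off:", negotiate(posted, CLIENT_LEGACY, False))
    print("reordered:", negotiate(prefer_forward_secrecy(posted), CLIENT_LEGACY, True))
```

With the posted order, the constructed client lands on RC4-SHA when SSLHonorCipherOrder is On and on AES128-SHA when it is Off; neither has forward secrecy, because RC4-SHA sits above ECDHE-RSA-AES128-SHA in the server list. Moving the ECDHE suites ahead of every plain-RSA suite makes the same client negotiate ECDHE-RSA-AES128-SHA, which is the kind of ordering fix the "no Forward Secrecy with the reference browsers" finding asks for.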
 

dualmonitor

Active Member
Dec 3, 2012
31
0
6
cPanel Access Level
Root Administrator
Try this... In your Apache Configuration -> Include Editor -> Pre Main Include:

Code:
SSLHonorCipherOrder On
SSLProtocol All -SSLv2
# CVE-2011-3389
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
And in your Apache Configuration -> Global Configuration -> SSL Cipher Suite:

Code:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA
Running this config, I can still support those great IE 6 users (some are paying their hosting bills so they still matter) and pull an "A" rating. Probably in a few months, I will revisit turning off SSLv3 on the SSLProtocol setting...
Rob that worked great! I went from an SSL Labs rating of B to A-! Thank you so much! :)

Now I just need to get Perfect Forward Secrecy in place...
 

dualmonitor

Active Member
Dec 3, 2012
31
0
6
cPanel Access Level
Root Administrator
Hi,

For that to work you will need to upgrade to Apache 2.4 using EasyApache.
Hmm, when you say "that" do you mean Perfect Forward Secrecy (PFS)? I'm already on Apache 2.4.6.

In fact, (and this is curious), inside WHM when I go Home->Server Status->Apache Status it reads:

Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_bwlimited/1.4 mod_fcgid/2.3.6



However, as I mentioned earlier in this thread in Comment #27, when I do

ssh -V

I see:

Code:
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
I wonder:

  1. why one says OpenSSL/1.0.0-fips and the other says OpenSSL 1.0.1e-fips
  2. if this is involved in getting PFS to work
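Items 1 and 2 above, as an added example (Python; not from the thread or from cPanel): each program reports the OpenSSL it was built against, so two different banners on one box mean two different libraries are in play. The script parses both banner formats seen in this thread, checks each against the 1.0.1c minimum the thread asks about, and flags when they disagree. The banners are the ones quoted in the posts; the function names are my own.

```python
"""Compare the OpenSSL version strings reported by different programs.

Added example for this thread (not cPanel's or the poster's code).
"""
import re
from typing import Dict, NamedTuple, Optional

# Matches "OpenSSL 1.0.1e-fips" (openssl / ssh -V style) and
# "OpenSSL/1.0.0-fips" (Apache status-line style).  The optional trailing
# letter is the pre-1.1 patch-level suffix: 1.0.1 < 1.0.1a < ... < 1.0.1e.
_VERSION_RE = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]?)")


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: str  # '' for the base release, 'a'..'z' for patch releases

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.fix}{self.patch}"


def parse_openssl_version(banner: str) -> Optional[OpenSSLVersion]:
    """Pull the OpenSSL version out of a banner; None if there is none."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def at_least(found: OpenSSLVersion, required: str) -> bool:
    """True when *found* is *required* or newer.  Plain tuple comparison is
    correct because '' (base release) sorts before 'a' and letters sort in order."""
    req = parse_openssl_version("OpenSSL " + required)
    if req is None:
        raise ValueError(f"not an OpenSSL version: {required!r}")
    return tuple(found) >= tuple(req)


def audit(banners: Dict[str, str], required: str = "1.0.1c") -> Dict[str, object]:
    """Check every banner against *required* and flag when they disagree."""
    parsed = {name: parse_openssl_version(text) for name, text in banners.items()}
    report: Dict[str, object] = {}
    for name, ver in parsed.items():
        report[name] = {
            "version": str(ver) if ver is not None else None,
            "ok": ver is not None and at_least(ver, required),
        }
    seen = {str(v) for v in parsed.values() if v is not None}
    # More than one distinct version means some binary is still linked
    # against an older library and needs rebuilding.
    report["consistent"] = len(seen) <= 1
    return report


# Banners quoted in this thread, before the Apache rebuild.
THREAD_BANNERS = {
    "ssh -V": "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013",
    "Apache status": "Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_bwlimited/1.4 mod_fcgid/2.3.6",
}

if __name__ == "__main__":
    for name, result in audit(THREAD_BANNERS).items():
        print(f"{name}: {result}")
```

On the banners quoted in this thread the report marks "ssh -V" as ok, "Apache status" as not ok, and consistent as False, which is exactly the state where the system library is new enough but the web server is not.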
 

robb3369

Well-Known Member
Mar 1, 2008
122
1
68
cPanel Access Level
Root Administrator
I'm actually using Apache/2.2.26 (Unix) with OpenSSL/1.0.1e-fips on CloudLinux 6.5...

I've been tweaking the ciphers for a few days to get rid of a Sev 2 issue reported in a scan from McAfee Secure, an IV disclosure issue...

I've updated my Apache Configuration -> Include Editor -> Pre Main Include:
Code:
# Use the server's preference order (the SSL Cipher Suite list below), not the client's
SSLHonorCipherOrder On
# Disables TLSv1 and SSLv2; SSLv3, TLSv1.1 and TLSv1.2 stay enabled
SSLProtocol ALL -TLSv1 -SSLv2
# CVE-2011-3389
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
And my Apache Configuration -> Global Configuration -> SSL Cipher Suite:
Code:
+ECDHE:+DHE:HIGH:!DHE-RSA-AES128-SHA:!ECDHE-RSA-AES128-SHA:!MD5:!ADH:!aNULL:!eNULL:!EXP
And I'm still at an "A" on the SSL Labs site.
 

dualmonitor

Active Member
Dec 3, 2012
31
0
6
cPanel Access Level
Root Administrator
@dualmonitor, you will need to rebuild your apache/php so they can be built using the new openssl package.
InterServed, you are a saint. I took your advice and used Home »Software »EasyApache (Apache Update) to rebuild apache/php and now when I go Home->Server Status->Apache Status it reads:

Code:
Apache/2.4.7 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 mod_fcgid/2.3.6
And now my report on SSLLabs.com is A+! :D

Thank you!
 

dnswho

Well-Known Member
Mar 5, 2003
55
0
156
Yes, it works well, man. Thanks, I'm at a big A now :)