cPanel and OpenSSL 1.0.1c (or higher)

dualmonitor

Active Member
Dec 3, 2012
31
0
6
cPanel Access Level
Root Administrator
Hello gang,

Here are my current versions:

OpenSSL 1.0.0-fips 29 Mar 2010
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
CentOS release 6.4 (Final)

Sorry if this is a very noob question, but this sort of sysadmin work is not my background: Can anyone point to a handy primer on how I can get to OpenSSL 1.0.1c (or higher)?
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
79
458
cPanel Access Level
Root Administrator
Hello gang,

Here are my current versions:

OpenSSL 1.0.0-fips 29 Mar 2010
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
CentOS release 6.4 (Final)

Sorry if this is a very noob question, but this sort of sysadmin work is not my background: Can anyone point to a handy primer on how I can get to OpenSSL 1.0.1c (or higher)?
running yum update in many situations will update your system to the latest release of CentOS 6.
 

dualmonitor

Active Member
Dec 3, 2012
31
0
6
cPanel Access Level
Root Administrator
running yum update in many situations will update your system to the latest release of CentOS 6.
Yes, I recently (within the last week or two) ran yum update, which is how I got to the versions I posted above.

Just in case there was something newer available, I ran it again just now and received:

Setting up Update Process
No Packages marked for Update

I know InterServed offered some very detailed instructions in the fifth post of this thread:

https://forums.cpanel.net/f185/cpanel-openssl-1-0-1c-higher-332001.html#post1355351

...but I wanted to confirm that those steps are recommended before moving forward because I wouldn't know how to undo any changes I made if something were to go wrong :)
 

InterServed

Well-Known Member
Jul 10, 2007
268
14
68
cPanel Access Level
DataCenter Provider
Hi,

You may wanna try "yum clean all && yum update". If that doesn't update your system to 6.5 that also includes the updated openssl package then you should look at you repositories/mirrors.
 

dualmonitor

Active Member
Dec 3, 2012
31
0
6
cPanel Access Level
Root Administrator
Hi,

You may wanna try "yum clean all && yum update". If that doesn't update your system to 6.5 that also includes the updated openssl package then you should look at you repositories/mirrors.
After running:

Code:
yum clean all && yum update
...I got:

Setting up Update Process
No Packages marked for Update

again. So no dice there. Looks like it's time for a support ticket. Thanks for the tip InterServed :)
 

InterServed

Well-Known Member
Jul 10, 2007
268
14
68
cPanel Access Level
DataCenter Provider
I've seen cases where some servers were using private/local mirrors , so this might be your case.

Creating a ticket with your provider or cPanel should be your best option for a fast resolution.
 

dualmonitor

Active Member
Dec 3, 2012
31
0
6
cPanel Access Level
Root Administrator
I've seen cases where some servers were using private/local mirrors , so this might be your case.

Creating a ticket with your provider or cPanel should be your best option for a fast resolution.
You were exactly right, InterServed. The problem was that running yum update was resulting in a request to a private/local mirror that didn't offer the newest CentOS version.

After opening a ticket and getting some help from the nice folks at cPanel, I was able to update to the newest version. Now, when I run

ssh -V

I see:

Code:
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

openssl ciphers

gives me:

Code:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC3-MD5:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-IDEA-CBC-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:KRB5-DES-CBC-SHA:KRB5-DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC4-MD5
So that all looks like things have improved. However my SSLLabs report card still caps me at a grade of B because:

The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.
I also get:

The server does not support Forward Secrecy with the reference browsers.
:(

So I think that I'm halfway there. I have the right stuff to get PFS and TLS 1.2 running (OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013) but for some reason they're not activated. ?? Not sure. Any ideas, anyone? :)
 

robb3369

Well-Known Member
Mar 1, 2008
122
1
66
cPanel Access Level
Root Administrator
Try this... In your Apache Configuration -> Include Editor -> Pre Main Include:

Code:
SSLHonorCipherOrder On
SSLProtocol All -SSLv2
# CVE-2011-3389
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
And in your Apache Configuration -> Global Configuration -> SSL Cipher Suite:

Code:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA
Running this config, I can still support those great IE 6 users (some are paying their hosting bills so they still matter) and pull an "A" rating. Probably in a few months, I will revisit turning off SSLv3 on the SSLProtocol setting...
 
Last edited:

dualmonitor

Active Member
Dec 3, 2012
31
0
6
cPanel Access Level
Root Administrator
Try this... In your Apache Configuration -> Include Editor -> Pre Main Include:

Code:
SSLHonorCipherOrder On
SSLProtocol All -SSLv2
# CVE-2011-3389
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
And in your Apache Configuration -> Global Configuration -> SSL Cipher Suite:

Code:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA
Running this config, I can still support those great IE 6 users (some are paying their hosting bills so they still matter) and pull an "A" rating. Probably in a few months, I will revisit turning off SSLv3 on the SSLProtocol setting...
Rob that worked great! I went from an SSL Labs rating of B to A-! Thank you so much! :)

Now I just need to get Perfect Forward Secrecy in place...
 

dualmonitor

Active Member
Dec 3, 2012
31
0
6
cPanel Access Level
Root Administrator
Hi,

For that to work you will need to upgrade to Apache 2.4 using EasyApache.
Hmm, when you say "that" do you mean Perfect Forward Secrecy (PFS)? I'm already on Apache 2.4.6.

In fact, (and this is curious), inside WHM when I go Home->Server Status->Apache Status it reads:

Apache/2.4.6 (Unix) OpenSSL/1.0.0-fips mod_bwlimited/1.4 mod_fcgid/2.3.6



However, as I mentioned earlier in this thread in Comment #27, when I do

ssh -V

I see:

Code:
OpenSSH_5.3p1, [B]OpenSSL 1.0.1e-fips[/B] 11 Feb 2013
I wonder:

  1. why one says OpenSSL/1.0.0-fips and the other says OpenSSL 1.0.1e-fips
  2. if this is involved in getting PFS to work
 

robb3369

Well-Known Member
Mar 1, 2008
122
1
66
cPanel Access Level
Root Administrator
I'm actually using Apache/2.2.26 (Unix) with OpenSSL/1.0.1e-fips on CloudLinux 6.5...

I've been tweaking on the ciphers for a few days to get rid of Sev 2 issue reported in a scan from McAfee Secure in an IV disclosure issue...

I've updated my Apache Configuration -> Include Editor -> Pre Main Include:
Code:
SSLHonorCipherOrder On
SSLProtocol ALL -TLSv1 -SSLv2
# CVE-2011-3389
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
And my Apache Configuration -> Global Configuration -> SSL Cipher Suite:
Code:
+ECDHE:+DHE:HIGH:!DHE-RSA-AES128-SHA:!ECDHE-RSA-AES128-SHA:!MD5:!ADH:!aNULL:!eNULL:!EXP
And I'm still at a "A" on SSLLabs site.
 

dualmonitor

Active Member
Dec 3, 2012
31
0
6
cPanel Access Level
Root Administrator
@dualmonitor , you will need to rebuild your apache/php so they can be build using the new openssl package.
InterServed, you are a saint. I took your advice and used Home »Software »EasyApache (Apache Update) to rebuild apache/php and now when I go Home->Server Status->Apache Status it reads:

Code:
Apache/2.4.7 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 mod_fcgid/2.3.6
And now my report on SSLLabs.com is A+! :D

Thank you!
 

dnswho

Well-Known Member
Mar 5, 2003
55
0
156
yes it work good man thk I big A now :)