The Community Forums


cpdavd forced sslv3?

Discussion in 'General Discussion' started by dclaw, Jul 3, 2008.

  1. dclaw

    dclaw Member
    PartnerNOC

    Hi,

    I'm running WHM 11.23.2 cPanel 11.23.3-R25623

    How would I go about configuring cpdavd to be forced to use sslv3? It is coming up in PCI Compliance scans as an insecure ssl daemon because it still allows sslv2. We have solved the issue for all other daemons and cpanel ports except this one.

    From looking at /usr/local/cpanel/cpdavd it looks like there is a function that is supposed to pull the SSL arguments from the apache config, which if true would already have solved the issue, as we do not allow sslv2 in apache either.

    Anyone got any ideas?

    Thanks,
    Mike
     
  2. Gatorpatrick

    Gatorpatrick Registered
    PartnerNOC

    You can try disabling it from the cipher list with my patch:

    Code:
    --- cpdavdorig  2008-07-03 18:46:00.000000000 -0500
    +++ cpdavd      2008-07-03 19:05:05.000000000 -0500
    @@ -298,7 +298,7 @@
             else {
                 if ($SSLsocket) {
                     alarm(15);
    -                IO::Socket::SSL->start_SSL( $socket, SSL_server => 1, Cpanel::HTTPDaemonApp::get_sslargs() )
    +                IO::Socket::SSL->start_SSL( $socket, SSL_server => 1, SSL_cipher_list => 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP', Cpanel::HTTPDaemonApp::get_sslargs() )
                       || Cpanel::HTTPDaemonApp::kill_connection( $cphttpd, $socket, $r, $conf ); # This will exit
                     $SSLsocket = 2;
                     alarm(0);
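    Review bot: In the `+` line the new `SSL_cipher_list => '...'` is placed before `Cpanel::HTTPDaemonApp::get_sslargs()`; `start_SSL` collapses its arguments into one key/value hash, so if `get_sslargs()` ever returns its own `SSL_cipher_list` (the default list cPanelKenneth quotes later in this thread), the later key silently wins and this override is lost. Put the explicit key after the `get_sslargs()` call, or confirm what that call returns. Also, the list starts from `ALL` and adds `RC4+RSA` explicitly; the cPanel default quoted later (`ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP`) does without the RC4 entry and is the safer baseline to copy. The `-ssl2` and `-ssl3` transcripts below are the right pair of checks: one proves SSLv2 is refused, the other that the daemon still answers, so both belong in whatever reapply script is used after updates.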
    Save the patch to cpdavd-ssl.patch and place it in /usr/local/cpanel/libexec, then patch the file like so:

    Code:
    [root@bed2 /usr/local/cpanel/libexec]# patch cpdavd cpdavd-ssl.patch
    patching file cpdavd
    Then restart cpdavd:

    Code:
    /usr/local/cpanel/etc/init/stopcpdavd
    /usr/local/cpanel/etc/init/startcpdavd
    You can verify like this:

    SSLv2:
    Code:
    $ openssl s_client -host 70.84.7.202 -port 2078 -verify -debug -ssl2
    verify depth is 0
    CONNECTED(00000003)
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=bed2.bedinabox.com/emailAddress=ssl@bed2.bedinabox.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=bed2.bedinabox.com/emailAddress=ssl@bed2.bedinabox.com
    verify return:1
    19992:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:469:
    SSLv3 & TLS1 still work:
    Code:
    $ openssl s_client -host 70.84.7.202 -port 2078 -verify -debug -ssl3
    verify depth is 0
    CONNECTED(00000003)
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=bed2.bedinabox.com/emailAddress=ssl@bed2.bedinabox.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=bed2.bedinabox.com/emailAddress=ssl@bed2.bedinabox.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=bed2.bedinabox.com/emailAddress=ssl@bed2.bedinabox.com
       i:/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=bed2.bedinabox.com/emailAddress=ssl@bed2.bedinabox.com
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    subject=/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=bed2.bedinabox.com/emailAddress=ssl@bed2.bedinabox.com
    issuer=/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=bed2.bedinabox.com/emailAddress=ssl@bed2.bedinabox.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1122 bytes and written 312 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : AES256-SHA
        Session-ID: 4A7CCADE182AB10C02324032700BB254488005FD44E478E933248EA3CD36651B
        Session-ID-ctx:
        Master-Key: C9A17EDB3853E6471E208C9F9864428C170CC819B2B239EE90010157BE230E3D33D5CC9FA1C414DD0C81794614A1F4DE
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1215128536
        Timeout   : 7200 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    Lemme know if you have any questions.


    __________________

    Patrick Pelanne
    Systems Administrator Level III
    Support Supervisor
    HostGator.com LLC.
    http://support.hostgator.com
     
    #2 Gatorpatrick, Jul 3, 2008
    Last edited: Jul 4, 2008
  3. tvcnet

    tvcnet Well-Known Member
    PartnerNOC

    This patch worked for me.
    -oly
     
  4. bls24

    bls24 Well-Known Member

    Is this the same edit that's used on "Courier Configuration" in WHM?
     
  5. Gatorpatrick

    Gatorpatrick Registered
    PartnerNOC

    No, this only affects the cpdavd daemon (webdav service). Currently to my knowledge there is no public way to disable SSLv2 functionality besides using the custom patch I've presented here as Shashank's stunnel method does not affect cpdavd. Utilizing Shashank's stunnel method and then implementing this patch will bring your cPanel services completely PCI compliant as far as SSL ciphers are concerned.
     
    #5 Gatorpatrick, Jul 6, 2008
    Last edited: Jul 7, 2008
  6. tvcnet

    tvcnet Well-Known Member
    PartnerNOC

    The one issue I'm having is how to make it stick. During cpanel updates, the changes are removed.
     
  7. Gatorpatrick

    Gatorpatrick Registered
    PartnerNOC

    The trick is to just make a script to reapply it and save it to /scripts/postupcp; you'll want to chmod that 755 as well.
     
  8. scorey

    scorey Registered

    I have updated the patch for 11.25 as the code for cpdavd has changed a bit... here it is

    Code:
    --- cpdavdorig  2008-07-03 18:46:00.000000000 -0500
    +++ cpdavd      2008-07-03 19:05:05.000000000 -0500
    @@ -141,8 +141,8 @@
            else {
                $SIG{'PIPE'} = \&pipehandler;
                 if ($SSLsocket) {
                     alarm(15);
    -                IO::Socket::SSL->start_SSL( $socket, SSL_server => 1, 'SSL_reuse_ctx' => $ssl_ctx )
    +                IO::Socket::SSL->start_SSL( $socket, SSL_server => 1, SSL_cipher_list => 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP' , 'SSL_reuse_ctx' => $ssl_ctx )
                       || Cpanel::HTTPDaemonApp::kill_connection( $cphttpd, $socket, $r, $conf );    # This will exit
                     $SSLsocket = 2;
                     alarm(0);
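    Review bot: The `+` line adds `SSL_cipher_list` to a `start_SSL` call that also passes `'SSL_reuse_ctx' => $ssl_ctx`; IO::Socket::SSL applies the cipher list when it builds an SSL context, so with a reused context the per-call option may never reach OpenSSL on this code path. Setting the cipher list where `$ssl_ctx` is created (`IO::Socket::SSL::SSL_Context->new`, which is what the later 11.25.0 patch in this thread does) is the dependable place; either way, re-run the `openssl s_client -ssl2` check from post #2 after applying rather than relying on the scan alone. Minor: the `---`/`+++` header still carries the 2008-07-03 `cpdavdorig` timestamps copied from the earlier patch, which misleads anyone checking which cpdavd revision this version targets.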
    
    This is working for me now for pci compliance.... thanks.
     
  9. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    It should not be necessary to patch cpdavd to obtain this functionality. The default cipher list for cpdavd is supposed to be:

    ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    However it appears the way this information is passed to IO::Socket::SSL is done in a way that IO::Socket::SSL doesn't yet implement.

    I've reported this to the developers so it can be rectified.

    Thank you.
     
  10. ckoehler

    ckoehler Member

    Any news on this? The file seems to revert on each cPanel update, so getting this fixed properly will be good.

    Thanks!

    Christoph
     
  11. qdixon

    qdixon Registered

    cPanelKenneth, has this been corrected yet, and if so, in what version?
     
  12. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    The matter is corrected and is currently scheduled for 11.25.1. I'll see about getting it merged into 11.25.0.
     
  13. cPanelErin

    cPanelErin Registered
    Staff Member

    We have verified the fix provided by development; it should make it into an 11.25.1 build imminently, and should be a candidate for release in 11.25.0 soon as well. Thank you very much for your patience.
     
  14. handsonhosting

    handsonhosting Well-Known Member

    Hi Erin,

    Can you post here when you do make that inclusion? I've been watching out for it, but there's been limited information posted on the cPanel site in terms of NEWS, and no information as of yet listed for the ciphers.

    Thanks,
     
  15. handsonhosting

    handsonhosting Well-Known Member

    3 months later and we're still waiting on 11.25.1 to trickle into CURRENT release so that we can implement this fix.

    Can you provide a patch for the 11.25.0 version?
     
  16. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Sure. It should apply cleanly (as it did on my test machine).

    Code:
    Index: libexec/cpdavd
    ===================================================================
    --- libexec/cpdavd      (revision 43325)
    +++ libexec/cpdavd      (revision 43326)
    @@ -96,9 +96,10 @@
     $0 = 'cpdavd - accepting connections on 2077 and 2078';
     print "Starting PID $$: $0\n";
    
    +my %SSLARGS = Cpanel::HTTPDaemonApp::get_sslargs('cpdavd');
     my $ssl_ctx = IO::Socket::SSL::SSL_Context->new(
         SSL_server => 1,
    -    Cpanel::HTTPDaemonApp::get_sslargs('cpdavd')
    +    %SSLARGS,
     ) || die "Could not load ssl libraries or certificate from /var/cpanel/ssl/cpanel/";
    
     open my $pid_fh, '>', $pid_file or die "Could not write $pid_file: $!";
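    Review bot: `%SSLARGS` is introduced with no comment saying why the result of `get_sslargs('cpdavd')` is now kept in a file-scope hash instead of being spliced inline (the reason only becomes visible in the second hunk, where the accept loop reuses it); a one-line comment at the declaration would save the next reader the search. Also, if `get_sslargs('cpdavd')` returns an empty list, `SSL_Context->new` is built with nothing but `SSL_server => 1` and may fall back to IO::Socket::SSL defaults rather than failing, while the `die` message that follows blames `/var/cpanel/ssl/cpanel/`; a `die` on an empty `%SSLARGS` with its own message would make that failure obvious.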
    @@ -141,7 +142,7 @@
                 $SIG{'PIPE'} = \&pipehandler;
                 if ($SSLsocket) {
                     alarm(15);
    -                IO::Socket::SSL->start_SSL( $socket, SSL_server => 1, 'SSL_reuse_ctx' => $ssl_ctx )
    +                IO::Socket::SSL->start_SSL( $socket, SSL_server => 1, 'SSL_reuse_ctx' => $ssl_ctx, %SSLARGS )
                       || Cpanel::HTTPDaemonApp::kill_connection( $cphttpd, $socket, $r, $conf );    # This will exit
                     $SSLsocket = 2;
                     alarm(0);
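    Review bot: In the `+` line `%SSLARGS` is spliced last, after `SSL_server => 1` and `'SSL_reuse_ctx' => $ssl_ctx`; since `start_SSL` collapses its arguments into a hash, an `SSL_server` or `SSL_reuse_ctx` key inside `%SSLARGS` would silently override the explicit ones. If `get_sslargs` is only meant to return certificate, key and cipher settings, put `%SSLARGS` first and the fixed keys after it so the daemon's own settings always win. Passing the same arguments to both the context constructor and `start_SSL` is the belt-and-braces approach this thread needed, given cPanelKenneth's earlier note that the old path never got the cipher list into IO::Socket::SSL.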
    
    As stated in prior posts, you'll need to create a postupcp script (or something similar) to reapply the patch after a cPanel update.

    cPanel 11.25.1 is currently in a performance evaluation and improvement cycle before pushing to CURRENT.
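    A reapply-and-verify hook for the problem raised in posts #6, #7 and #10 and the official patch in post #16, as an added example that is not code from cPanel or from any poster in this thread; it assumes the patch is saved as /usr/local/cpanel/libexec/cpdavd-ssl.patch (the name post #2 uses), that cPanel runs /scripts/postupcp after updates (post #7), and that the local OpenSSL still accepts -ssl2 as in post #2's check.

```sh
#!/bin/sh
# Added example, not cPanel's or a poster's code: a /scripts/postupcp hook that
# reapplies the cpdavd cipher patch after an update and checks SSLv2 is refused.
set -u
CPDAVD=/usr/local/cpanel/libexec/cpdavd               # target file (post #16)
PATCHFILE=/usr/local/cpanel/libexec/cpdavd-ssl.patch  # patch name from post #2
SSL_PORT=2078                                         # cpdavd SSL port (post #2)

# Return 0 when the patch is already in place. We look for a line the patch adds
# (%SSLARGS, post #16) rather than trusting timestamps, so a rerun is a no-op.
patch_applied() {
    grep -q 'my %SSLARGS = Cpanel::HTTPDaemonApp::get_sslargs' "$1"
}

# Return 0 when an "openssl s_client -ssl2" transcript shows the handshake was
# refused; post #2's transcript ends in "no cipher list" on success.
# Anything else (including a completed SSLv2 session) counts as not refused.
sslv2_refused() {
    case "$1" in
        *"no cipher list"*|*"handshake failure"*|*"unknown protocol"*) return 0 ;;
        *) return 1 ;;
    esac
}

reapply_patch() {
    if patch_applied "$CPDAVD"; then
        echo "cpdavd: patch already present"
        return 0
    fi
    # Dry-run first so a hunk that no longer applies never leaves a half-patched daemon.
    patch --dry-run -s "$CPDAVD" "$PATCHFILE" || return 1
    patch -s "$CPDAVD" "$PATCHFILE" || return 1
    /usr/local/cpanel/etc/init/stopcpdavd   # restart commands from post #2
    /usr/local/cpanel/etc/init/startcpdavd
}

verify_sslv2_off() {
    # -ssl2 only exists in OpenSSL builds that still ship SSLv2, as in post #2.
    out=$(openssl s_client -connect "127.0.0.1:$SSL_PORT" -ssl2 </dev/null 2>&1)
    sslv2_refused "$out"
}

main() {
    reapply_patch || { echo "cpdavd: patch failed, daemon not restarted" >&2; exit 1; }
    verify_sslv2_off || { echo "cpdavd: SSLv2 still accepted on $SSL_PORT" >&2; exit 1; }
}

# Only run the hook when installed under the name cPanel invokes (post #7).
case "$(basename "$0")" in postupcp) main ;; esac
```

    Because the hook exits non-zero when SSLv2 is still accepted, a failed reapply shows up in the update log instead of waiting for the next PCI scan.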
     
  17. handsonhosting

    handsonhosting Well-Known Member

    Thanks Kenneth,

    That seems to resolve things on the 2077 and 2078 port for us. Now we just have a final issue on the 2083 and 2087 ports. Should I start a new thread on that? It used to be fine, but now those two have flared up. Only thing different that I can tell is that we use a wildcard SSL Cert on the server, but that shouldn't play a factor.
     
  18. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    A separate thread would be great, along with any pertinent details that will help us reproduce and resolve the issue.
     
  19. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Important cPanel/WHM Version Number Designation Change

    Please Note: Important cPanel/WHM Version Number Designation Change

    As of July 28, 2010 the cPanel/WHM version number designations have been officially changed.

    Version 11.25.1 is now designated 11.28 and version 11.25.2 is now designated 11.30.

    These new changes were explained in some detail recently at the July 2010 - Quarterly Road map - Webinar direct from cPanel's PodCast Studio in Houston, Texas with speakers David Grega and Mario Rodriguez.

    An official press release about these changes is forthcoming and can be accessed at this link as soon as it's made available to the Forum Team:
    Important cPanel/WHM Version Number Designation Change (To be updated)

    This post serves to update users who are subscribed to threads (where this message is posted) looking forward to upcoming enhancements in future versions of cPanel.
     