The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Logjam vulnerability

Discussion in 'Security' started by katmai, May 20, 2015.

  1. katmai

    katmai Well-Known Member

    Joined:
    Mar 13, 2006
    Messages:
    526
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Brno, Czech Republic
  2. Aaron Moore

    Aaron Moore Registered

    Joined:
    May 20, 2015
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    WA
    cPanel Access Level:
    Root Administrator
  3. diegorxmx

    diegorxmx Member

    Joined:
    Oct 9, 2012
    Messages:
    7
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Mexico
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello.

    Anyone have a fix tool or steps to fix the logjam vulnerability? I have this:

    https://weakdh.org/sysadmin.html

    But, i don't understand the step 2, help me pls.
     
  4. Avalon

    Avalon Member

    Joined:
    Apr 27, 2015
    Messages:
    19
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    United States
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    In the SSL Cipher Suite setting of WHM, replace everything with this:

    Code:
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    My problem is setting the DH Parameter. I've attempted to modify httpd on one of my CloudLinux boxes and placed it in but Apache won't restart afterwards. Tried doing it in the includes settings of WHM for Apache as well and it says it's an invalid input.
     
  5. Cron0

    Cron0 Member
    PartnerNOC

    Joined:
    Mar 30, 2005
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Setting a good cipher suite is easy and shouldn't cause any issues other than with really old browsers (IE6 on Windows XP for instance)

    The other required fix is to change the DH Params and this is where it gets complicated. With Apache/mod_ssl, this can only be changed server-wide since apache 2.4.8 and openssl 1.0.2 which means if you're either running apache 2.2 or still on CentOS 5, your pretty much out of luck AFAIK.

    Moreover, cPanel does not support setting this SSLOpenSSLConfCmd DHParameters config so you have to resort to modifying the apache config templates by hand. Unless I missed something... Edit: You should be able to set this in the "Pre Virtualhost Global" includes if I am not mistaken. I have not tested this out however...
     
  6. AGNXNetworks

    AGNXNetworks Member

    Joined:
    Mar 6, 2013
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    How do we do the 2nd recommended action?
     
  7. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Here's a response from one of our technical analysts on a recent support ticket regarding this vulnerability:

    Thank you.
     
    eva2000 likes this.
  8. AGNXNetworks

    AGNXNetworks Member

    Joined:
    Mar 6, 2013
    Messages:
    18
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thanks! Now it's all good and site passes tests!
     
  9. Avalon

    Avalon Member

    Joined:
    Apr 27, 2015
    Messages:
    19
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    United States
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    I've attempted to add it on one of our CloudLinux boxes running Apache 2.4 now (I'm one of those people that like to have control over these things) but Apache's Include Editor returns an error no matter where I put it.

    Code:
    SSLOpenSSLConfCmd DHParameters "/pathto/key/keyname.pem"
    The error returned is that "SSLOpenSSLConfCmd DHParameters" is not a valid parameter. Editing httpd.conf directly just results in Apache not restarting.

    Am I going to need to open a support ticket?
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  11. Avalon

    Avalon Member

    Joined:
    Apr 27, 2015
    Messages:
    19
    Likes Received:
    1
    Trophy Points:
    3
    Location:
    United States
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Actually the domain has an A+ rating which is up from the A that it had under Apache 2.

    However, figuring I will have to specify a few custom keys no matter what for some of the other software I would include Apache among those custom keys.

    Although, I think you saw it, Apache got built off OpenSSL1.0.1e-fips rather than the system's 1.0.2a-fips and the minimum to declare the directive is 1.0.2.

    Since CloudLinux's repo only has 1.0.1e-fips I had to build 1.0.2a-fips. I took a look at the post you posted in that thread and had asked a question about just simply soft linking to the system version since according to what I read EasyApache will compile local OpenSSL if it's installed to:

    Code:
    /opt/ssl
     
    #11 Avalon, May 22, 2015
    Last edited: May 22, 2015
  12. Aaron Moore

    Aaron Moore Registered

    Joined:
    May 20, 2015
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    WA
    cPanel Access Level:
    Root Administrator
    So just to clarify, this isn't something that will simply be handled in the next cpanel patch? (seems to me that it wouldn't but I have a host that insists it will).
     
  13. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    Apache 2.4 is already available via EasyApache should you prefer to upgrade to it. It's not an issue that's addressable through cPanel/WHM itself. Could you have your host provide more information on that statement?

    Thank you.
     
  14. sunmacet

    sunmacet Member

    Joined:
    Jan 24, 2009
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Hello,

    How to fix this problem with courier-imap and exim?

    The "Manage Service SSL Certificates" doesn't allow unique DH group to be included. How to apply unique DH group for the mail services? I have generated unique DH group and I have PEM file with "DH PARAMETERS".

    Thank you.
     
  15. hicom

    hicom Well-Known Member

    Joined:
    May 23, 2003
    Messages:
    272
    Likes Received:
    0
    Trophy Points:
    16
    Hi, we have the same issue with IMAPS/POP3S , for a reason, the DH key on these two services is always showing as 768-bit:

    I have added the ciphers below to POP3S / IMAPS but they did not affect the problem. We are now having issues with Thunderbird 38.1 due to weak DH key:

    Code:
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    
    This is the result of the openssl check:

    Code:
    root> openssl s_client -connect web.somesite.com:993 -cipher "EDH"
    
    
    CONNECTED(00000003)
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify return:1
    depth=1 C = US, O = GeoTrust Inc., CN = RapidSSL SHA256 CA - G3
    verify return:1
    depth=0 OU = GT22832445, OU = See www.rapidssl.com/resources/cps (c)15, OU = Domain Control Validated - RapidSSL(R), CN = web.somesite.com
    verify return:1
    ---
    Certificate chain
     0 s:/OU=GT22832445/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=web.somesite.com
      i:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
     1 s:/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
      i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIErTCCA5WgAwIBAgIDAevKMAfewFaFb3DQEBCwUAMEcxCzAJBgNVBAYTAlVT
    MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMSAwHgYDVQQDExdSYXBpZFNTTCBTSEEy
    NTYgQ0EgLSBHMzAeFw0xNTAxMjYxNTM5MjhaFw0xNjAyMjgyMTAxMThaMIGXMRMw
    EQYDVQQLEwpHVDIyODMyNDQ1MTEwLwYDVQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNv
    bS9yZXNvdXJjZXMvY3BzIChjKTE1MS8wLQYDVQQLEyZEb21haW4gQ29udHJvbCBW
    YWxpZGF0ZWQgLSBSYXBpZFNTTChSKTEcMBoGA1UEAxMTd2ViLnZpbmNpZ2VuaXVz
    LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKxfCPYKizPXZLY3
    p+usROr22XMTscwgVj4E9tInnNfBBfd4fFsZ1jVnXeU+KIG5H/4GcNkv6PLPqRQya
    qgBJeqOhTWjYgk96M/OVhdh1v4AT6xlQma41MEPhkLywwlvbwZGwFwhI4UKg0gGv
    lDxlViG4odb8bSdQsaCMM/GNL8xI3h9Vq5Ojx1e8axW3jeq9ZAzfKm8x7nXK+fZn
    ZROaF4z1rpv4jRgie3EEVX4vvXHDy595yKkATKxIqc4gK+XeFfqGHyjWnamqy1H/
    kmlWQu1rqwRpp3x0KksfJ8AYlT9cQsOlKvFI01/S8fkKLbckvls9dviLY/e7gQ52
    5EZ9hh8CAwEAAaOCAU8wggFLMB8GA1UdIwQYMBaAFMOc8/zTRgg0u85Gf6B8W/Pi
    CMtZMFcGCCsGAQUFBwEBBEswSTAfBggrBgEFBQcwAYYTaHR0cDovL2d2LnN5bWNk
    LmNvbTAmBggrBgEFBQcwAoYaaHR0cDovL2d2LnN5bWNiLmNvbS9ndi5jcnQwDgYD
    VR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAeBgNV
    HREEFzAVghN3ZWIudmluY2lnZW5pdXMuY29tMCsGA1UdHwQkMCIwIKAeoByGGmh0
    dHA6Ly9ndi5zeW1jYi5jb20vZ3YuY3JsMAwGA1UdEwEB/wQCMAAwRQYDVR0gBD4w
    PDA6BgpghkgBhvhFAQc2MCwwKgYIKwYBBQUHAgEWHmh0dHBzOi8vd3d3LnJhcGlk
    c3NsLmNvbS9sZWdhbDANBgkqhkiG9w0BAQsFAAOCAQEASIna3IUV8qELG8iN74OI
    pi/spq/NbaWwEebOhblDbAtlQCQlmXpefhrDk2d39/Zu1miOlO8+f0dOWoHbaHck
    2EqC+nrxpJPevVmXO/9XyLbbMX2XQWh55Ia8uMfo6OECOe7PXG2LOyrl5sdSDjx2
    xA865oZc0uOxWNq/znYrnT+O46PVZh9TbKWpjyaYwJ1STbCpZY9O7+Uetx7MwXx0
    7A2TJrh+ZXGSdhPebVLSjKkYpuMtg7v8eOwYoUVb3VZceZcu//uw27dIhb2Jpbk4
    RsdT86GWPDz7axZnWy1mbG/Xxocuhpa7gG63AR6NqtVWZdLvJyJfTCILZbkSyaXI
    Nw==
    -----END CERTIFICATE-----
    subject=/OU=GT22832445/OU=See www.rapidssl.com/resources/cps (c)15/OU=Domain Control Validated - RapidSSL(R)/CN=web.somesite.com
    issuer=/C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
    ---
    No client certificate CA names sent
    Server Temp Key: DH, 768 bits
    ---
    SSL handshake has read 3050 bytes and written 305 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
      Protocol  : TLSv1.2
      Cipher  : DHE-RSA-AES256-GCM-SHA384
      Session-ID: 9C903102A2B97FC8DE75179D5F82719A6F8E456634D65CC154DDFC2852E1423A
      Session-ID-ctx:
      Master-Key: D8A223291C29688FF4CA8F2C62D4EC3AE7A4FB8B1890F462F3867ABA4C0234CB7B33A5C44C093BB2B84D698976C69EF5
      Key-Arg  : None
      Krb5 Principal: None
      PSK identity: None
      PSK identity hint: None
      TLS session ticket lifetime hint: 7200 (seconds)
      TLS session ticket:
      0000 - eb 26 50 98 58 00 71 21-bc d3 ff 5e fe 09 a6 65  .&P.X.q!...^...e
      0010 - 14 d7 e5 e2 36 2a e4 30-1b 50 b9 d4 e0 ac 4c 94  ....6*.0.P....L.
      0020 - dd 0b 77 10 1e 7a d0 55-7a 37 df 77 22 02 9b 0a  ..w..z.Uz7.w"...
      0030 - 0f e5 5d a1 4f 87 bd 05-d7 8b 51 9a 74 39 49 2b  ..].O.....Q.t9I+
      0040 - 02 02 3b dc 34 01 d1 23-91 4e 45 cd e9 44 3a 77  ..;.4..#.NE..D:w
      0050 - 9e e3 1a 99 95 00 a2 c8-62 cf b4 78 9c cb 11 93  ........b..x....
      0060 - e8 04 b4 98 94 17 a8 c2-11 a5 3a 64 6e 99 04 7b  ..........:dn..{
      0070 - eb cd 74 bc a9 dc a0 0c-55 79 11 c0 81 5c eb 2b  ..t.....Uy...\.+
      0080 - 8f 13 cb 57 af 37 27 58-d5 2f ee 9f 36 28 f5 11  ...W.7'X./..6(..
      0090 - d2 e9 cd 35 24 b5 5f 11-fa 6c 8b ee 88 18 0f 07  ...5$._..l......
    
      Start Time: 1437665169
      Timeout  : 300 (sec)
      Verify return code: 0 (ok)
    ---
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc.  See COPYING for distribution information.
    
     
  16. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
Loading...

Share This Page