drp

Hi,

I'm attempting this fix for SSLv3 here: http://forums.cpanel.net/f185/sslv3...y-ckb-how-adjust-cipher-protocols-432641.html


On three of my servers, this has run without any problems. However, I've got another one with a different hosting provider where I'm unable to rebuild Apache after making the fix. The message I get is:

Code:
Apache restart failed. Unable to load pid from pid file and no httpd process found in process list.

If apache restart reported success but it failed soon after, it may be caused by oddities with mod_ssl.

You should run /usr/local/cpanel/scripts/ssl_crt_status as part of your troubleshooting process. Pass it --help for more details.

Also be sure to examine apache's various log files.
Apache Restart Output:

Log:
[Tue Oct 21 05:32:46.004569 2014] [:notice] [pid 17995] ModSecurity: LUA compiled version="Lua 5.1"
[Tue Oct 21 05:32:46.004574 2014] [:notice] [pid 17995] ModSecurity: LIBXML compiled version="2.9.1.20140611"
[Tue Oct 21 05:32:46.004578 2014] [:notice] [pid 17995] Status engine is currently disabled, enable it by set SecStatusEngine to On.
[Tue Oct 21 05:32:47.002030 2014] [ssl:warn] [pid 17996] AH01906: myhostname.mydomain.com:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Oct 21 05:32:47.005662 2014] [mpm_prefork:notice] [pid 17996] AH00163: Apache/2.4.10 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 configured -- resuming normal operations
[Tue Oct 21 05:32:47.005707 2014] [core:notice] [pid 17996] AH00094: Command line: '/usr/local/apache/bin/httpd -D SSL'
[Tue Oct 21 05:33:27.339167 2014] [mpm_prefork:notice] [pid 17996] AH00169: caught SIGTERM, shutting down
[Tue Oct 21 05:33:29.000791 2014] [ssl:emerg] [pid 18050] AH01898: Unable to configure permitted SSL ciphers
[Tue Oct 21 05:33:29.001224 2014] [ssl:emerg] [pid 18050] SSL Library Error: error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command
[Tue Oct 21 05:33:29.001243 2014] [ssl:emerg] [pid 18050] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed
Running ssl_cert_status reveals nothing. I've then tried running /scripts/rebuildhttpdconf but all that gave me was similar to this: info [rebuildhttpdconf] Missing owner for domain, force lookup to root | SingleRack Hosting Solution, which I've now fixed.

What should my next fix be? If I roll back the SSLv3 fix, everything is hunky-dory again and Apache restarts fine.
Thanks,
Clive
 

cPanelMichael

Hello :)

Please post the output from:

Code:
rpm -qa | grep openssl
cat /etc/redhat-release
Also, post the contents from the /usr/local/apache/conf/includes/pre_main_global.conf file on your system.

Thank you.
 

drp

Thanks for your help. Here you go:

Code:
[email protected] [/]# rpm -qa | grep openssl
openssl-1.0.1e-30.el6_5.2.x86_64
openssl-devel-1.0.1e-30.el6_5.2.x86_64
[email protected] [/]# cat /etc/redhat-release
CentOS release 6.5 (Final)
[email protected] [/]#
and
Code:
[email protected] [/usr/local/apache/conf/includes]# vi pre_main_global.conf
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+
SSLHonorCipherOrder on
~
 

cPanelMichael

I am happy to see you were able to address the issue. Note that our documentation here describes the steps you can take to address the weakness:

How to Adjust Cipher Protocols

Thank you.
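
Added example, not part of the original thread or of cPanel's tooling: AH01898 with `SSL_CIPHER_PROCESS_RULESTR:invalid command` means OpenSSL rejected the `SSLCipherSuite` string, so the string can be checked before Apache is restarted. The sketch below pulls each `SSLCipherSuite` value out of an include file's text and asks OpenSSL (through Python's `ssl` module) whether it parses; the function names are hypothetical and the sample text is constructed to mirror the file as it appears in the post above.

```python
import ssl

def find_cipher_suites(conf_text):
    """Return (line_number, cipher_string) for each SSLCipherSuite directive."""
    found = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        tokens = line.split()
        if len(tokens) < 2 or tokens[0].startswith("#"):
            continue
        if tokens[0].lower() == "sslciphersuite":
            # The cipher spec is the last argument; strip optional quotes.
            found.append((lineno, tokens[-1].strip("\"'")))
    return found

def cipher_string_error(spec):
    """Return None if the linked OpenSSL accepts spec, else the error text."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError as exc:
        return str(exc)
    return None

def check_conf(conf_text):
    """Return (line_number, cipher_string, error_or_None) per directive."""
    return [(n, s, cipher_string_error(s)) for n, s in find_cipher_suites(conf_text)]

# Constructed sample: same three directives as shown in the thread,
# with the cipher string ending in a dangling "EECDH+".
SAMPLE_BAD = """\
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+
SSLHonorCipherOrder on
"""
# Constructed sample: the same string with the dangling term removed.
SAMPLE_GOOD = SAMPLE_BAD.replace(":EECDH+\n", "\n")

if __name__ == "__main__":
    print("OpenSSL used for the check:", ssl.OPENSSL_VERSION)
    for label, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        for lineno, spec, err in check_conf(text):
            status = "OK" if err is None else "REJECTED: " + err
            print(f"{label}: line {lineno}: {spec} -> {status}")
```

Python may be linked against a different OpenSSL build than Apache's mod_ssl, so compare `ssl.OPENSSL_VERSION` with the version in Apache's startup log line; running `openssl ciphers -v '<string>'` on the server performs the same parse with the system library.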