The Community Forums


SSLv2 on 2083 and 2087

Discussion in 'General Discussion' started by handsonhosting, Jul 26, 2010.

  1. handsonhosting

    handsonhosting Well-Known Member

    Hi Folks,

    This is a continuation of a thread regarding ports 2077 and 2078 (http://forums.cpanel.net/f5/cpdavd-forced-sslv3-85161-p2.html). The patches have been applied and for some reason 2083 and 2087 are now reporting that they can connect with SSLv2 instead of only with SSLv3.

    I have duplicated this on a number of machines. The SSLv2 connection does not appear to be a result of implementing the patch for the 2078 port.


    On the Global Configuration for Apache the SSL Cipher Suite has the following:
    ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:+SSLv3:+TLSv1:RC4+RSA:+HIGH:+MEDIUM

    SSLv2 is marked to never connect. While this works fine for various other ports (443 etc), it does not seem to follow over on the 2083 and 2087 ports.

    Tested and duplicated using the following line (both on the machine, and from a remote machine):

    openssl s_client -host localhost -port 2083 -verify -debug -ssl2

    The response comes back with the Verify return code: 0 (ok) rather than a rejection.

    The only other thing that we do have enabled on the servers is a wildcard certificate; however, I've also tested removing that certificate and leaving the standard cPanel self-signed one, but the results are the same.

    Anyone have any thoughts as to how to get 2083 and 2087 to only use SSLv3?

    Tested using the latest CURRENT and EDGE builds; same results on multiple machines.
     
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    As far as I can tell (and I'll admit to not being an expert in this) SSLv2 is indeed disabled for ports 2083 and 2087. Here's the result of running your command against 11.25.1-BETA_47285:

    Code:
    
    root@tilly [~]# openssl s_client -host localhost -port 2083 -verify -debug -ssl2
    verify depth is 0
    CONNECTED(00000003)
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=tilly.cpanelqa.com/emailAddress=ssl@tilly.cpanelqa.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=tilly.cpanelqa.com/emailAddress=ssl@tilly.cpanelqa.com
    verify return:1
    13384:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:
    
    Compare that with trying to connect with SSLv3:

    Code:
    
    root@tilly [~]# openssl s_client -host localhost -port 2083 -verify -debug -ssl3
    verify depth is 0
    CONNECTED(00000003)
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=tilly.cpanelqa.com/emailAddress=ssl@tilly.cpanelqa.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=tilly.cpanelqa.com/emailAddress=ssl@tilly.cpanelqa.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=tilly.cpanelqa.com/emailAddress=ssl@tilly.cpanelqa.com
       i:/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=tilly.cpanelqa.com/emailAddress=ssl@tilly.cpanelqa.com
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIDrDCCAxWgAwIBAgIFAg96Z3wwDQYJKoZIhvcNAQEFBQAwgZkxCzAJBgNVBAYT
    AlVTMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMRAwDgYDVQQK
    EwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRswGQYDVQQDExJ0aWxseS5jcGFu
    ZWxxYS5jb20xJTAjBgkqhkiG9w0BCQEWFnNzbEB0aWxseS5jcGFuZWxxYS5jb20w
    HhcNMTAwMjEyMTUxMzQ4WhcNMTEwMjEyMTUxMzQ4WjCBmTELMAkGA1UEBhMCVVMx
    EDAOBgNVBAgTB1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEDAOBgNVBAoTB1Vu
    a25vd24xEDAOBgNVBAsTB1Vua25vd24xGzAZBgNVBAMTEnRpbGx5LmNwYW5lbHFh
    LmNvbTElMCMGCSqGSIb3DQEJARYWc3NsQHRpbGx5LmNwYW5lbHFhLmNvbTCBnzAN
    BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2PtnkeSYJMeLiRSy0Q4aZPcHPDerBEEC
    jY9PweyR+Q2lUDJslUwAjEXqS4u/nV/it11qEWlBrvJdWAfz8SvBxXvyiZu6xXF9
    6QO6M7p8g5MEFH5vPwVHrYzk/Wk2DuTccvRMbpNwYFmVZWkGnHmGZ5wg+xD9tORb
    TzBFlTJ4fQMCAwEAAaOB/TCB+jAdBgNVHQ4EFgQU00XCrpQ6FRa80+ddpn+sBXq0
    SbQwgcoGA1UdIwSBwjCBv4AU00XCrpQ6FRa80+ddpn+sBXq0SbShgZ+kgZwwgZkx
    CzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3du
    MRAwDgYDVQQKEwdVbmtub3duMRAwDgYDVQQLEwdVbmtub3duMRswGQYDVQQDExJ0
    aWxseS5jcGFuZWxxYS5jb20xJTAjBgkqhkiG9w0BCQEWFnNzbEB0aWxseS5jcGFu
    ZWxxYS5jb22CBQIPemd8MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEA
    dNeCcvq9ZKgKpyrH3tNrISz7UtH8lnsDQsXIDtsAVY7KPeecEoU8JFgqdf35G/Vf
    8cbnl3GSucYTY0kn9hwZ0yIvv7XX9svZSefcGaFKH+8cA8WTSADtpVVwCGMR6NlJ
    3KFrgmCU3OB7BRvG5sw57+FnXPqlsl4/v9cRCWxZ++Q=
    -----END CERTIFICATE-----
    subject=/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=tilly.cpanelqa.com/emailAddress=ssl@tilly.cpanelqa.com
    issuer=/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=tilly.cpanelqa.com/emailAddress=ssl@tilly.cpanelqa.com
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1145 bytes and written 317 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: zlib compression
    Expansion: zlib compression
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : AES256-SHA
        Session-ID: 40B9E9D5AF7C6489BD47EA0F59C411A8922DA45CB474EA89EC2AC516CD3442E8
        Session-ID-ctx: 
        Master-Key: E151B6B6857EC371A348DDACAFFBC13EE596C073A956AD9D933A0C370831F491ED95E38E43166904FE3128B5C9087156
        Key-Arg   : None
        Krb5 Principal: None
       Compression: 1 (zlib compression)
        Start Time: 1280237018
        Timeout   : 7200 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    DONE
    
    When connecting via SSLv2, openssl returns an error versus negotiating the SSL/TLS handshake, which occurs when connecting via SSLv3 (and TLSv1). If my understanding of the above is incorrect, please correct me.

    Please note that for the purposes of this test, the BETA version I used is the same as the latest EDGE build (no SSL related functions have changed in cpsrvd since the last EDGE).

    Thank you.
     
  3. handsonhosting

    handsonhosting Well-Known Member

    Hi Kenneth,

    Yes, your understanding is right. On SSLv2 it should not connect, and on SSLv3 it should display the connection information like you had.

    I've just updated another machine (11.25.1-E47233) to the latest edge build, but I'm still having the same issue. Other ports are still blocked when trying with v2, but on 2083 and 2087 I can connect without a problem.

    Ports 2083 and 2087 use the ciphers listed in WHM under Service Configuration >> Apache Configuration >> Global Configuration >> SSLCipherSuite.

    Is that correct?

    I've tried setting that to the following ciphers:
    ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-SSLv3

    Notice that I not only killed SSLv2 but also SSLv3. It still lets me connect, however, even after rebuilding Apache (and I verified in the httpd.conf file that there was only one reference to SSLCipherSuite). I also restarted cPanel (for good measure) and it would still connect.

    So I guess now the question is, where are 2083 and 2087 getting their SSLCipherSuite instructions from, as setting it to -SSLv3 should have killed the connection there too, but it didn't.
     
  4. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Greetings handsonhosting,

    Thank you for that verification.

    No. That UI is for configuring Apache, not cPanel ;)

    Here is the default cipher suite used by cpsrvd:

    Code:
    ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    
    You can configure the cipher suite by modifying /usr/local/cpanel/Cpanel/SSLService.pm. You'll see the cipher suite string therein. You'll need to restart cPanel after modifying that file.

    Based upon your description please also verify that your cPanel system is configured to use the SSL Service provided in cpsrvd. You should have the following entry in /var/cpanel/cpanel.config:

    nativessl=1

    If that directive does not exist or is 0 (zero), then stunnel is being used instead to provide SSL support in cPanel.
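    The two checks this reply and the opening post turn on (is cpsrvd actually terminating SSL, i.e. nativessl=1, and does the cipher string in force really exclude SSLv2) can be scripted so they are not repeated by hand per server. The following is an added example, not cPanel's code and not anything from SSLService.pm: it parses a cpanel.config-style key=value file (a constructed sample is embedded) and evaluates OpenSSL's cipher-string operators (`!` permanently removes, `-` removes but allows re-adding, `+` only reorders already-present ciphers) to decide whether a given keyword group such as SSLv2 survives. The function names and the sample file contents are assumptions for illustration.

```python
"""Added example (not cPanel's code): audit the two settings discussed in the thread.

Assumes the /var/cpanel/cpanel.config key=value layout the reply shows (nativessl=1)
and standard OpenSSL cipher-string syntax: items separated by ':', optional
leading '!', '-' or '+', and 'A+B' meaning the intersection of two groups.
"""

# Constructed sample in cpanel.config style; the real file has many more keys.
CONSTRUCTED_CPANEL_CONFIG = """# constructed sample, not a real server's file
skipapache=0
nativessl=0
"""

# Default cpsrvd cipher suite quoted in the thread.
CPSRVD_DEFAULT_CIPHERS = "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"


def parse_cpanel_config(text):
    """Parse key=value lines into a dict, ignoring blanks, comments and malformed lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def uses_native_ssl(conf):
    """cpsrvd terminates SSL itself only when nativessl=1; missing or 0 means stunnel."""
    return conf.get("nativessl", "0") == "1"


def _selects(body, keyword):
    """True if a cipher-list item selects ciphers of the KEYWORD group.

    'ALL' covers every cipher; an intersection like 'SSLv2+RSA' still contains
    KEYWORD ciphers only if one of its parts is KEYWORD or ALL.
    """
    parts = body.split("+")
    return keyword in parts or "ALL" in parts


def protocol_excluded(cipher_string, keyword="SSLv2"):
    """Walk the cipher string left to right with OpenSSL's operator semantics.

    Returns True when no ciphers of the KEYWORD group remain at the end.
    """
    present = False   # are KEYWORD ciphers currently in the list?
    killed = False    # once '!' has hit the group, nothing can re-add it
    for raw in cipher_string.split(":"):
        item = raw.strip()
        if not item:
            continue
        op = item[0] if item[0] in "!-+" else ""
        body = item[len(op):]
        if not _selects(body, keyword):
            continue
        if op == "!":
            present, killed = False, True
        elif op == "-":
            present = False          # removed, but a later bare keyword may re-add
        elif op == "+":
            pass                     # '+' only moves existing ciphers to the end
        elif not killed:
            present = True           # bare keyword or ALL adds the group
    return not present


def audit(config_text, cipher_string):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not uses_native_ssl(parse_cpanel_config(config_text)):
        findings.append(
            "nativessl is not 1: stunnel, not cpsrvd, is providing SSL on 2083/2087, "
            "so the cpsrvd cipher suite is not what is in force"
        )
    if not protocol_excluded(cipher_string, "SSLv2"):
        findings.append("cipher suite still admits SSLv2 ciphers")
    return findings


if __name__ == "__main__":
    for finding in audit(CONSTRUCTED_CPANEL_CONFIG, CPSRVD_DEFAULT_CIPHERS):
        print("FINDING:", finding)
```

    Run against the constructed sample it reports only the nativessl finding, which is the situation the thread ends up diagnosing: the cipher suite was fine, but cpsrvd was not the process terminating SSL, so changing any cipher string (Apache's or cpsrvd's) could not affect what those ports accepted.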
     
  5. handsonhosting

    handsonhosting Well-Known Member

    Hey Kenneth,

    Thanks for working through this with me. The nativessl setting is what tripped it all up.

    So I guess nativessl should be ON on the servers. Not sure why it was disabled.

    Again, thank you for working through this - one more thing to mark off my list of TO DO items!
     
  6. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    You're welcome. I'm glad it was something that simple :)
     
  7. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Important cPanel/WHM Version Number Designation Change

    Please Note: Important cPanel/WHM Version Number Designation Change

    As of July 28, 2010 the cPanel/WHM version number designations have been officially changed.

    Version 11.25.1 is now designated 11.28 and version 11.25.2 is now designated 11.30.

    These new changes were explained in some detail recently at the July 2010 - Quarterly Road map - Webinar direct from cPanel's PodCast Studio in Houston, Texas with speakers David Grega and Mario Rodriguez.

    An official press release about these changes is forthcoming and can be accessed at this link as soon as it's made available to the Forum Team:
    Important cPanel/WHM Version Number Designation Change (To be updated)

    This post serves to update users who are subscribed to threads (where this message is posted) looking forward to upcoming enhancements in future versions of cPanel.
     