SSLv3 Vulnerability : http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

sneader

Well-Known Member
Aug 21, 2003
1,178
57
178
La Crosse, WI
cPanel Access Level
Root Administrator
Mod Edit: Updated Response to Customers Posted Click Here

[HR][/HR]

I received an email from HostingSecList today:

SSL v3
Rumoured Vulnerability

According to The Register, a serious vulnerability in SSL v3 will be disclosed tomorrow on October 15th. Some people are recommending disabling SSL v3 in various daemons until further notice.

Ongoing Discussion via WHT:

New SSL Vulnerability? - Vulnerabilities - Web Hosting Talk

More information will be sent out via HSL once the vulnerability is released tomorrow and we urge everyone to stay alert and be ready to patch whatever necessary.
I thought I'd start up a thread here on cPanel, in case this turns into something we need to act upon.

- Scott
 

smoge

Well-Known Member
Jul 2, 2004
52
0
156
Proposed Fix
(after investigating several sources)
========

SSLv3 gets disabled by adding this to WHM » Service Configuration » Apache Configuration » Include Editor » Pre Main Include

Code:
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+
SSLHonorCipherOrder on

This will work with Apache and also LiteSpeed, if you have this installed on your server.

Update: Indications are if running Litespeed, needs latest applied, 4.2.17 or newer.

Tests
Test your web server for SSLv2
https://www.ssllabs.com/ssltest/index.html

What you are looking for is:
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No

Good luck!

Robert LeVine
Linux Server and Application Support
+1 855-LINUX55 (international toll free number)
[email protected]
 
Last edited:

sneader

Well-Known Member
Aug 21, 2003
1,178
57
178
La Crosse, WI
cPanel Access Level
Root Administrator
This will break Internet Explorer v6 clients from connecting via SSL (not that I'm complaining about making IE6 users go away!) Just making sure everyone is aware of that. Google is not suggesting that we disable SSLv3 completely just yet:

Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.
and on another site, they write:

As a server operator, it is possible to stop this attack by disabling SSLv3, or by disabling CBC-mode ciphers in SSLv3. However, the compatibility impact of this is unclear. Certainly, disabling SSLv3 completely is likely to break IE6. Some sites will be happy doing that, some will not.
Again, just making sure everyone is on the same page with regards to disabling SSLv3 via the suggested methods.

- Scott
 

JamesOakley

Well-Known Member
Apr 15, 2011
83
2
58
cPanel Access Level
Root Administrator
We are talking about apache and port 443. What about 2083 and 2087 2093 ports? Can somebody confirm that they are also affected?
Yes they are - and any SSL used by FTP, and Exim (465 and 587).

Each of those comes with settings you can use to change the SSLCipherSuite, but I can't see (documented) any ways to change the SSLProtocol value for those processes.
 

gemby

Well-Known Member
PartnerNOC
Feb 16, 2002
182
0
316
Pula, Croatia
cPanel Access Level
DataCenter Provider
Yes they are - and any SSL used by FTP, and Exim (465 and 587).

Each of those comes with settings you can use to change the SSLCipherSuite, but I can't see (documented) any ways to change the SSLProtocol value for those processes.
There is rumour that Firefox does not support TLS on any port that is not 443, any confirmations about that? Yes, i also think that that guy has some misconfiguration ( why thread ) and yes, it needs to be tested first.
 

gemby

Well-Known Member
PartnerNOC
Feb 16, 2002
182
0
316
Pula, Croatia
cPanel Access Level
DataCenter Provider
Here is much simpler tester as suggested by jamesoakley on some other forum...

This one SHOULD NOT work:
Code:
echo -n |  openssl s_client -ssl3 -connect fqdn.server.com:port

This one MUST work:
Code:
echo -n |  openssl s_client -tls1 -connect fqdn.server.com:port
 

deka

Member
Jul 24, 2014
17
0
1
cPanel Access Level
Root Administrator
There is rumour that Firefox does not support TLS on any port that is not 443, any confirmations about that?
That is correct. FireFox cannot access cPanel, WHM or webmail secure ports when SSLv3 is disabled at WHM »Service Configuration »cPanel Web Services Configuration
 

Bramus

Member
Jan 27, 2014
6
0
1
cPanel Access Level
Root Administrator
We are talking about apache and port 443. What about 2083 and 2087 2093 ports? Can somebody confirm that they are also affected?
To fix this in WHM go to Service Configuration > cPanel Web Services Configuration and change the field "TLS/SSL Cipher List" from "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP" to "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP" (note the addition of :-SSLv3, including the colon)
 

deka

Member
Jul 24, 2014
17
0
1
cPanel Access Level
Root Administrator
To fix this in WHM go to Service Configuration > cPanel Web Services Configuration and change the field "TLS/SSL Cipher List" from "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP" to "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP" (note the addition of :-SSLv3, including the colon)
If you do that then all Firefox users will lose access to their cPanel control panels.
 

JamesOakley

Well-Known Member
Apr 15, 2011
83
2
58
cPanel Access Level
Root Administrator
To fix this in WHM go to Service Configuration > cPanel Web Services Configuration and change the field "TLS/SSL Cipher List" from "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP" to "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP" (note the addition of :-SSLv3, including the colon)
But also, if you do that, you lose TLS1.0 and TLS1.1 as well, which knocks out lots of browsers (that, even on port 443, rely on those protocols).

To disable SSLv3, without disabling any TLS protocols, I think you need access to the SSLProtocol setting (although I'd be delighted to be proved wrong), and that setting is not exposed for the cPanel web services, for Exim, or for the FTP server processes, in WHM.
 

sparek-3

Well-Known Member
Aug 10, 2002
1,983
218
343
cPanel Access Level
Root Administrator
To disable SSLv3, without disabling any TLS protocols, I think you need access to the SSLProtocol setting (although I'd be delighted to be proved wrong), and that setting is not exposed for the cPanel web services, for Exim, or for the FTP server processes, in WHM.
This is the conclusion I also drew.

You can disable SSLv3 (and SSLv2) protocols with dovecot, by editing the file /etc/dovecot/dovecot.conf and adding:

Code:
ssl_protocols = !SSLv2 !SSLv3
above the ssl_cipher_list line. That seems to disable SSLv3 for dovecot. But the other services you mentioned, cPanel and Exim, the only configurable option seems to be do disable SSLv3 ciphers, which also disables TLS ciphers.

I would also add, that if you manually edit the /etc/dovecot/dovecot.conf file and then make changes to the dovecot configuration in your WHM, then these manual changes will likely be lost.
 

eva2000

Well-Known Member
Aug 14, 2001
339
16
318
Brisbane, Australia
cPanel Access Level
Root Administrator
Twitter
But also, if you do that, you lose TLS1.0 and TLS1.1 as well, which knocks out lots of browsers (that, even on port 443, rely on those protocols).

To disable SSLv3, without disabling any TLS protocols, I think you need access to the SSLProtocol setting (although I'd be delighted to be proved wrong), and that setting is not exposed for the cPanel web services, for Exim, or for the FTP server processes, in WHM.
yeah I experienced the same when I tried that.

This thread has a list of other web apps for disabling SSLv3 including dovecot, apache, haproxy etc at security - How do I patch/workaround SSLv3 POODLE vulnerability (CVE****-2014****-3566)? - Ask Ubuntu (yeah Ubuntu but should apply to usage for CentOS too ?)

For non-whm/cpanel, I just updated to OpenSSL 1.0.1j which fixes this or patch OpenSSL 1.0.1i as I use Nginx with static compiled OpenSSL. For WHM/Cpanel, need to wait for Redhat/CentOS updated OpenSSL 1.0.1j equivalent ? Guess the next version of system OpenSSL to look for would be OpenSSL 1.0.1e-16.el6_5.16
 

sneader

Well-Known Member
Aug 21, 2003
1,178
57
178
La Crosse, WI
cPanel Access Level
Root Administrator
I know there is talk about OpenSSL 1.0.1j here, but for any that missed it:

See https://www.openssl.org/news/secadv_20141015.txt

SSL 3.0 Fallback protection
===========================

Severity: Medium

OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
to block the ability for a MITM attacker to force a protocol
downgrade.

Some client applications (such as browsers) will reconnect using a
downgraded protocol to work around interoperability bugs in older
servers. This could be exploited by an active man-in-the-middle to
downgrade connections to SSL 3.0 even if both sides of the connection
support higher protocols. SSL 3.0 contains a number of weaknesses
including POODLE (CVE-2014-3566).

OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.

https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
https://www.openssl.org/~bodo/ssl-poodle.pdf

Support for TLS_FALLBACK_SCSV was developed by Adam Langley and Bodo Moeller.