The Community Forums


SSLv3 Vulnerability : http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

Discussion in 'Security' started by sneader, Oct 14, 2014.

  1. sneader

    Mod Edit: Updated Response to Customers Posted

    I received an email from HostingSecList today:

    I thought I'd start up a thread here on cPanel, in case this turns into something we need to act upon.

    - Scott
     
  4. smoge

    Proposed Fix
    (after investigating several sources)
    ========

    SSLv3 gets disabled by adding this to WHM » Service Configuration » Apache Configuration » Include Editor » Pre Main Include

    Code:
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+
    SSLHonorCipherOrder on

    This will work with Apache and also LiteSpeed, if you have this installed on your server.

    Update: Indications are if running Litespeed, needs latest applied, 4.2.17 or newer.

    Tests
    Test your web server for SSLv2
    https://www.ssllabs.com/ssltest/index.html

    What you are looking for is:
    TLS 1.2 Yes
    TLS 1.1 Yes
    TLS 1.0 Yes
    SSL 3 No
    SSL 2 No

    Good luck!

    Robert LeVine
    Linux Server and Application Support
     
    #4 smoge, Oct 15, 2014
    Last edited: Oct 15, 2014
  5. sneader

    This will stop Internet Explorer v6 clients from connecting via SSL (not that I'm complaining about making IE6 users go away!). Just making sure everyone is aware of that. Google is not suggesting that we disable SSLv3 completely just yet:

    and on another site, they write:

    Again, just making sure everyone is on the same page with regards to disabling SSLv3 via the suggested methods.

    - Scott
     
  6. gemby

    We are talking about Apache and port 443. What about ports 2083, 2087 and 2093? Can somebody confirm that they are also affected?
     
  7. JamesOakley

    Yes they are - and any SSL used by FTP, and Exim (465 and 587).

    Each of those comes with settings you can use to change the SSLCipherSuite, but I can't see (documented) any ways to change the SSLProtocol value for those processes.
     
  8. gemby

    There is rumour that Firefox does not support TLS on any port that is not 443, any confirmations about that? Yes, i also think that that guy has some misconfiguration ( why thread ) and yes, it needs to be tested first.
     
  10. gemby

    Here is much simpler tester as suggested by jamesoakley on some other forum...

    This one SHOULD NOT work:
    Code:
    echo -n |  openssl s_client -ssl3 -connect fqdn.server.com:port
    

    This one MUST work:
    Code:
    echo -n |  openssl s_client -tls1 -connect fqdn.server.com:port
    
     
  11. deka

    That is correct. Firefox cannot access the cPanel, WHM or webmail secure ports when SSLv3 is disabled at WHM » Service Configuration » cPanel Web Services Configuration.
     
  12. Bramus

    To fix this in WHM go to Service Configuration > cPanel Web Services Configuration and change the field "TLS/SSL Cipher List" from "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP" to "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP" (note the addition of :-SSLv3, including the colon)
     
  13. deka

    If you do that then all Firefox users will lose access to their cPanel control panels.
     
  14. JamesOakley

    But also, if you do that, you lose TLS1.0 and TLS1.1 as well, which knocks out lots of browsers (that, even on port 443, rely on those protocols).

    To disable SSLv3, without disabling any TLS protocols, I think you need access to the SSLProtocol setting (although I'd be delighted to be proved wrong), and that setting is not exposed for the cPanel web services, for Exim, or for the FTP server processes, in WHM.
     
  15. sparek-3

    This is the conclusion I also drew.

    You can disable SSLv3 (and SSLv2) protocols with dovecot, by editing the file /etc/dovecot/dovecot.conf and adding:

    Code:
    ssl_protocols = !SSLv2 !SSLv3
    
    above the ssl_cipher_list line. That seems to disable SSLv3 for dovecot. But for the other services you mentioned, cPanel and Exim, the only configurable option seems to be to disable SSLv3 ciphers, which also disables TLS ciphers.

    I would also add, that if you manually edit the /etc/dovecot/dovecot.conf file and then make changes to the dovecot configuration in your WHM, then these manual changes will likely be lost.
     
  16. eva2000

    yeah I experienced the same when I tried that.

    This thread has a list of other web apps for disabling SSLv3 including dovecot, apache, haproxy etc at security - How do I patch/workaround SSLv3 POODLE vulnerability (CVE-2014-3566)? - Ask Ubuntu (yeah Ubuntu but should apply to usage for CentOS too ?)

    For non-whm/cpanel, I just updated to OpenSSL 1.0.1j which fixes this or patch OpenSSL 1.0.1i as I use Nginx with static compiled OpenSSL. For WHM/Cpanel, need to wait for Redhat/CentOS updated OpenSSL 1.0.1j equivalent ? Guess the next version of system OpenSSL to look for would be OpenSSL 1.0.1e-16.el6_5.16
     
  17. JamesOakley

    I think OpenSSL 1.0.1j at best mitigates it, but perhaps I've misunderstood.
     
  18. Bramus

    sslscan confirms ... all ciphers are rejected after activating it :(
     
  19. sneader

    I know there is talk about OpenSSL 1.0.1j here, but for any that missed it:

    See https://www.openssl.org/news/secadv_20141015.txt

     
  20. eva2000

    Yup, if you need SSLv3 enabled, OpenSSL 1.0.1j and TLS_FALLBACK_SCSV are needed
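To make three things from this thread concrete in one place (smoge's "what the test should show", gemby's `openssl s_client -ssl3` check and question about the non-443 service ports, and the TLS_FALLBACK_SCSV mechanism eva2000 mentions last), here is an added example written for this page; it is not code from the thread, from cPanel or from OpenSSL. It builds a raw SSLv3 ClientHello and sends it to each service port (most current OpenSSL builds are compiled without SSLv3, so `openssl s_client -ssl3` errors out before reaching the server; the script speaks the handshake itself), classifies the first record the server returns, and implements the server-side rule from RFC 7507 that OpenSSL 1.0.1j added. The host name `fqdn.server.com` and the port list (443, 2083, 2087, 2096, 465, 993, 995) are assumptions for the example; the STARTTLS ports the thread also names (587 and the plain IMAP/POP3 ports) need the STARTTLS exchange first and are not probed here.

```python
"""Added example for this thread (not cPanel's or the thread's code).

Three things the posts above discuss, in one small record-layer toolkit:
  - probe a port with a raw SSLv3 ClientHello (what `openssl s_client -ssl3`
    does; most current OpenSSL builds are compiled without SSLv3, so the
    script speaks the handshake itself);
  - read the server's first record to tell "SSLv3 accepted" from "refused";
  - the server-side TLS_FALLBACK_SCSV rule of RFC 7507 that OpenSSL 1.0.1j
    added: a ClientHello that carries suite 0x5600 at a version below the
    server's best is answered with a fatal inappropriate_fallback alert.
The host name and port list are assumptions made for this example.
"""
from __future__ import annotations

import os
import socket
import struct

SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value, RFC 7507
INAPPROPRIATE_FALLBACK = 86       # alert description, RFC 7507

# Assumed for this example: Apache plus the cPanel and mail services the thread asks about.
# STARTTLS ports (587, 143, 110) need the STARTTLS exchange first and are not probed here.
SERVICE_PORTS = {443: "apache", 2083: "cpanel", 2087: "whm", 2096: "webmail",
                 465: "exim smtps", 993: "dovecot imaps", 995: "dovecot pop3s"}


def build_client_hello(version: int, suites: list[int]) -> bytes:
    """Return one record carrying a minimal, extension-free ClientHello."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + os.urandom(32) + b"\x00"   # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> tuple[int, list[int]]:
    """Return (client_version, cipher_suites) from a ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9                                            # record header (5) + handshake header (4)
    version = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + 32                                      # skip version and random
    p += 1 + record[p]                               # skip session_id
    n = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + n, 2)]
    return version, suites


def classify_response(data: bytes) -> str:
    """Verdict from the first record a server returns to an SSLv3 ClientHello."""
    if not data:
        return "refused (connection closed)"
    if data[0] == 0x15 and len(data) >= 7:           # alert record: level, description
        return f"refused (alert level={data[5]} description={data[6]})"
    if (data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02   # ServerHello ...
            and struct.unpack("!H", data[9:11])[0] == SSL3):       # ... choosing SSL 3.0
        return "sslv3-accepted"
    return "unexpected"


def probe_sslv3(host: str, port: int, timeout: float = 5.0) -> str:
    """Send an SSLv3 ClientHello to host:port and classify the reply (needs network)."""
    # RC4-SHA, DES-CBC3-SHA, AES128-SHA, AES256-SHA: suites any SSLv3 server would take.
    hello = build_client_hello(SSL3, [0x0005, 0x000a, 0x002f, 0x0035])
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(hello)
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


def fallback_scsv_check(record: bytes, server_max_version: int = TLS12) -> bytes | None:
    """Server-side RFC 7507 rule: the fatal alert record to send, or None to carry on."""
    version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and version < server_max_version:
        # The client says "this is a retry at a lower version"; since we can do better,
        # something in between forced the downgrade (the POODLE precondition). Abort.
        return b"\x15" + struct.pack("!H", version) + b"\x00\x02" + bytes([2, INAPPROPRIATE_FALLBACK])
    return None


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "fqdn.server.com"   # assumed host name
    for port, name in SERVICE_PORTS.items():
        try:
            print(f"{host}:{port:<5} {name:<14} {probe_sslv3(host, port)}")
        except OSError as e:
            print(f"{host}:{port:<5} {name:<14} error: {e}")
```

Run it as `python3 sslv3probe.py your.host` to get one verdict per port. `refused (alert ... description=40)` (handshake_failure) or `description=70` (protocol_version), and a plain connection close, all mean SSLv3 is off for that service; `sslv3-accepted` means that service still negotiates SSL 3.0 even if port 443 is already clean, which is the situation the thread describes for the cPanel, Exim and Dovecot daemons. The SCSV check is what the 1.0.1j server does when SSLv3 must stay on: it only helps against downgrade when the client also sends the signal, so it is a mitigation, not a substitute for turning SSLv3 off where the configuration allows it.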
     