But TLS_FALLBACK_SCSV only prevents forced downgrades, and I'm pretty sure that's not the only vector that makes SSLv3 problematic.
So what's the immediate recommendation for WHM users?
Change the apache cipher entry to - ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP
Apache won't need rebuilding right?
Change the apache cipher entry to - ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP
Apache won't need rebuilding right?
That would remove TLS1.0 and TLS1.1 as well. Just add one line to the pre_main_global.conf file:
SSLProtocol ALL -SSLv2 -SSLv3
and restart Apache.
That protects Apache, but not Exim, Dovecot, PureFTPD, ProFTPD or the cPanel processes themselves. Nobody's yet proposed a way to do those that doesn't also catch too much (although note the Dovecot remark earlier in this thread).
SSLProtocol ALL -SSLv2 -SSLv3
and restart Apache.
That protects Apache, but not Exim, Dovecot, PureFTPD, ProFTPD or the cPanel processes themselves. Nobody's yet proposed a way to do those that doesn't also catch too much (although note the Dovecot remark earlier in this thread).
As advised by cPanel staff:
============================
In regards to this vulnerability, which is still fairly fresh at this time, the following link from Qualsys indicates some good ciphers to use, and describes how to go about disabling the SSL3 Protocol. Please note these are quite strict, and could cause issues with older browsers, however they are generally more secure.
https://community.qualys.com/blogs/...-apache-nginx-and-openssl-for-forward-secrecy
These ciphers can be configured for Apache as noted from the article via WHM > Service Configuration > Apache Configuration > Global Configuration. This will NOT work with cPanel/WHM and will break its SSL service. This cipher may also remove the issue with Forward Secrecy in most cases
EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS
Please note the cipher itself does not completely disable SSL3. You also cannot remove the SSL3 Protocol Support from the cPanel/WHM Services unfortunately. Also you should not alter the default ciphers for cPanel/WHM services at this time either as using anything that strips away SSL3/TLS 1.0 support will cause this to break due to they way its designed unfortunately.
To disable the SSL2 and SSL3 protocols in Apache, you can copy your Apache version's "main.default" file over to "main.local", and make the adjustments on the main.local file. You can find your Apache version by running "httpd -v".
Apache 2.2
cp /var/cpanel/templates/apache2_2/main.default /var/cpanel/templates/apache2_2/main.local
Apache 2.4
cp /var/cpanel/templates/apache2_4/main.default /var/cpanel/templates/apache2_4/main.local
You then want to look for the section that looks like this.
[% IF supported.mod_ssl -%]
# SSLCipherSuite can be set in WHM under 'Apache Global Configuration'
[% IF main.sslciphersuite.item.sslciphersuite.length %]SSLCipherSuite [%
main.sslciphersuite.item.sslciphersuite %][% END %]
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
And change it to add the following two things right after the [% IF supported.mod_ssl -%]
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
An example of how it should look is below.
[% IF supported.mod_ssl -%]
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
# SSLCipherSuite can be set in WHM under 'Apache Global Configuration'
[% IF main.sslciphersuite.item.sslciphersuite.length %]SSLCipherSuite [%
main.sslciphersuite.item.sslciphersuite %][% END %]
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
Then you can save the file, rebuild the configuration and restart Apache.
/scripts/rebuildhttpdconf
service httpd restart
This should remove the SSL3 protocol support from your server. You can test this on Qualsys to see the results.
http://ssllabs.com/ssltest/analyze.html
============================
In regards to this vulnerability, which is still fairly fresh at this time, the following link from Qualsys indicates some good ciphers to use, and describes how to go about disabling the SSL3 Protocol. Please note these are quite strict, and could cause issues with older browsers, however they are generally more secure.
https://community.qualys.com/blogs/...-apache-nginx-and-openssl-for-forward-secrecy
These ciphers can be configured for Apache as noted from the article via WHM > Service Configuration > Apache Configuration > Global Configuration. This will NOT work with cPanel/WHM and will break its SSL service. This cipher may also remove the issue with Forward Secrecy in most cases
EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS
Please note the cipher itself does not completely disable SSL3. You also cannot remove the SSL3 Protocol Support from the cPanel/WHM Services unfortunately. Also you should not alter the default ciphers for cPanel/WHM services at this time either as using anything that strips away SSL3/TLS 1.0 support will cause this to break due to they way its designed unfortunately.
To disable the SSL2 and SSL3 protocols in Apache, you can copy your Apache version's "main.default" file over to "main.local", and make the adjustments on the main.local file. You can find your Apache version by running "httpd -v".
Apache 2.2
cp /var/cpanel/templates/apache2_2/main.default /var/cpanel/templates/apache2_2/main.local
Apache 2.4
cp /var/cpanel/templates/apache2_4/main.default /var/cpanel/templates/apache2_4/main.local
You then want to look for the section that looks like this.
[% IF supported.mod_ssl -%]
# SSLCipherSuite can be set in WHM under 'Apache Global Configuration'
[% IF main.sslciphersuite.item.sslciphersuite.length %]SSLCipherSuite [%
main.sslciphersuite.item.sslciphersuite %][% END %]
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
And change it to add the following two things right after the [% IF supported.mod_ssl -%]
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
An example of how it should look is below.
[% IF supported.mod_ssl -%]
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
# SSLCipherSuite can be set in WHM under 'Apache Global Configuration'
[% IF main.sslciphersuite.item.sslciphersuite.length %]SSLCipherSuite [%
main.sslciphersuite.item.sslciphersuite %][% END %]
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
Then you can save the file, rebuild the configuration and restart Apache.
/scripts/rebuildhttpdconf
service httpd restart
This should remove the SSL3 protocol support from your server. You can test this on Qualsys to see the results.
http://ssllabs.com/ssltest/analyze.html
I can confirm this from firsthand experience. I disabled SSL3 last night and got "locked" out of WHM from Firefox, my default browser, with the following error:
Code:
An error occurred during a connection to name.hostname.com:2087. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)- - - Updated - - -
Yes. I got locked out of WHM last night through Firefox after I disabled SSL3 server-side. Chrome had no problem connecting. Unfortunately, Chrome is not my browser of choice....
You can resolve this from the command line by modifying or removing the ssl options from the file /var/cpanel/conf/cpsrvd/ssl_socket_args and restarting cpanel - /etc/init.d/cpanel restart
Wouldn't what you're suggesting:
1. Disable SSL logins to cPanel/WHM?
2. Be overwritten when cPanel updates?
- - - Updated - - -
Still waiting for OpenSSL 1.0.1j to be made available through the CentOS repos. I tried searching/asking on the CentOS forum, but it keeps timing out. Because it's generally not advised by cPanel to update outside the vendor provided repos, I'll wait, I guess. I just hope CentOS doesn't drag their feet on this.
Yes, we have to wait as no fix/patch been issued yet to resolve the cPanel services problem. You can however protect Apache from the vulnerability.
In WHM at:
Home » Service Configuration » Apache Configuration » Include Editor » Pre Main Include (pre_main_global.conf)
Enter:
SSLProtocol ALL -SSLv2 -SSLv3
Save and restart Apache to complete.
If I understood this vuln. properly and based on what I had read at:
https://www.openssl.org/~bodo/ssl-poodle.pdf
The issue primarily lies with the client. Having SSL3 enabled on the server will not necessarily allow anonymous hacker to gain access to the server. Further, for this attack to work, both client and server must have SSLv3 enabled and the attacker must upload a file to the server so they can force the client connection to downgrade and attempt to sniff the data.
I think there is much greater risk to the client than to servers and this is mostly browser issue.
https://www.openssl.org/~bodo/ssl-poodle.pdf
The issue primarily lies with the client. Having SSL3 enabled on the server will not necessarily allow anonymous hacker to gain access to the server. Further, for this attack to work, both client and server must have SSLv3 enabled and the attacker must upload a file to the server so they can force the client connection to downgrade and attempt to sniff the data.
I think there is much greater risk to the client than to servers and this is mostly browser issue.
No. In fact by default the /var/cpanel/conf/cpsrvd/ssl_socket_args file is empty or missing by default. By default it would appear that cPanel loads all ciphers. This file just specifies what ciphersuites it will use if it is defined. That's why if you put -SSLv3 in the cPanel/WHM CipherSuite, then FireFox won't load the WHM.
Not sure, but probably. cPanel has moved away from doing things from a command-line interface requiring you to make all of your changes through the cPanel or WHM interface, to make sure it's kosher. That's fine if you have 1 or 2 servers and can easily log into the WHM for each server. But if you're managing 50+ servers, logging into 50+ WHMs isn't ideal (and it's very, very time consuming).
In regards to this - I have tried this on several Centos 5 based cPanel servers and so far i haven't been able to fix the issue. Using the ssllabs.com test it still shows as having SSLv3 enabled. If i try setting the cipher suite to any of the above listed options Apache won't start - gives the following error in error_log
I have even tried copying the "working" entries to notepad and simply added the :-SSLv3 and it still fails to reload.
Any help would be appreciated...
In order to disable the protocol, add
Code:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder onIf you still have issues, copy your cipher-list here, as the problem could be that you have no valid cipher configured after you disable the SSLv2 and SSLv3 protocols.
OK upon further investigation I think i may have found the issue. Centos 5 only appears to be using OpenSSL 0.9.8 as its usual repo-based installation. By removing SSLv3 it appears that OpenSSL has No ciphers that can be used.
if i remove the -SSLv3 option i get the following
Please correct me if i am wrong but it appears that 0.9.8 doesn't have any ciphers at all that don't contain SSLv3 in the ident....
Code:
openssl ciphers -vYour current cipher list is limitting you to TLSv1.2 ciphers, which may not be included in 0.9.8. You'll probably need to expand your cipher list to include 1, and 1.1, which will likely be supported by your version.
Picking up on what several people have said in this thread (and this may help @rohroh1974): You shouldn't be changing the SSLCiphers at all. SSLProtocol is the only thing that needs changing (well, setting, since the default EasyApache httpd.conf doesn't include that property at all), to specify that SSLv3 is not to be used. That can go in one of the include files.
If you remove SSLv3 from the Ciphers list (which several people are suggesting) you will also disable TLS1.0 and TLS1.1. You need to leave SSLv3 enabled at the Cipher level, but disallow anyone to use it using the SSLProtocol declaration.
All of this still only applies to Apache itself.
If you remove SSLv3 from the Ciphers list (which several people are suggesting) you will also disable TLS1.0 and TLS1.1. You need to leave SSLv3 enabled at the Cipher level, but disallow anyone to use it using the SSLProtocol declaration.
All of this still only applies to Apache itself.
I agree; sorry my post was a bit criptic. There is a difference between protocols and ciphers. You only need to disable the protocol if you have a properly configured cipher list already (should not need -SSLv3).
Poodle Attack
Hi All
After running a test I need to disable Disable SSLv3 and use TLS 1.0 or higher -
How do I implement the required changes in WHM to I guess the areas below please (current settings shown)
WHM » Apache Configuration » TLS Cipher Suite
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH
WHM » FTP Server Configuration » TLS Cipher Suite
HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
WHM » Mailserver Configuration » SSL Cipher List
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
WHM » Exim Configuration Manager » Advanced Editor » tls_require_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
Any help gratefully received and if possible in very simple terms
Hi All
After running a test I need to disable Disable SSLv3 and use TLS 1.0 or higher -
How do I implement the required changes in WHM to I guess the areas below please (current settings shown)
WHM » Apache Configuration » TLS Cipher Suite
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH
WHM » FTP Server Configuration » TLS Cipher Suite
HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
WHM » Mailserver Configuration » SSL Cipher List
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
WHM » Exim Configuration Manager » Advanced Editor » tls_require_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
Any help gratefully received and if possible in very simple terms
I have tried the below and when I run the test at ssllabs I get a message "Assessment failed: No secure protocols supported". I get this message before and after I do the below.
Last edited by a moderator:
