SSLv3 Vulnerability : http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

AdamDresch

Well-Known Member
Jun 22, 2006
80
0
156
So what's the immediate recommendation for WHM users?
Change the apache cipher entry to - ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP
Apache won't need rebuilding right?
 

JamesOakley

Well-Known Member
Apr 15, 2011
83
2
58
cPanel Access Level
Root Administrator
That would remove TLS1.0 and TLS1.1 as well. Just add one line to the pre_main_global.conf file:

SSLProtocol ALL -SSLv2 -SSLv3

and restart Apache.

That protects Apache, but not Exim, Dovecot, PureFTPD, ProFTPD or the cPanel processes themselves. Nobody's yet proposed a way to do those that doesn't also catch too much (although note the Dovecot remark earlier in this thread).
 
  • Like
Reactions: MaraBlue

ivan.g

Member
Mar 5, 2008
9
2
53
As advised by cPanel staff:
============================
In regards to this vulnerability, which is still fairly fresh at this time, the following link from Qualsys indicates some good ciphers to use, and describes how to go about disabling the SSL3 Protocol. Please note these are quite strict, and could cause issues with older browsers, however they are generally more secure.

https://community.qualys.com/blogs/...-apache-nginx-and-openssl-for-forward-secrecy

These ciphers can be configured for Apache as noted from the article via WHM > Service Configuration > Apache Configuration > Global Configuration. This will NOT work with cPanel/WHM and will break its SSL service. This cipher may also remove the issue with Forward Secrecy in most cases

EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS

Please note the cipher itself does not completely disable SSL3. You also cannot remove the SSL3 Protocol Support from the cPanel/WHM Services unfortunately. Also you should not alter the default ciphers for cPanel/WHM services at this time either as using anything that strips away SSL3/TLS 1.0 support will cause this to break due to they way its designed unfortunately.

To disable the SSL2 and SSL3 protocols in Apache, you can copy your Apache version's "main.default" file over to "main.local", and make the adjustments on the main.local file. You can find your Apache version by running "httpd -v".

Apache 2.2
cp /var/cpanel/templates/apache2_2/main.default /var/cpanel/templates/apache2_2/main.local

Apache 2.4
cp /var/cpanel/templates/apache2_4/main.default /var/cpanel/templates/apache2_4/main.local

You then want to look for the section that looks like this.

[% IF supported.mod_ssl -%]
# SSLCipherSuite can be set in WHM under 'Apache Global Configuration'
[% IF main.sslciphersuite.item.sslciphersuite.length %]SSLCipherSuite [%
main.sslciphersuite.item.sslciphersuite %][% END %]
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

And change it to add the following two things right after the [% IF supported.mod_ssl -%]

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on

An example of how it should look is below.

[% IF supported.mod_ssl -%]
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
# SSLCipherSuite can be set in WHM under 'Apache Global Configuration'
[% IF main.sslciphersuite.item.sslciphersuite.length %]SSLCipherSuite [%
main.sslciphersuite.item.sslciphersuite %][% END %]
SSLPassPhraseDialog builtin
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:/usr/local/apache/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

Then you can save the file, rebuild the configuration and restart Apache.

/scripts/rebuildhttpdconf
service httpd restart

This should remove the SSL3 protocol support from your server. You can test this on Qualsys to see the results.

http://ssllabs.com/ssltest/analyze.html
 

MaraBlue

Well-Known Member
May 3, 2005
332
2
168
Carmichael, CA
cPanel Access Level
Root Administrator
That is correct. FireFox cannot access cPanel, WHM or webmail secure ports when SSLv3 is disabled at WHM »Service Configuration »cPanel Web Services Configuration
I can confirm this from firsthand experience. I disabled SSL3 last night and got "locked" out of WHM from Firefox, my default browser, with the following error:

Code:
An error occurred during a connection to name.hostname.com:2087. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
Chrome had no problem accessing WHM. Clearly Mozilla needs to do more testing, and take into consideration the millions of cPanel/WHM users.

- - - Updated - - -

We are talking about apache and port 443. What about 2083 and 2087 2093 ports? Can somebody confirm that they are also affected?
Yes. I got locked out of WHM last night through Firefox after I disabled SSL3 server-side. Chrome had no problem connecting. Unfortunately, Chrome is not my browser of choice....
 

sparek-3

Well-Known Member
Aug 10, 2002
2,069
237
368
cPanel Access Level
Root Administrator
I can confirm this from firsthand experience. I disabled SSL3 last night and got "locked" out of WHM from Firefox, my default browser
You can resolve this from the command line by modifying or removing the ssl options from the file /var/cpanel/conf/cpsrvd/ssl_socket_args and restarting cpanel - /etc/init.d/cpanel restart
 

MaraBlue

Well-Known Member
May 3, 2005
332
2
168
Carmichael, CA
cPanel Access Level
Root Administrator
You can resolve this from the command line by modifying or removing the ssl options from the file /var/cpanel/conf/cpsrvd/ssl_socket_args and restarting cpanel - /etc/init.d/cpanel restart
Wouldn't what you're suggesting:

1. Disable SSL logins to cPanel/WHM?
2. Be overwritten when cPanel updates?

- - - Updated - - -

I know there is talk about OpenSSL 1.0.1j here, but for any that missed it:

See https://www.openssl.org/news/secadv_20141015.txt
Still waiting for OpenSSL 1.0.1j to be made available through the CentOS repos. I tried searching/asking on the CentOS forum, but it keeps timing out. Because it's generally not advised by cPanel to update outside the vendor provided repos, I'll wait, I guess. I just hope CentOS doesn't drag their feet on this.
 

deka

Member
Jul 24, 2014
17
0
1
cPanel Access Level
Root Administrator
Still waiting for OpenSSL 1.0.1j to be made available through the CentOS repos. I tried searching/asking on the CentOS forum, but it keeps timing out. Because it's generally not advised by cPanel to update outside the vendor provided repos, I'll wait, I guess. I just hope CentOS doesn't drag their feet on this.
Yes, we have to wait as no fix/patch been issued yet to resolve the cPanel services problem. You can however protect Apache from the vulnerability.

In WHM at:
Home » Service Configuration » Apache Configuration » Include Editor » Pre Main Include (pre_main_global.conf)

Enter:
SSLProtocol ALL -SSLv2 -SSLv3

Save and restart Apache to complete.
 

hicom

Well-Known Member
May 23, 2003
292
7
168
If I understood this vuln. properly and based on what I had read at:
https://www.openssl.org/~bodo/ssl-poodle.pdf

The issue primarily lies with the client. Having SSL3 enabled on the server will not necessarily allow anonymous hacker to gain access to the server. Further, for this attack to work, both client and server must have SSLv3 enabled and the attacker must upload a file to the server so they can force the client connection to downgrade and attempt to sniff the data.

I think there is much greater risk to the client than to servers and this is mostly browser issue.
 

sparek-3

Well-Known Member
Aug 10, 2002
2,069
237
368
cPanel Access Level
Root Administrator
1. Disable SSL logins to cPanel/WHM?
No. In fact by default the /var/cpanel/conf/cpsrvd/ssl_socket_args file is empty or missing by default. By default it would appear that cPanel loads all ciphers. This file just specifies what ciphersuites it will use if it is defined. That's why if you put -SSLv3 in the cPanel/WHM CipherSuite, then FireFox won't load the WHM.

2. Be overwritten when cPanel updates?
Not sure, but probably. cPanel has moved away from doing things from a command-line interface requiring you to make all of your changes through the cPanel or WHM interface, to make sure it's kosher. That's fine if you have 1 or 2 servers and can easily log into the WHM for each server. But if you're managing 50+ servers, logging into 50+ WHMs isn't ideal (and it's very, very time consuming).
 

rohroh1974

Member
Jun 25, 2007
17
0
51
Yes, we have to wait as no fix/patch been issued yet to resolve the cPanel services problem. You can however protect Apache from the vulnerability.

In WHM at:
Home » Service Configuration » Apache Configuration » Include Editor » Pre Main Include (pre_main_global.conf)

Enter:
SSLProtocol ALL -SSLv2 -SSLv3

Save and restart Apache to complete.

In regards to this - I have tried this on several Centos 5 based cPanel servers and so far i haven't been able to fix the issue. Using the ssllabs.com test it still shows as having SSLv3 enabled. If i try setting the cipher suite to any of the above listed options Apache won't start - gives the following error in error_log

[error] SSL Library Error: 336646329 error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
I have even tried copying the "working" entries to notepad and simply added the :-SSLv3 and it still fails to reload.

Any help would be appreciated...
 

TheRealWaldo

Registered
Oct 6, 2006
4
1
153
Any help would be appreciated...
In order to disable the protocol, add

Code:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
To your Pre VirtualHost Include instead of your Pre Main.

If you still have issues, copy your cipher-list here, as the problem could be that you have no valid cipher configured after you disable the SSLv2 and SSLv3 protocols.
 

rohroh1974

Member
Jun 25, 2007
17
0
51
In order to disable the protocol, add

Code:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
To your Pre VirtualHost Include instead of your Pre Main.

If you still have issues, copy your cipher-list here, as the problem could be that you have no valid cipher configured after you disable the SSLv2 and SSLv3 protocols.

OK upon further investigation I think i may have found the issue. Centos 5 only appears to be using OpenSSL 0.9.8 as its usual repo-based installation. By removing SSLv3 it appears that OpenSSL has No ciphers that can be used.

openssl ciphers -v 'ALL !ADH !NULL !EXPORT56 RC4+RSA +HIGH +MEDIUM -LOW -SSLv3 -SSLv2'
Error in cipher list
13370:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1188:
if i remove the -SSLv3 option i get the following

openssl ciphers -v 'ALL !ADH !NULL !EXPORT56 RC4+RSA +HIGH +MEDIUM -LOW -SSLv2 +TLSv1'
EXP-KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=MD5 export
EXP-KRB5-RC2-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=MD5 export
EXP-KRB5-DES-CBC-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=MD5 export
EXP-KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(40) Mac=SHA1 export
EXP-KRB5-RC2-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC2(40) Mac=SHA1 export
EXP-KRB5-DES-CBC-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=DES(40) Mac=SHA1 export
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
KRB5-DES-CBC3-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5
KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
KRB5-RC4-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=MD5
KRB5-RC4-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

Please correct me if i am wrong but it appears that 0.9.8 doesn't have any ciphers at all that don't contain SSLv3 in the ident....
 

TheRealWaldo

Registered
Oct 6, 2006
4
1
153
Code:
openssl ciphers -v
Will list all available ciphers in your installation.

Your current cipher list is limitting you to TLSv1.2 ciphers, which may not be included in 0.9.8. You'll probably need to expand your cipher list to include 1, and 1.1, which will likely be supported by your version.
 
  • Like
Reactions: MaraBlue

JamesOakley

Well-Known Member
Apr 15, 2011
83
2
58
cPanel Access Level
Root Administrator
Picking up on what several people have said in this thread (and this may help @rohroh1974): You shouldn't be changing the SSLCiphers at all. SSLProtocol is the only thing that needs changing (well, setting, since the default EasyApache httpd.conf doesn't include that property at all), to specify that SSLv3 is not to be used. That can go in one of the include files.

If you remove SSLv3 from the Ciphers list (which several people are suggesting) you will also disable TLS1.0 and TLS1.1. You need to leave SSLv3 enabled at the Cipher level, but disallow anyone to use it using the SSLProtocol declaration.

All of this still only applies to Apache itself.
 
  • Like
Reactions: MaraBlue

TheRealWaldo

Registered
Oct 6, 2006
4
1
153
I agree; sorry my post was a bit criptic. There is a difference between protocols and ciphers. You only need to disable the protocol if you have a properly configured cipher list already (should not need -SSLv3).
 

pgolding

Member
Feb 13, 2012
15
0
51
cPanel Access Level
Website Owner
Poodle Attack

Hi All

After running a test I need to disable Disable SSLv3 and use TLS 1.0 or higher -

How do I implement the required changes in WHM to I guess the areas below please (current settings shown)

WHM » Apache Configuration » TLS Cipher Suite
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH

WHM » FTP Server Configuration » TLS Cipher Suite
HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

WHM » Mailserver Configuration » SSL Cipher List
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

WHM » Exim Configuration Manager » Advanced Editor » tls_require_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Any help gratefully received and if possible in very simple terms :)
 

aklein

Registered
Nov 6, 2013
4
0
1
cPanel Access Level
Root Administrator
I have tried the below and when I run the test at ssllabs I get a message "Assessment failed: No secure protocols supported". I get this message before and after I do the below.

As advised by cPanel staff:
============================
In regards to this vulnerability, which is still fairly fresh at this time, the following link from Qualsys indicates some good ciphers to use, and describes how to go about disabling the SSL3 Protocol. Please note these are quite strict, and could cause issues with older browsers, however they are generally more secure.

...
 
Last edited by a moderator: