SSLv3 Vulnerability : http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

scollins (Active Member, PartnerNOC, joined Jul 3, 2003; cPanel Access Level: DataCenter Provider)

aklein (Registered, joined Nov 6, 2013; cPanel Access Level: Root Administrator)
I have tried the below, and when I run the test at ssllabs I get a message "Assessment failed: No secure protocols supported". I get this message both before and after I do the below.

I am wondering if I get "No secure protocols supported" because I do not have any domains on my site with secure sites configured. The only SSL connection is for WHM and cPanel access, which I understand the Apache fix mentioned here does not correct.
 

JustSomeGuy (Active Member, joined Oct 13, 2007)
I would also like to see an official response; it seems like it would be so easy to break things if the settings are incorrectly changed.
I am sure most of us would at least like to hear "something" from cPanel, either that they are looking into a fix, patch, etc...
 

PhilGlau (Active Member, joined Nov 3, 2010)
Here's the advice I got from cPanel when I opened a support ticket:

On October 14, 2014, security experts alerted the general public to a flaw in an obsolete but still-used SSL protocol (SSLv3).

The "POODLE" (Padding Oracle On Downgraded Legacy Encryption) attack can force a connection to "fallback" to SSL 3.0, where it is then possible to steal cookies, which are small data files that enable persistent access to an online service. If stolen, a cookie could allow an attacker access to someone's Web-based email account, for example.

It's important to know that this flaw is most likely present in all servers and is not specific to the cPanel software. However, servers that currently function only because of SSL 3.0 fallback should be updated.

To accomplish this, please follow these steps. This does not appear to affect SSH and FTP services.

====

For Apache:

1) Go to WHM => Service Configuration => Apache Configuration => Include Editor => Pre Main Include.
2) Select a version or All Versions.
3) If you are using CentOS/RHEL 6.x, add the following in the text box that appears:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

If you are using CentOS/RHEL 5.x, add the following in the text box that appears:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1

4) Press the Update button and rebuild your Apache configuration.

This will disable SSLv3.0 on your server running Apache.

For LiteSpeed:

LiteSpeed has released version 4.2.18 to address this issue by using OpenSSL 1.0.1j and disabling SSLv3 by default. You can force an update by running this command:

# /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.18

====

For cpsrvd and cpdavd:

1. Create the following files if they do not already exist:

/var/cpanel/conf/cpsrvd/ssl_socket_args
/var/cpanel/conf/cpdavd/ssl_socket_args

2. Add the following to those files:

SSL_version=TLSv1

Please note that forcing TLSv1 support in this way will also disable support for the newer TLSv1.1 and TLSv1.2 protocols on CentOS/RHEL 6 and this is the only option that WHM 11.44 supports to directly disable SSLv3. CentOS/RHEL 5 does not support the newer TLS protocols so limiting it to TLSv1.0 does not reduce the existing TLS protocol support. More complex protocol strings will work for cpdavd for all builds. The cpsrvd process in WHM 11.46 also supports complex protocol strings such as "SSL_version=SSLv23:!SSLv2:!SSLv3" which will preserve support for TLSv1.1 and TLSv1.2 on CentOS/RHEL 6. Any 11.44 systems only need to enable TLSv1 support using this method until a fix has been released for internal case 124993 that is open about this issue.

====

For Dovecot:

1) Make a copy of /var/cpanel/templates/dovecot2.2/main.default
2) Edit /var/cpanel/templates/dovecot2.2/main.default. Below:

# SSL ciphers to use
[%- IF ssl_cipher_list.defined %]
ssl_cipher_list = [% ssl_cipher_list %]
[%- ELSE %]
#ssl_cipher_list = ALL:!LOW:!SSLv2
[%- END %]

Add:

# SSL/TLS protocols to use
[%- IF ssl_protocols.defined %]
ssl_protocols = [% ssl_protocols %]
[%- ELSE %]
ssl_protocols = !SSLv2 !SSLv3
[%- END %]

3) Save the file and run '/usr/local/cpanel/scripts/builddovecotconf' to rebuild the Dovecot configuration file
4) Restart Dovecot by running '/usr/local/cpanel/scripts/restartsrv_dovecot'

====

For Courier:

There is currently no workaround at this time. We have an internal case open, 125369. We advise that you switch to Dovecot instead if you want to disable SSLv3.

====

For Exim:

1) Go to WHM => Service Configuration => Exim Configuration Manager => Advanced Editor
2) At the top is SECTION: Config. Go to the end of that section and click the button "Add additional configuration setting". It will open two boxes above the button you clicked.
3) In the first blank box, put in:

openssl_options

In the blank box next to it, put in:

+no_sslv3

4) Go to the bottom of the page and hit the save button.

====

Thank you.

--
Thank you for using cPanel
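After applying the ticket steps above you want an independent check that SSLv3 is really gone on each port, without depending on an external scanner. The following is an added example, not part of this thread and not cPanel's own tooling: a small Python probe that sends a hand-built SSLv3 ClientHello and classifies the first record the server returns, an SSLv3 ServerHello meaning SSLv3 is still accepted, an alert meaning it is refused. Modern Python's ssl module cannot negotiate SSLv3 itself, which is why the hello is built from raw bytes. The default port list, the cipher suites offered and the sample ServerHello used for the offline check are assumptions of the example.

```python
"""Probe a port for SSLv3 acceptance with a raw SSLv3 ClientHello (added example)."""
import os
import socket
import struct
import sys

SSLV3 = b"\x03\x00"   # ProtocolVersion {3, 0}
TLS10 = b"\x03\x01"

# Cipher suites an SSLv3-era server would normally offer (IANA registry values).
CIPHER_SUITES = (0x0035, 0x002F, 0x000A, 0x0005)

# Assumed implicit-TLS ports on a cPanel host: HTTPS, cPanel, WHM, webmail, IMAPS, POP3S, SMTPS.
# STARTTLS ports (25/587/143/110) need a STARTTLS dialogue first and are not covered by this probe.
DEFAULT_PORTS = (443, 2083, 2087, 2096, 993, 995, 465)


def build_sslv3_client_hello(client_random=None):
    """Return one record-layer frame carrying an SSLv3 ClientHello (SSLv3 has no extensions)."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3                                      # client_version
        + client_random                            # gmt_unix_time + random_bytes
        + b"\x00"                                  # session_id: empty
        + struct.pack("!H", len(suites)) + suites  # cipher_suites
        + b"\x01\x00"                              # compression_methods: null only
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body        # HandshakeType 1, uint24 length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake  # ContentType 22 = handshake


def classify_response(data):
    """Classify the server's first record: 'sslv3_accepted', 'refused', 'closed' or 'unexpected'."""
    if len(data) < 5:
        return "closed"                            # connection dropped before a full record header
    if data[0] == 0x15:                            # Alert, e.g. fatal handshake_failure / protocol_version
        return "refused"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:   # Handshake carrying a ServerHello
        return "sslv3_accepted" if data[9:11] == SSLV3 else "unexpected"
    return "unexpected"


def probe(host, port, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            return classify_response(sock.recv(4096))
    except socket.timeout:
        return "timeout"
    except OSError:
        return "closed"


def sample_server_hello(version=SSLV3):
    """Constructed offline sample: a minimal ServerHello record for exercising classify_response()."""
    body = version + b"\x00" * 32 + b"\x00" + struct.pack("!H", 0x002F) + b"\x00"
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    ports = [int(p) for p in sys.argv[2:]] or DEFAULT_PORTS
    for port in ports:
        print(f"{target}:{port}\t{probe(target, port)}")
```

Run it as `python3 sslv3probe.py your.host` after the reconfiguration; every port should report `refused` (or `closed` for services that are not listening). A `timeout` usually means a firewall or a STARTTLS-only port rather than an SSLv3 verdict.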
 

Venomous21 (Well-Known Member, joined Jun 28, 2012; cPanel Access Level: Root Administrator)
Concerning PhilGlau's post above, can someone at cPanel confirm these steps should be applied to a CentOS 5 server? Will these steps from PhilGlau's post or the steps listed directly below cause IE6 to fail on SSL sites? (Sadly, lots of clients still use IE6... yes, I know...)

To protect just apache, this would work? (Would this apply to whm logins on :2087?)

===
That would remove TLS1.0 and TLS1.1 as well. Just add one line to the

pre_main_global.conf file:

SSLProtocol ALL -SSLv2 -SSLv3

and restart Apache.
===


Does cpanel plan to add a patch to add these protections per PhilGlau's post or must we manually add these to every server?


Per https://access.redhat.com/articles/1232123 , Red hat even says under Impact:

Exploiting this vulnerability is not easily accomplished. Man-in-the-middle attacks require large amounts of time and resources. While likelihood is low, Red Hat recommends implementing only TLS to avoid flaws in SSL.

Are there other exploits other than MitM attacks at the moment, which Red Hat says are fairly difficult to accomplish? Based on Red Hat's impact statement, should we wait for cPanel to release a patch to address these issues in Apache, Dovecot, cPanel services, etc.? I will obviously update SSL on the system and restart Apache to at least apply the current mitigation of the patch. The flaw is listed with a moderate rating on CentOS (Red Hat) 5 but an important rating for versions 6 & 7, since there are other vulnerabilities with versions of SSL that are newer than 0.9.8.

I look forward to your thoughts and comments. Thank you.
 

eva2000 (Well-Known Member, joined Aug 14, 2001, Brisbane, Australia; cPanel Access Level: Root Administrator)
Updates for CentOS are upon us:

CentOS 6.5 64bit
Code:
yum clean all -q; yum list updates -q
Updated Packages
openssl.i686          1.0.1e-30.el6_5.2      updates
openssl-devel.i686    1.0.1e-30.el6_5.2      updates

CentOS 7.0 64bit
Code:
yum clean all -q; yum list updates -q
Updated Packages
openssl.x86_64        1:1.0.1e-34.el7_0.6    updates
openssl-devel.x86_64  1:1.0.1e-34.el7_0.6    updates
openssl-libs.x86_64   1:1.0.1e-34.el7_0.6    updates
 

quizknows (Well-Known Member, joined Oct 20, 2009; cPanel Access Level: DataCenter Provider)
I'm not buying the rumor that Firefox doesn't use TLS on ports that aren't 443.

While disabling the SSLv3 ciphers on WHM's end seems to break things, when I connect to WHM and view the connection security information in Firefox, it reports that TLS is in use.

Urgency wise, I'm kinda waiting this one out to see how cPanel addresses it. Anyone using a modern browser really shouldn't be THAT concerned unless you're connecting to a service that only supports SSLv3. I'd be more worried about email clients than web browsers at this point. Just my two cents.
 

eva2000 (Well-Known Member, joined Aug 14, 2001, Brisbane, Australia; cPanel Access Level: Root Administrator)
> I'm not buying the rumor that Firefox doesn't use TLS on ports that aren't 443.
>
> While disabling the SSLv3 ciphers on WHM's end seems to break things, when I connect to WHM and view the connection security information in Firefox, it reports that TLS is in use.
>
> Urgency wise, I'm kinda waiting this one out to see how cPanel addresses it. Anyone using a modern browser really shouldn't be THAT concerned unless you're connecting to a service that only supports SSLv3. I'd be more worried about email clients than web browsers at this point. Just my two cents.

ssl - Does Firefox support TLS on non-standard ports? - Super User
 

durangod (Well-Known Member, joined May 12, 2012; cPanel Access Level: Website Owner)
Hi,

A little confused here as to the total solution. I'm running Red Hat CentOS 6.5 and PHP 5.4, so what are we doing here:

1. updating centos
2. disabling ssl3
3. enabling tls
4. all the above

thanks

Regarding the instructions someone shared back on post 47:

I don't have this file or dir. All I have is dovecot and dict.sqlite inside of it.

> For Dovecot:
>
> 1) Make a copy of /var/cpanel/templates/dovecot2.2/main.default
> 2) Edit /var/cpanel/templates/dovecot2.2/main.default. Below:
>
> # SSL ciphers to use
> [%- IF ssl_cipher_list.defined %]
> ssl_cipher_list = [% ssl_cipher_list %]
> [%- ELSE %]
> #ssl_cipher_list = ALL:!LOW:!SSLv2
> [%- END %]
>
> Add:
>
> # SSL/TLS protocols to use
> [%- IF ssl_protocols.defined %]
> ssl_protocols = [% ssl_protocols %]
> [%- ELSE %]
> ssl_protocols = !SSLv2 !SSLv3
> [%- END %]
>
> 3) Save the file and run '/usr/local/cpanel/scripts/builddovecotconf' to rebuild the Dovecot configuration file
> 4) Restart Dovecot by running '/usr/local/cpanel/scripts/restartsrv_dovecot'

However, inside the dovecot config in /etc I did find this section on line 90:

# SSL ciphers to use
ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

So I'm guessing I can use the if statement from the help post above in the same way? Like so:

# SSL/TLS protocols to use
[%- IF ssl_protocols.defined %]
ssl_protocols = [% ssl_protocols %]
[%- ELSE %]
ssl_protocols = !SSLv2 !SSLv3
[%- END %]
 

jdlightsey (Perl Developer III, cPanel staff member, joined Mar 6, 2007, Houston, Texas; cPanel Access Level: Root Administrator)
> Urgency wise, I'm kinda waiting this one out to see how cPanel addresses it. Anyone using a modern browser really shouldn't be THAT concerned unless you're connecting to a service that only supports SSLv3. I'd be more worried about email clients than web browsers at this point. Just my two cents.
This flaw exposed several shortcomings in the flexibility our interfaces allow in configuring SSL. In the past, we've mainly received requests to adjust the SSL cipher list to meet PCI compliance requirements. We've addressed those concerns by providing WHM interfaces to configure the cipher list for all SSL enabled services and setting services to use PCI compliant cipher settings by default.

The POODLE attack is focused on the way the SSLv3 protocol uses certain ciphers, rather than the ciphers themselves. The correct fix is to change the SSL protocol settings rather than the SSL cipher setting. Since this hasn't been requested in the past, we need to update the various WHM interfaces that allow specifying the SSL cipher list to also allow specifying the SSL protocol list.

As the response from tech support indicates, you can manually force a different protocol list into every service provided by cPanel & WHM. I wouldn't recommend going this route unless you must reconfigure your services immediately (PCI compliance, for instance). The POODLE attack is very real, but since it's a man-in-the-middle attack like CRIME, BEAST and SSLStrip, it's unlikely to be widespread in the way Heartbleed and Shellshock were. The threat from POODLE is quite similar to the earlier man-in-the-middle attacks against SSL. The threat of a POODLE attack is also vastly lower than the threat caused by sending data over plaintext connections.

The development team is working on changes to all supported cPanel & WHM releases to make the SSL protocol list default to secure settings and to make reconfiguration of the protocol list possible using the WHM interfaces. If you do reconfigure services manually as the tech support response indicates, you'll want to undo the changes once our fixes are available. Failing to remove these types of customizations when they are no longer needed increases the likelihood that the server will miss updates in the future. Many of the workarounds available for existing builds override cPanel & WHM's ability to update the configuration files.

I'm working with our documentation team to get full details about how the cipher list and protocol list can be configured for all the services managed by cPanel & WHM into our documentation site. The documentation will be updated once the new builds are available. I'll add a link to this thread once the documentation is online.

Unless you have an immediate requirement to update the protocol list though, I'd recommend waiting for the new cPanel & WHM builds that will default to secure SSL protocol settings.
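The point above that POODLE is about how SSLv3 uses CBC ciphers, not about the ciphers themselves, is easiest to see in code. What follows is an added toy simulation, not part of this thread and not cPanel's code. It reproduces the POODLE mechanics on SSLv3 CBC records: the receiver checks only the final padding-length byte, so a man in the middle who can make the client repeat a request copies the ciphertext block holding one cookie byte over the padding block and learns that byte whenever the record is accepted, about once in 256 attempts; the CBC relation then gives the plaintext byte directly. With strict_padding=True the receiver applies the TLS 1.0 rule that every padding byte must equal the length, and the oracle goes silent even though the cipher suite is unchanged. The block cipher (a small Feistel network), the MAC (HMAC-SHA1 rather than SSLv3's MAC construction) and the cookie value are stand-ins constructed for the example.

```python
"""Toy POODLE: padding oracle on SSLv3-style CBC records (added example, stand-in primitives)."""
import hashlib
import hmac
import os

BLOCK = 16      # cipher block size
MAC_LEN = 20    # SHA-1 sized MAC, as in the *_SHA cipher suites


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    """Toy 4-round Feistel cipher on 16-byte blocks: invertible, not secure, stands in for AES/3DES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor(right, _f(key, rnd, left)), left
    return left + right


def sslv3_seal(key, mac_key, data):
    """Sender: data || MAC || padding, CBC-encrypted under a fresh IV, returned as a list of blocks.
    SSLv3 rule: padding bytes are arbitrary (random here); only the final length byte matters."""
    mac = hmac.new(mac_key, data, hashlib.sha1).digest()
    padlen = (BLOCK - 1) - (len(data) + MAC_LEN) % BLOCK
    plain = data + mac + os.urandom(padlen) + bytes([padlen])
    blocks = [os.urandom(BLOCK)]                                  # blocks[0] is the IV
    for i in range(0, len(plain), BLOCK):
        blocks.append(block_encrypt(key, xor(plain[i:i + BLOCK], blocks[-1])))
    return blocks


def sslv3_open(key, mac_key, blocks, strict_padding=False):
    """Receiver: True if padding and MAC verify. SSLv3 checks only the length byte;
    strict_padding=True applies the TLS 1.0 rule that every padding byte must equal padlen."""
    plain = b"".join(xor(block_decrypt(key, cur), prev) for prev, cur in zip(blocks, blocks[1:]))
    if not plain or plain[-1] >= BLOCK:
        return False
    padlen = plain[-1]
    if strict_padding and plain[-padlen - 1:-1] != bytes([padlen]) * padlen:
        return False
    body, mac = plain[:-padlen - 1 - MAC_LEN], plain[-padlen - 1 - MAC_LEN:-padlen - 1]
    return hmac.compare_digest(mac, hmac.new(mac_key, body, hashlib.sha1).digest())


SECRET = b"sid=9f3e"   # constructed sample cookie value the attacker is after


def make_client(key, mac_key, secret):
    """Victim browser: the attacker's script chooses path and body lengths; the cookie rides along."""
    def send(prefix_len, suffix_len):
        return sslv3_seal(key, mac_key, b"/" * prefix_len + secret + b"x" * suffix_len)
    return send


def recover_secret(send, accepts, secret_len, max_tries=20000):
    """Man in the middle: replace the padding block with the block holding secret[j] and watch for acceptance.
    Acceptance means the decrypted last byte was BLOCK-1, which reveals secret[j] by the CBC relation."""
    recovered = bytearray()
    for j in range(secret_len):
        prefix = (BLOCK - 1 - j) % BLOCK                         # lands secret[j] at the end of a block
        suffix = (-(prefix + secret_len + MAC_LEN)) % BLOCK      # makes the padding exactly one full block
        target = (prefix + j) // BLOCK + 1                       # index of that ciphertext block (0 = IV)
        for _ in range(max_tries):
            blocks = send(prefix, suffix)
            forged = blocks[:-1] + [blocks[target]]
            if accepts(forged):                                  # about 1 record in 256 survives the check
                recovered.append((BLOCK - 1) ^ blocks[target - 1][-1] ^ blocks[-2][-1])
                break
        else:
            return None                                          # oracle never fired (e.g. TLS-style padding)
    return bytes(recovered)


if __name__ == "__main__":
    key, mac_key = os.urandom(16), os.urandom(16)
    send = make_client(key, mac_key, SECRET)
    print("SSLv3 padding  :", recover_secret(send, lambda b: sslv3_open(key, mac_key, b), len(SECRET)))
    print("TLS 1.0 padding:", recover_secret(send, lambda b: sslv3_open(key, mac_key, b, True), 1, 2000))
```

The first line of output recovers the whole cookie after a few thousand forged records; the second returns None because the TLS 1.0 padding check rejects every forgery. That is exactly why the remedy is `SSLProtocol -All +TLSv1 ...` rather than a cipher-list change: the same CBC suites are fine once the stricter protocol does the padding check.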
 

durangod (Well-Known Member, joined May 12, 2012; cPanel Access Level: Website Owner)
You can also check your certs here for other validation.

GeoTrust and RapidSSL: https://ssltools.geotrust.com/checker/views/certCheck.jsp
Symantec: https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp

I ended up just doing this part of the instructions on this page; for the rest of it I am also going to wait to see what cPanel says we should do.

For Apache:

1) Go to WHM => Service Configuration => Apache Configuration => Include Editor => Pre Main Include.
2) Select a version or All Versions.
3) If you are using CentOS/RHEL 6.x, add the following in the text box that appears:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
 

jdlightsey (Perl Developer III, cPanel staff member, joined Mar 6, 2007, Houston, Texas; cPanel Access Level: Root Administrator)
> Hi,
>
> A little confused here as to the total solution. I'm running Red Hat CentOS 6.5 and PHP 5.4, so what are we doing here:
>
> 1. updating centos
> 2. disabling ssl3
> 3. enabling tls
> 4. all the above
#1 The RPM update limits the ability of an attacker to force a protocol downgrade when the web browser initially connects to the server. It's definitely good to install this update.

#2-4, The protocol setting should be one that enables all protocols and disables the SSLv2 and SSLv3 protocols. Although POODLE targets SSLv3, SSLv2 is also considered to be a poor choice.

The specific protocol setting is dependent on the service you're reconfiguring. Services are fairly consistent in the way the cipher list is specified, but this isn't the case with the protocol list. The settings support recommends have been checked to verify they function correctly in each service.

If your system doesn't have /var/cpanel/templates/dovecot2.2/main.default, you're likely on an older build that still uses Dovecot 1.2. The main.default template would be in a different directory in that case. If you open a ticket with our support department, they can help you make the changes.
 

jdlightsey (Perl Developer III, cPanel staff member, joined Mar 6, 2007, Houston, Texas; cPanel Access Level: Root Administrator)
> would be nice to have a single WHM SSL management page which allows controlling SSL protocols, ciphers for all cpanel services Apache, mail etc instead of separate pages to go through :)
That has come up quite a bit today as we were putting together the list of interfaces that changes need to be made in. I'm not certain whether it will get in with the initial fixes, but it's clear that WHM needs one place you can set the preferred defaults for the SSL cipher and protocol lists.

The cPanel knowledge base has an article now on adjusting SSL ciphers and SSL protocols for each SSL speaking service we configure. This article will be updated with details on the new configuration interfaces for the protocols once we have the new builds out.

http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols
 

durangod (Well-Known Member, joined May 12, 2012; cPanel Access Level: Website Owner)
Ticket submitted earlier today, #5586713. I will keep you all posted.

@jd 500 error on your link :(
 

eva2000 (Well-Known Member, joined Aug 14, 2001, Brisbane, Australia; cPanel Access Level: Root Administrator)
> That has come up quite a bit today as we were putting together the list of interfaces that changes need to be made in. I'm not certain whether it will get in with the initial fixes, but it's clear that WHM needs one place you can set the preferred defaults for the SSL cipher and protocol lists.
>
> The cPanel knowledge base has an article now on adjusting SSL ciphers and SSL protocols for each SSL speaking service we configure. This article will be updated with details on the new configuration interfaces for the protocols once we have the new builds out.
>
> http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

So for

/var/cpanel/conf/cpsrvd/ssl_socket_args
/var/cpanel/conf/cpdavd/ssl_socket_args
/usr/lib/courier/etc/imapd
/usr/lib/courier/etc/imapd-ssl
/usr/lib/courier/etc/pop3d
/usr/lib/courier/etc/pop3d-ssl

if they do not exist, create them?

Code:
echo "SSL_version=SSLv23:!SSLv2:!SSLv3" > /var/cpanel/conf/cpsrvd/ssl_socket_args
echo "SSL_version=TLSv1" > /var/cpanel/conf/cpdavd/ssl_socket_args
echo "TLS_STARTTLS_PROTOCOL=TLSv1" > /usr/lib/courier/etc/imapd
echo "TLS_PROTOCOL=TLSv1" > /usr/lib/courier/etc/imapd-ssl
echo "TLS_STARTTLS_PROTOCOL=TLSv1" > /usr/lib/courier/etc/pop3d
echo "TLS_PROTOCOL=TLSv1" > /usr/lib/courier/etc/pop3d-ssl
For Dovecot I have 2 versions?
Code:
ls -lah /var/cpanel/templates/dovecot*
/var/cpanel/templates/dovecot1.2:
total 52K
drwxr-xr-x 2 root root 4.0K Feb 26  2013 .
drwxr-xr-x 7 root root 4.0K Dec 22  2013 ..
-rw-r--r-- 1 root root  42K Feb 26  2013 main.default

/var/cpanel/templates/dovecot2.2:
total 64K
drwxr-xr-x 2 root root 4.0K Dec 22  2013 .
drwxr-xr-x 7 root root 4.0K Dec 22  2013 ..
-rw-r--r-- 1 root root  50K Dec 22  2013 main.default