"Fix" should be used loosely here. They added support for TLS_FALLBACK_SCSV but are not addressing the SSLv3 protocol flaw:
This SSL 3.0 protocol flaw will not be addressed in a future update; it is recommended that users configure their applications to require at least TLS protocol version 1.0 for secure communication.
I would also like to see an official response, it seems like it would be so easy to break things if the settings are incorrectly changed.
Would be very nice for an official cPanel response ...
I have tried the below and when I run the test at ssllabs I get a message "Assessment failed: No secure protocols supported". I get this message before and after I do the below.
I am sure most of us would at least like to hear "something" from CPanel. Either they are looking into a fix, patch, etc...
I would also like to see an official response, it seems like it would be so easy to break things if the settings are incorrectly changed.
Disable the SSL3 protocol in Apache as mentioned already, then run SSL Labs test using your server hostname: name.domain.com
The only SSL connection is for WHM and Cpanel access.
On October 14, 2014, security experts alerted the general public to a flaw in an obsolete but still-used SSL protocol (SSLv3).
The "POODLE" (Padding Oracle On Downgraded Legacy Encryption) attack can force a connection to "fallback" to SSL 3.0, where it is then possible to steal cookies, which are small data files that enable persistent access to an online service. If stolen, a cookie could allow an attacker access to someone's Web-based email account, for example.
It's important to know that this flaw is most likely present in all servers and is not specific to the cPanel software. However, servers that currently function only because of SSL 3.0 fallback should be updated.
To accomplish this, please follow these steps. This does not appear to affect SSH and FTP services.
====
For Apache:
1) Go to WHM => Service Configuration => Apache Configuration => Include Editor => Pre Main Include.
2) Select a version or All Versions.
3) If you are using CentOS/RHEL 6.x, add the following in the text box that appears:
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
If you are using CentOS/RHEL 5.x, add the following in the text box that appears:
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1
4) Press the Update button and rebuild your Apache configuration.
This will disable SSLv3.0 on your server running Apache.
For LiteSpeed:
LiteSpeed has released version 4.2.18 to address this issue by using OpenSSL 1.0.1j and disabling SSLv3 by default. You can force an update by running this command:
# /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.18
====
For cpsrvd and cpdavd:
1. Create the following files if they do not already exist:
/var/cpanel/conf/cpsrvd/ssl_socket_args
/var/cpanel/conf/cpdavd/ssl_socket_args
2. Add the following to those files:
SSL_version=TLSv1
Please note that forcing TLSv1 support in this way will also disable support for the newer TLSv1.1 and TLSv1.2 protocols on CentOS/RHEL 6 and this is the only option that WHM 11.44 supports to directly disable SSLv3. CentOS/RHEL 5 does not support the newer TLS protocols so limiting it to TLSv1.0 does not reduce the existing TLS protocol support. More complex protocol strings will work for cpdavd for all builds. The cpsrvd process in WHM 11.46 also supports complex protocol strings such as "SSL_version=SSLv23:!SSLv2:!SSLv3" which will preserve support for TLSv1.1 and TLSv1.2 on CentOS/RHEL 6. Any 11.44 systems only need to enable TLSv1 support using this method until a fix has been released for internal case 124993 that is open about this issue.
====
For Dovecot:
1) Make a copy of /var/cpanel/templates/dovecot2.2/main.default
2) Edit /var/cpanel/templates/dovecot2.2/main.default. Below:
# SSL ciphers to use
[%- IF ssl_cipher_list.defined %]
ssl_cipher_list = [% ssl_cipher_list %]
[%- ELSE %]
#ssl_cipher_list = ALL:!LOW:!SSLv2
[%- END %]
Add:
# SSL/TLS protocols to use
[%- IF ssl_protocols.defined %]
ssl_protocols = [% ssl_protocols %]
[%- ELSE %]
ssl_protocols = !SSLv2 !SSLv3
[%- END %]
3) Save the file and run '/usr/local/cpanel/scripts/builddovecotconf' to rebuild the Dovecot configuration file
4) Restart Dovecot by running '/usr/local/cpanel/scripts/restartsrv_dovecot'
====
For Courier:
There is currently no workaround at this time. We have an internal case open, 125369. We advise that you switch to Dovecot instead if you want to disable SSLv3.
====
For Exim:
1) Go to WHM => Service Configuration => Exim Configuration Manager => Advanced Editor
2) At the top is SECTION: Config. Go to the end of that section and click the button "Add additional configuration setting". It will open two boxes above the button you clicked.
3) In the first blank box, put in:
openssl_options
In the blank box next to it, put in:
+no_sslv3
4) Go to the bottom of the page and hit the Save button.
====
Thank you.
--
Thank you for using cPanel
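The procedure above tells you how to turn SSLv3 off per service but not how to confirm it took; the usual `openssl s_client -ssl3` check also stops working once the local openssl is built without SSLv3. The probe below is an added example for this thread, not cPanel's or any vendor's code: it hand-builds an SSLv3 ClientHello, sends it over a raw socket, and classifies the first record the server returns (ServerHello = SSLv3 still accepted, alert = refused, close = refused). A second pass adds the TLS_FALLBACK_SCSV signalling suite from RFC 7507, which is what the openssl RPM update discussed later in the thread adds; an SCSV-aware server that still supports something newer than SSLv3 answers that pass with alert 86 (inappropriate_fallback). The hostname placeholder `name.domain.com` is taken from the thread, the port list is an assumption for a typical cPanel box, and the sample server responses are constructed so the classifier can be exercised offline. STARTTLS ports (25, 587, 110, 143) need the STARTTLS exchange first and are not covered.

```python
"""Probe a TLS endpoint for SSLv3 acceptance and TLS_FALLBACK_SCSV handling.

Added example (not cPanel code).  It speaks just enough of the record layer to
send a ClientHello and read back a ServerHello or an Alert.
"""
import socket
import struct
import sys

SSLV3 = (3, 0)
TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 signalling cipher suite value
# SSLv3-era suites: AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5
SSLV3_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)
ALERT_INAPPROPRIATE_FALLBACK = 86   # sent by SCSV-aware servers on a bogus downgrade

# Assumed cPanel service ports: Apache, cpsrvd (cPanel/WHM/webmail), cpdavd, IMAPS, POP3S, SMTPS
CPANEL_TLS_PORTS = (443, 2083, 2087, 2096, 2078, 993, 995, 465)


def build_client_hello(version=SSLV3, suites=SSLV3_SUITES, fallback_scsv=False,
                       client_random=b"\x00" * 32):
    """Return one TLS record carrying a ClientHello for the given version."""
    suites = list(suites)
    if fallback_scsv:
        suites.append(TLS_FALLBACK_SCSV)  # tells the server "this is a retry at a lower version"
    body = bytes(version) + client_random + b"\x00"     # client_version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=client_hello, 24-bit length
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first record a server sent back to our ClientHello.

    Returns (kind, detail): ("accepted", (major, minor)) for a ServerHello,
    ("inappropriate_fallback", 86) or ("rejected", alert_desc) for an alert,
    ("no-response", None) if the peer just closed the connection.
    """
    if len(data) < 5:
        return ("no-response", None)
    ctype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:   # handshake / server_hello
        return ("accepted", (payload[4], payload[5]))                 # server_version after 4-byte header
    if ctype == 0x15 and len(payload) >= 2:                           # alert: level, description
        desc = payload[1]
        if desc == ALERT_INAPPROPRIATE_FALLBACK:
            return ("inappropriate_fallback", desc)
        return ("rejected", desc)
    return ("unknown", ctype)


def verdict(plain, scsv):
    """Turn the plain-SSLv3 and SSLv3+SCSV probe results into a one-line finding."""
    if plain[0] == "accepted":
        return "SSLv3 ACCEPTED (server_version %d.%d): POODLE exposure, disable SSLv3" % plain[1]
    if scsv[0] == "inappropriate_fallback":
        return "SSLv3 refused; server honours TLS_FALLBACK_SCSV (downgrade attempts are detected)"
    return "SSLv3 refused (%s, alert %s)" % (plain[0], plain[1])


def probe(host, port, fallback_scsv=False, timeout=5.0):
    """Send one ClientHello and classify what comes back (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(fallback_scsv=fallback_scsv))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


# Constructed server responses (not captured traffic) to exercise the classifier offline.
def sample_server_hello(version=SSLV3, suite=0x002F):
    body = bytes(version) + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def sample_alert(description, version=SSLV3):
    return b"\x15" + bytes(version) + b"\x00\x02" + bytes([2, description])   # level 2 = fatal


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "name.domain.com"   # placeholder hostname from the thread
    ports = [int(p) for p in sys.argv[2:]] or list(CPANEL_TLS_PORTS)
    for port in ports:
        try:
            plain = probe(host, port)
            scsv = probe(host, port, fallback_scsv=True)
        except OSError as exc:
            print("%s:%d  %s" % (host, port, exc))
            continue
        print("%s:%d  %s" % (host, port, verdict(plain, scsv)))
```

Run it as `python3 probe_sslv3.py name.domain.com 443 2083 2087 993 995 465` after applying the Apache, cpsrvd/cpdavd, Dovecot and Exim changes; every port should come back "SSLv3 refused". A server that has SSLv3 disabled but no SCSV support simply refuses both probes, which is still the safe outcome; the SCSV pass only adds information about whether a client's own fallback retry would be caught.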
Agreed. I'm sure they're working on it, I just hope they don't take too long.
Y'know, it'd sure be nice for CPanel to issue an official bulletin on this.
yum clean all -q; yum list updates -q
Updated Packages
openssl.i686 1.0.1e-30.el6_5.2 updates
openssl-devel.i686 1.0.1e-30.el6_5.2 updates
yum clean all -q; yum list updates -q
Updated Packages
openssl.x86_64 1:1.0.1e-34.el7_0.6 updates
openssl-devel.x86_64 1:1.0.1e-34.el7_0.6 updates
openssl-libs.x86_64 1:1.0.1e-34.el7_0.6 updates
ssl - Does Firefox support TLS on non-standard ports? - Super User
I'm not buying the rumor that firefox doesn't use TLS on ports that aren't 443.
While disabling the sslv3 ciphers on WHMs end seems to break things, when I connect to WHM and view the connection security information in firefox, it reports that TLS is in use.
Urgency wise, I'm kinda waiting this one out to see how cPanel addresses it. Anyone using a modern browser really shouldn't be THAT concerned unless you're connecting to a service that only supports sslv3. Id be more worried about email clients than web browsers at this point. Just my two cents.
However, inside of the etc dovecot config I did find this section on line 90:
For Dovecot:
1) Make a copy of /var/cpanel/templates/dovecot2.2/main.default
2) Edit /var/cpanel/templates/dovecot2.2/main.default. Below:
# SSL ciphers to use
[%- IF ssl_cipher_list.defined %]
ssl_cipher_list = [% ssl_cipher_list %]
[%- ELSE %]
#ssl_cipher_list = ALL:!LOW:!SSLv2
[%- END %]
Add:
# SSL/TLS protocols to use
[%- IF ssl_protocols.defined %]
ssl_protocols = [% ssl_protocols %]
[%- ELSE %]
ssl_protocols = !SSLv2 !SSLv3
[%- END %]
3) Save the file and run '/usr/local/cpanel/scripts/builddovecotconf' to rebuilt the Dovecot configuration file
4) Restart Dovecot by running '/usr/local/cpanel/scripts/restartsrv_dovecot'
So I'm guessing I can use the if statement in the help post above in the same way? Like so:
# SSL ciphers to use
ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
# SSL/TLS protocols to use
[%- IF ssl_protocols.defined %]
ssl_protocols = [% ssl_protocols %]
[%- ELSE %]
ssl_protocols = !SSLv2 !SSLv3
[%- END %]
This flaw exposed several shortcomings in the flexibility our interfaces allow in configuring SSL. In the past, we've mainly received requests to adjust the SSL cipher list to meet PCI compliance requirements. We've addressed those concerns by providing WHM interfaces to configure the cipher list for all SSL enabled services and setting services to use PCI compliant cipher settings by default.
Urgency wise, I'm kinda waiting this one out to see how cPanel addresses it. Anyone using a modern browser really shouldn't be THAT concerned unless you're connecting to a service that only supports sslv3. Id be more worried about email clients than web browsers at this point. Just my two cents.
For Apache:
1) Go to WHM => Service Configuration => Apache Configuration => Include Editor => Pre Main Include.
2) Select a version or All Versions.
3) If you are using CentOS/RHEL 6.x, add the following in the text box that appears:
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
#1 The RPM update limits the ability of an attacker to force a protocol downgrade when the web browser initially connects to the server. It's definitely good to install this update.
Hi,
a little confused here as to the total solution. I'm running redhat centos 6.5 and php 5.4 so what are we doing here:
1. updating centos
2. disabling ssl3
3. enabling tls
4. all the above
That has come up quite a bit today as we were putting together the list of interfaces that changes need to be made in. I'm not certain whether it will get in with the initial fixes, but it's clear that WHM needs one place you can set the preferred defaults for the SSL cipher and protocol lists.
would be very nice to have a single WHM SSL management page which allows controlling SSL protocols, ciphers for all cpanel services Apache, mail etc instead of separate pages to go through
so for
That has come up quite a bit today as we were putting together the list of interfaces that changes need to be made in. I'm not certain whether it will get in with the initial fixes, but it's clear that WHM needs one place you can set the preferred defaults for the SSL cipher and protocol lists.
The cPanel knowledge base has an article now on adjusting SSL ciphers and SSL protocols for each SSL speaking service we configure. This article will be updated with details on the new configuration interfaces for the protocols once we have the new builds out.
http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols
echo "SSL_version=SSLv23:!SSLv2:!SSLv3" > /var/cpanel/conf/cpsrvd/ssl_socket_args
echo "SSL_version=TLSv1" > /var/cpanel/conf/cpdavd/ssl_socket_args
# The Courier imapd/imapd-ssl/pop3d/pop3d-ssl files are full configuration files,
# so append to them (the last definition of a setting wins) instead of overwriting them
echo "TLS_STARTTLS_PROTOCOL=TLSv1" >> /usr/lib/courier/etc/imapd
echo "TLS_PROTOCOL=TLSv1" >> /usr/lib/courier/etc/imapd-ssl
echo "TLS_STARTTLS_PROTOCOL=TLSv1" >> /usr/lib/courier/etc/pop3d
echo "TLS_PROTOCOL=TLSv1" >> /usr/lib/courier/etc/pop3d-ssl
ls -lah /var/cpanel/templates/dovecot*
/var/cpanel/templates/dovecot1.2:
total 52K
drwxr-xr-x 2 root root 4.0K Feb 26 2013 .
drwxr-xr-x 7 root root 4.0K Dec 22 2013 ..
-rw-r--r-- 1 root root 42K Feb 26 2013 main.default
/var/cpanel/templates/dovecot2.2:
total 64K
drwxr-xr-x 2 root root 4.0K Dec 22 2013 .
drwxr-xr-x 7 root root 4.0K Dec 22 2013 ..
-rw-r--r-- 1 root root 50K Dec 22 2013 main.default