"Fix" should be used loosely here. They added support for TLS_FALLBACK_SCSV but are not addressing the SSLv3 protocol flaw:
I would also like to see an official response, it seems like it would be so easy to break things if the settings are incorrectly changed.
I am wondering if I get the No secure protocols supported because I do not have any domains on my site with secure sites configured. The only SSL connection is for WHM and Cpanel access. Which I understand the apache fix mentioned here does not correct.
I am sure most of us would at least like to hear "something" from CPanel. Either they are looking into a fix, patch, etc...
Disable the SSL3 protocol in Apache as mentioned already, then run SSL Labs test using your server hostname: name.domain.com
Concerning PhilGlau's post above, can someone at cpanel confirm these steps should be applied to a CentOS 5 server? Will these steps from PhilGlau's post or the steps listed directly below cause IE6 to fail on SSL sites? (Sadly, lots of clients still use IE6...yes i know...)
To protect just apache, this would work? (Would this apply to whm logins on :2087?)
===
That would remove TLS1.0 and TLS1.1 as well. Just add one line to the
pre_main_global.conf file:
SSLProtocol ALL -SSLv2 -SSLv3
and restart Apache.
===
Does cpanel plan to add a patch to add these protections per PhilGlau's post or must we manually add these to every server?
Per https://access.redhat.com/articles/1232123 , Red hat even says under Impact:
Exploiting this vulnerability is not easily accomplished. Man-in-the-middle attacks require large amounts of time and resources. While likelihood is low, Red Hat recommends implementing only TLS to avoid flaws in SSL.
Are there other exploits other than MitM attacks at the moment, which red hat says are fairly difficult to accomplish? Based on red hat's impact, should we wait for cpanel to release a patch to address these issues in apache, dovecoat, cpanel services, etc.? I will obviously update SSL on the system and restart apache to at least apply the current mitigation of the patch. The flaw is listed with a moderate rating on CentOS (redhat) 5 but an important rating for version 6 & 7 since there are other vulnerabilities with versions of SSL that are newer than 0.9.8
I look forward to your thoughts and comments. Thank you.
To protect just apache, this would work? (Would this apply to whm logins on :2087?)
===
That would remove TLS1.0 and TLS1.1 as well. Just add one line to the
pre_main_global.conf file:
SSLProtocol ALL -SSLv2 -SSLv3
and restart Apache.
===
Does cpanel plan to add a patch to add these protections per PhilGlau's post or must we manually add these to every server?
Per https://access.redhat.com/articles/1232123 , Red hat even says under Impact:
Exploiting this vulnerability is not easily accomplished. Man-in-the-middle attacks require large amounts of time and resources. While likelihood is low, Red Hat recommends implementing only TLS to avoid flaws in SSL.
Are there other exploits other than MitM attacks at the moment, which red hat says are fairly difficult to accomplish? Based on red hat's impact, should we wait for cpanel to release a patch to address these issues in apache, dovecoat, cpanel services, etc.? I will obviously update SSL on the system and restart apache to at least apply the current mitigation of the patch. The flaw is listed with a moderate rating on CentOS (redhat) 5 but an important rating for version 6 & 7 since there are other vulnerabilities with versions of SSL that are newer than 0.9.8
I look forward to your thoughts and comments. Thank you.
eva2000
Well-Known Member
updates for CentOS are upon us
CentOS 6.5 64bit
CentOS 7.0 64bit
CentOS 6.5 64bit
Code:
yum clean all -q; yum list updates -q
Updated Packages
openssl.i686 1.0.1e-30.el6_5.2 updates
openssl-devel.i686 1.0.1e-30.el6_5.2 updates
Code:
yum clean all -q; yum list updates -q
Updated Packages
openssl.x86_64 1:1.0.1e-34.el7_0.6 updates
openssl-devel.x86_64 1:1.0.1e-34.el7_0.6 updates
openssl-libs.x86_64 1:1.0.1e-34.el7_0.6 updatesI'm not buying the rumor that firefox doesn't use TLS on ports that aren't 443.
While disabling the sslv3 ciphers on WHMs end seems to break things, when I connect to WHM and view the connection security information in firefox, it reports that TLS is in use.
Urgency wise, I'm kinda waiting this one out to see how cPanel addresses it. Anyone using a modern browser really shouldn't be THAT concerned unless you're connecting to a service that only supports sslv3. Id be more worried about email clients than web browsers at this point. Just my two cents.
While disabling the sslv3 ciphers on WHMs end seems to break things, when I connect to WHM and view the connection security information in firefox, it reports that TLS is in use.
Urgency wise, I'm kinda waiting this one out to see how cPanel addresses it. Anyone using a modern browser really shouldn't be THAT concerned unless you're connecting to a service that only supports sslv3. Id be more worried about email clients than web browsers at this point. Just my two cents.
eva2000
Well-Known Member
Hi,
alittle confused here as to the total solution. Im running redhat centos 6.5 and php 5.4 so what are we doing here:
1. updating centos
2. disabling ssl3
3. enabling tls
4. all the above
thanks
regarding the instructions someone shared back on post 47:
i dont have this file or dir. all i have is dovecot and dict.sqlite inside of it
alittle confused here as to the total solution. Im running redhat centos 6.5 and php 5.4 so what are we doing here:
1. updating centos
2. disabling ssl3
3. enabling tls
4. all the above
thanks
regarding the instructions someone shared back on post 47:
i dont have this file or dir. all i have is dovecot and dict.sqlite inside of it
however inside of etc dovecot config i did find this section on line 90
so im guessing i can use the if statement in the help post above in the same way ? like so
Last edited:
This flaw exposed several shortcomings in the flexibility our interfaces allow in configuring SSL. In the past, we've mainly received requests to adjust the SSL cipher list to meet PCI compliance requirements. We've addressed those concerns by providing WHM interfaces to configure the cipher list for all SSL enabled services and setting services to use PCI compliant cipher settings by default.
The POODLE attack is focused on the way the SSLv3 protocol uses certain ciphers, rather than the ciphers themselves. The correct fix is to change the SSL protocol settings rather than the SSL cipher setting. Since this hasn't been requested in the past, we need to update the various WHM interfaces that allow specifying the SSL cipher list to also allow specifying the SSL protocol list.
As the response from tech support indicates, you can manually force a different protocol list into every service provided by cPanel & WHM. I wouldn't recommend going this route unless you must reconfigure your services immediately (PCI compliance, for instance.) The POODLE attack is very real, but since it's a man in the middle attack like Crime, Beast and SSLStrip, it's unlikely to be widespread in the way HeartBleed and ShellShock were. The threat from POODLE is quite similar to the earlier man in the middle attacks against SSL. The threat of a POODLE attack is also vastly lower than the threat caused by sending data over plaintext connections.
The development team is working on changes to all supported cPanel & WHM releases to make the SSL protocol list default to secure settings and to make reconfiguration of the protocol list possible using the WHM interfaces. If you do reconfigure services manually as the tech support response indicates, you'll want to undo the changes once our fixes are available. Failing to remove these types of customizations when they are no longer needed increases the likelihood that the server will miss updates in the future. Many of the workaround available for existing builds override cPanel & WHM's ability to update the configuration files.
I'm working with our documentation team to get full details about how the cipher list and protocol list can be configured for all the services managed by cPanel & WHM into our documentation site. The documentation will be updated to once the new builds are available. I'll add a link to this threat once the documentation is online.
Unless you have an immediate requirement to update the protocol list though, I'd recommend waiting for the new cPanel & WHM builds that will default to secure SSL protocol settings.
you can also check your certs here for other validation.
geotrust and Rapidssl: https://ssltools.geotrust.com/checker/views/certCheck.jsp
Symantec: https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
i ended up just doing this part of the instructions on this page, the rest of it i am going to wait also to see what cpanel sais we should do.
geotrust and Rapidssl: https://ssltools.geotrust.com/checker/views/certCheck.jsp
Symantec: https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp
i ended up just doing this part of the instructions on this page, the rest of it i am going to wait also to see what cpanel sais we should do.
#1 The RPM update limits the ability of an attacker to force a protocol downgrade when the web browser initially connects to the server. It's definitely good to install this update.
#2-4, The protocol setting should be one that enables all protocols and disables the SSLv2 and SSLv3 protocols. Although POODLE targets SSLv3, SSLv2 is also considered to be a poor choice.
The specific protocol setting is dependent on the service you're reconfiguring. Services are fairly consistent in the way the cipher list is specified, but this isn't the case with the protocol list. The settings support recommends have been checked to verify they function correctly in each service.
If your system doesn't have /var/cpanel/templates/dovecot2.2/main.default, you're likely on an older build that still uses Dovecot 1.2. The main.default template would be in a different directory in that case. If you open a ticket with our support department, they can help you make the changes.
eva2000
Well-Known Member
would be nice to have a single WHM SSL management page which allows controlling SSL protocols, ciphers for all cpanel services Apache, mail etc instead of separate pages to go through 
That has come up quite a bit today as we were putting together the list of interfaces that changes need to be made in. I'm not certain whether it will get in with the initial fixes, but it's clear that WHM needs one place you can set the preferred defaults for the SSL cipher and protocol lists.would be nice to have a single WHM SSL management page which allows controlling SSL protocols, ciphers for all cpanel services Apache, mail etc instead of separate pages to go through
The cPanel knowledge base has an article now on adjusting SSL ciphers and SSL protocols for each SSL speaking service we configure. This article will be updated with details on the new configuration interfaces for the protocols once we have the new builds out.
http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols
ticket submitted earlier today.. #5586713 i will keep you all posted.
@jd 500 error on your link
@jd 500 error on your link
eva2000
Well-Known Member
so for
/var/cpanel/conf/cpsrvd/ssl_socket_args
/var/cpanel/conf/cpdavd/ssl_socket_args
/usr/lib/courier/etc/imapd
/usr/lib/courier/etc/imapd-ssl
/usr/lib/courier/etc/pop3d
/usr/lib/courier/etc/pop3d-ssl
if they do not exist create them ?
Code:
echo "SSL_version=SSLv23:!SSLv2:!SSLv3" > /var/cpanel/conf/cpsrvd/ssl_socket_args
echo "SSL_version=TLSv1" > /var/cpanel/conf/cpdavd/ssl_socket_args
echo "TLS_STARTTLS_PROTOCOL=TLSv1" > /usr/lib/courier/etc/imapd
echo "TLS_PROTOCOL=TLSv1" > /usr/lib/courier/etc/imapd-ssl
echo "TLS_STARTTLS_PROTOCOL=TLSv1" > /usr/lib/courier/etc/pop3d
echo "TLS_PROTOCOL=TLSv1" > /usr/lib/courier/etc/pop3d-ssl
Code:
ls -lah /var/cpanel/templates/dovecot*
/var/cpanel/templates/dovecot1.2:
total 52K
drwxr-xr-x 2 root root 4.0K Feb 26 2013 .
drwxr-xr-x 7 root root 4.0K Dec 22 2013 ..
-rw-r--r-- 1 root root 42K Feb 26 2013 main.default
/var/cpanel/templates/dovecot2.2:
total 64K
drwxr-xr-x 2 root root 4.0K Dec 22 2013 .
drwxr-xr-x 7 root root 4.0K Dec 22 2013 ..
-rw-r--r-- 1 root root 50K Dec 22 2013 main.default| Thread starter | Similar threads | Forum | Replies | Date |
|---|---|---|---|---|
| J | Apache vulnerability in 2.4.49 | Security | 46 | |
| H | Vulnerability | Security | 3 | |
| S | Disable SSLv3 PureFTPd | Security | 1 | |
|
CURL Error: sslv3 alert handshake failure | Security | 5 | |
| V | SSL Problem - sslv3 alert handshake failure | Security | 4 |