SSLv3 Vulnerability : http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

[WhiteDog]

*** I would advice anyone who reads this not to blindly apply configuration changes on their servers ***

My server is on CentOS 5.11 and has OpenSSL 0.9.8e.
If I apply the changes put out by cPanel for Apache:

SSLHonorCipherOrder On
SSLProtocol All -SSLv2 -SSLv3

Then sure, browsers are now always connecting using TLS and I get a pretty score on the sslabs test.

However, 2 major issues arose:
1. PayPal IPN pings towards my server are no longer comming through. It appears PayPal is unable to do a correct handshake with my server after this change. I don't blame them, It's most likely due to the OpenSSL version in CentOS 5.
2. A simple wget using https to my server now fails. Try this:

[email protected] [~]# wget -O /dev/null https://domain.com
--2014-10-18 12:41:52--  https://domain.com
Resolving domain.com... 1.2.3.4
Connecting to domain.com|1.2.3.4|:443... connected.
[B]Unable to establish SSL connection.[/B]

Some better instructions for CentOS 5.X that also cover the above situations would be greatly appreciated...

 

[jdlightsey]

CentOS 5 is limited to SSLv2, SSLv3 and TLSv1.0 as the available protocol list. You could try the other combinations RedHat is recommending, but they should all have the same effect of limiting CentOS 5 systems to the TLSv1.0 protocol.

https://access.redhat.com/solutions/1232413

Support for TLSv1 on the browser side is fairly good. The main outlier is IE6 where TLSv1 is supported but disabled by default, but IE6 is pretty rare now.

For wget and paypal, you may have the cipher string on your server limited in ways that make it impossible for these clients to negotiate a connection. The protocol and ciphers have to work together. Some of the very early recommendations that were passed around focused on the cipher list rather than the protocol list, but the TLSv1 protocol uses a nearly identical list of ciphers as SSLv3. Disabling all of the ciphers SSLv3 uses in the cipher list makes it very difficult for clients to connect to TLSv1.

It's difficult to give more specific suggestions without examining your system. cPanel's support department has been working with many customers to sort out the specific settings that will work best in their environment. I'd definitely suggest opening a ticket.

One truism to keep in mind about securing software and systems is that users will work around any roadblocks that are placed in front of them. You don't want to put roadblocks in place that encourage users to take even less secure paths to accomplish their goals. For instance, if the end result of disabling SSLv3 in IMAP is that your users switch to plaintext connections, your system and users have become less secure in the process.

 

[jdlightsey]

so for

/var/cpanel/conf/cpsrvd/ssl_socket_args
/var/cpanel/conf/cpdavd/ssl_socket_args
/usr/lib/courier/etc/imapd
/usr/lib/courier/etc/imapd-ssl
/usr/lib/courier/etc/pop3d
/usr/lib/courier/etc/pop3d-ssl

if they do not exist create them ?

for dovecot i have 2 versions ?

You'll only have one daemon serving IMAP and POP3 connections. There are three different variations common on cPanel & WHM systems. Courier, Dovecot 1.2 and Dovecot 2.2.

You can tell which mail server your system is configured to use with this command:

rpm -qa | grep -E -i "(dovecot|courier-imap)"

For instance, if it says:

dovecot-2.2.13-1.cp1140.i386

You know the system is using Dovecot version 2.2.13, and you'll follow the steps for Dovecot 2.2.

The steps to configure the SSL protocols for IMAP services will be more or less identical once the new builds are tested and available.

 

[eva2000]

You'll only have one daemon serving IMAP and POP3 connections. There are three different variations common on cPanel & WHM systems. Courier, Dovecot 1.2 and Dovecot 2.2.

You can tell which mail server your system is configured to use with this command:

rpm -qa | grep -E -i "(dovecot|courier-imap)"

For instance, if it says:

dovecot-2.2.13-1.cp1140.i386

You know the system is using Dovecot version 2.2.13, and you'll follow the steps for Dovecot 2.2.

The steps to configure the SSL protocols for IMAP services will be more or less identical once the new builds are tested and available.

thanks for the clarification looks like dovecot 2.2

rpm -qa | grep -E -i "(dovecot|courier-imap)"
dovecot-2.2.13-1.cp1140

 

[myusername]

One truism to keep in mind about securing software and systems is that users will work around any roadblocks that are placed in front of them. You don't want to put roadblocks in place that encourage users to take even less secure paths to accomplish their goals. For instance, if the end result of disabling SSLv3 in IMAP is that your users switch to plaintext connections, your system and users have become less secure in the process.

This is a legendary quote. Lets not forget the goal here people. Lets do it right, but we're going to need cPanel's help here to make all the supported systems 'fixed.' Oh, and I hope you guys are in talks with Cloud Linux too, they definitely need to be in the loop. I love how these things come up at hosting conventions or cP conferences.

One thing I noticed was that opening a ticket was encouraged. In our case, I have asked our techs to not open tickets to lessen the load on cPanel techs, until we have an official patch or announcement, from cPanel, for this particular incident. The other reasons I asked our guys to do that was to 'not break' current systems, to avoid 'unpatching' and also have the ability to blame someone

Our critical users are already 'patched' but we're still waiting for word of what to do for our shared servers. i guess there is not a big demand to man in the middle a $5 shared account.

 

[keithl]

Hi,

alittle confused here as to the total solution. Im running redhat centos 6.5 and php 5.4 so what are we doing here:

Well in my case we've got two cPanel servers, one running 5.11 and the other using 6.5. In our case I've done the following changes and haven't seen any negative impact.

Within Apache Configuration > Include Editor > Pre Main Include > All Versions

I added :

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on

then within Apache Configuration > Global Configuration > SSL Cipher Suite

and changed the entry to :

ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL

The upshot of those two changes on both installations is to disable SSL v2 and v3 entirely.

On the 6.5 install, when I checked the result on ssllabs.com it flagged the fact that some of the cipher entries in TLS 1.2 include anonymous authentication. I suspect that was previously the case since I hadn't checked before, but decided to fix it at the same time. While the 5.11 installation doesn't support TLS 1.1 or 1.2, and therefore doesn't have that same issue, making the same changes on 5.11 works fine as I believe cPanel/Apache simply ignores the entries it doesn't support. But at least this means that if cPanel decide to finally deploy a newer build of OpenSSL to v5 installations, and with it support for TLS 1.1 and 1.2 then the settings will already be in place for it.

 

[durangod]

The reason i have not reported back on my ticket is because it turned out to be something they had to do themselves. So although they presented me with some instructions which i believe are already in the documentation my solution i dont think could be used by the masses. Seems my server gave them a bit of a fit, but i will tell you i have yet to deal with a tech that has been less than professional and very knowledgeable, i think they are awesome.

 

[vanessa]

All,

I've been repeatedly asked to post something about this to my site, so I did:

de-POODLE-ing: How to Disable Support for SSLv3 on a cPanel Server - The cPanel Admin

In the post I have covered how to disable SSLv3 for all services on the system. A couple people from cPanel reviewed it for accuracy and added some things, but if I've missed anything feel free to let me know so I can add it.

 

[kunnusingh]

Urgent: SSLv3 Disabled but Java Give Mismatch Error

We disabled SSLv3 on our server by using this code in pre_main_global but this code broke "Java 6u45" and show error "Protocol or cipher suite mismatch"

We use this code:
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 -SSLv2 -SSLv3

Please advice because we use Java.

 

[kernow]

Unless you have an immediate requirement to update the protocol list though, I'd recommend waiting for the new cPanel & WHM builds that will default to secure SSL protocol settings.

So nothing to do except sit back and wait? OK that's OK with me.

 

[JamesOakley]

All,

I've been repeatedly asked to post something about this to my site, so I did:

de-POODLE-ing: How to Disable Support for SSLv3 on a cPanel Server - The cPanel Admin

In the post I have covered how to disable SSLv3 for all services on the system. A couple people from cPanel reviewed it for accuracy and added some things, but if I've missed anything feel free to let me know so I can add it.

As has been said a few times in this thread, if people changes the Cipher lists to the settings you recommend, they'll also disabled TLS1.0 and TLS1.1 as well - which knocks out many, many browsers.

 

[kunnusingh]

Why both -SSLv2 -SSLv3 is not working and work only when I use -SSLv3 or -SSLv2

(Can't disable both at same time)

 

[eva2000]

reason why -SSLv3 doesn't work at cipher level is because OpenSSL tags TLSv1 as SSLv3 ciphers https://community.centminmod.com/threads/poodle-attacks-on-sslv3-vulnerability.1651/page-3#post-8189. So if you try to disable SSLv3 at cipher level, you end up disabling TLSv1 too.

Hence SSLv3 needs to be disabled at SSL protocol level only

list of TLSv1 ciphers

openssl ciphers -v 'TLSv1' | sort
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
ADH-CAMELLIA128-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(128) Mac=SHA1
ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
ADH-SEED-SHA            SSLv3 Kx=DH       Au=None Enc=SEED(128) Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
AECDH-NULL-SHA          SSLv3 Kx=ECDH     Au=None Enc=None      Mac=SHA1
AECDH-RC4-SHA           SSLv3 Kx=ECDH     Au=None Enc=RC4(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
CAMELLIA128-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(128) Mac=SHA1
CAMELLIA256-SHA         SSLv3 Kx=RSA      Au=RSA  Enc=Camellia(256) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DH-DSS-AES128-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(128)  Mac=SHA1
DH-DSS-AES256-SHA       SSLv3 Kx=DH/DSS   Au=DH   Enc=AES(256)  Mac=SHA1
DH-DSS-CAMELLIA128-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(128) Mac=SHA1
DH-DSS-CAMELLIA256-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=Camellia(256) Mac=SHA1
DH-DSS-DES-CBC3-SHA     SSLv3 Kx=DH/DSS   Au=DH   Enc=3DES(168) Mac=SHA1
DH-DSS-DES-CBC-SHA      SSLv3 Kx=DH/DSS   Au=DH   Enc=DES(56)   Mac=SHA1
DH-DSS-SEED-SHA         SSLv3 Kx=DH/DSS   Au=DH   Enc=SEED(128) Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH       Au=DSS  Enc=Camellia(256) Mac=SHA1
DHE-DSS-RC4-SHA         SSLv3 Kx=DH       Au=DSS  Enc=RC4(128)  Mac=SHA1
DHE-DSS-SEED-SHA        SSLv3 Kx=DH       Au=DSS  Enc=SEED(128) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DH-RSA-AES128-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(128)  Mac=SHA1
DH-RSA-AES256-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA1
DH-RSA-CAMELLIA128-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(128) Mac=SHA1
DH-RSA-CAMELLIA256-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=Camellia(256) Mac=SHA1
DH-RSA-DES-CBC3-SHA     SSLv3 Kx=DH/RSA   Au=DH   Enc=3DES(168) Mac=SHA1
DH-RSA-DES-CBC-SHA      SSLv3 Kx=DH/RSA   Au=DH   Enc=DES(56)   Mac=SHA1
DH-RSA-SEED-SHA         SSLv3 Kx=DH/RSA   Au=DH   Enc=SEED(128) Mac=SHA1
ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-NULL-SHA     SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=None      Mac=SHA1
ECDH-ECDSA-RC4-SHA      SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-NULL-SHA    SSLv3 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA Enc=RC4(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-RSA-NULL-SHA      SSLv3 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
ECDHE-RSA-RC4-SHA       SSLv3 Kx=ECDH     Au=RSA  Enc=RC4(128)  Mac=SHA1
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-RSA-NULL-SHA       SSLv3 Kx=ECDH/RSA Au=ECDH Enc=None      Mac=SHA1
ECDH-RSA-RC4-SHA        SSLv3 Kx=ECDH/RSA Au=ECDH Enc=RC4(128)  Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EXP1024-DES-CBC-SHA     SSLv3 Kx=RSA(1024) Au=RSA  Enc=DES(56)   Mac=SHA1 export
EXP1024-DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH(1024) Au=DSS  Enc=DES(56)   Mac=SHA1 export
EXP1024-DHE-DSS-RC4-SHA SSLv3 Kx=DH(1024) Au=DSS  Enc=RC4(56)   Mac=SHA1 export
EXP1024-RC4-SHA         SSLv3 Kx=RSA(1024) Au=RSA  Enc=RC4(56)   Mac=SHA1 export
EXP-ADH-DES-CBC-SHA     SSLv3 Kx=DH(512)  Au=None Enc=DES(40)   Mac=SHA1 export
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-DH-DSS-DES-CBC-SHA  SSLv3 Kx=DH/DSS   Au=DH   Enc=DES(40)   Mac=SHA1 export
EXP-DH-RSA-DES-CBC-SHA  SSLv3 Kx=DH/RSA   Au=DH   Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
PSK-RC4-SHA             SSLv3 Kx=PSK      Au=PSK  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
SRP-3DES-EDE-CBC-SHA    SSLv3 Kx=SRP      Au=SRP  Enc=3DES(168) Mac=SHA1
SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
SRP-DSS-3DES-EDE-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=3DES(168) Mac=SHA1
SRP-DSS-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(128)  Mac=SHA1
SRP-DSS-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=DSS  Enc=AES(256)  Mac=SHA1
SRP-RSA-3DES-EDE-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=3DES(168) Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1

 

[deka]

I added :

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on

I am also using the same cipher suite taken from here:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

If you read the whole page, the recommendation is to remove RC4 a long with some other great tips. The above read is a excellant resource, proof read by a cryptographer listed in the credits.

 

[jack01]

Any chance of a cPanel official update post, ideally with an e.t.a. for the next release which will remove SSL 3.0? Thanks.

 

[vanessa]

Any chance of a cPanel official update post, ideally with an e.t.a. for the next release which will remove SSL 3.0? Thanks.

Why is it cPanel's responsibility to do this for any service other than cPanel/WHM itself? There are numerous instructions here on how to disable SSLv3 across the board.

 

[JamesOakley]

Why is it cPanel's responsibility to do this for any service other than cPanel/WHM itself? There are numerous instructions here on how to disable SSLv3 across the board.

Because most of the instructions on here are plain wrong, advising disabling sslv3 at the cipher level instead of at the protocol level. Cpanel gives a complete interface to set all the most commonly needed settings for these services, but the sslprotocol setting is not currently exposed.

 

[vanessa]

Because most of the instructions on here are plain wrong, advising disabling sslv3 at the cipher level instead of at the protocol level. Cpanel gives a complete interface to set all the most commonly needed settings for these services, but the sslprotocol setting is not currently exposed.

Check the link I posted previously. Some involve editing the cipher line because the specific services in question, which are third-party to cPanel, don't have protocol-level definitions. That is not something cPanel has control over. The instructions I posted are correct and verified by cPanel staff.

 

[jack01]

Any chance of a cPanel official update post, ideally with an e.t.a. for the next release which will remove SSL 3.0? Thanks.

Why is it cPanel's responsibility to do this for any service other than cPanel/WHM itself? There are numerous instructions here on how to disable SSLv3 across the board.

I asked basically because:

As the response from tech support indicates, you can manually force a different protocol list into every service provided by cPanel & WHM. I wouldn't recommend going this route unless you must reconfigure your services immediately (PCI compliance, for instance.) The POODLE attack is very real, but since it's a man in the middle attack like Crime, Beast and SSLStrip, it's unlikely to be widespread in the way HeartBleed and ShellShock were. The threat from POODLE is quite similar to the earlier man in the middle attacks against SSL. The threat of a POODLE attack is also vastly lower than the threat caused by sending data over plaintext connections.

The development team is working on changes to all supported cPanel & WHM releases to make the SSL protocol list default to secure settings and to make reconfiguration of the protocol list possible using the WHM interfaces. If you do reconfigure services manually as the tech support response indicates, you'll want to undo the changes once our fixes are available. Failing to remove these types of customizations when they are no longer needed increases the likelihood that the server will miss updates in the future. Many of the workaround available for existing builds override cPanel & WHM's ability to update the configuration files.

I'm working with our documentation team to get full details about how the cipher list and protocol list can be configured for all the services managed by cPanel & WHM into our documentation site. The documentation will be updated to once the new builds are available. I'll add a link to this threat once the documentation is online.

Unless you have an immediate requirement to update the protocol list though, I'd recommend waiting for the new cPanel & WHM builds that will default to secure SSL protocol settings.

So what is the harm in trying to find out the likely timescale for this? Chill.

 

[JamesOakley]

Check the link I posted previously. Some involve editing the cipher line because the specific services in question, which are third-party to cPanel, don't have protocol-level definitions. That is not something cPanel has control over. The instructions I posted are correct and verified by cPanel staff.

I agree entirely that if cPanel uses a third party service, and that service does not provide a way to configure the SSLProtocol, then cPanel cannot expose a setting that does not exist. (Unless, of course, they wish to compile these third party services themselves, building in that extra setting - for the last few releases, all those third party services have come through cPanel's own RPM mechanism for exactly this reason).

However, just because the SSLProtocol cannot be set, that doesn't then mean that changing the Cipher Suite becomes the correct answer. Because TLS1.0 and TLS1.1 are seen as using SSLv3 ciphers (without themselves being vulnerable to the poodle - they are TLS, after all), they would all be blocked. Anyone who restricted SSLv3 at the cipher level would find many more browsers shut out than just IE6 on Windows XP.

Just taking the relatively small list of browser tested by SSLLabs, the following would all be unnecessarily blocked from connecting to a site if the SSLv3 cipher was removed. There are, of course, many more. (I'm already seeing people saying that they're having trouble connecting to remote services from a JVM client, and I suspect it's because they've blocked too much).

(Of course, it may be that someone regards the risks of this so highly that they'd rather shut out all these clients than take the security risk, but that's a decision that only the server administrator can take - they need to be aware of the price before they go down this route).

• Android 2.3.7 No SNI 2 TLS 1.0
• Android 4.0.4 TLS 1.0
• Android 4.1.1 TLS 1.0
• Android 4.2.2 TLS 1.0
• Android 4.3 TLS 1.0
• BingBot Dec 2013 No SNI 2 TLS 1.0
• BingPreview Jun 2014 TLS 1.0
• Firefox 24.2.0 ESR / Win 7 TLS 1.0
• Googlebot Jun 2014 TLS 1.0
• IE 7 / Vista TLS 1.0
• IE 8 / XP No FS 1 No SNI 2 TLS 1.0
• IE 8-10 / Win 7 R TLS 1.0
• IE Mobile 10 / Win Phone 8.0 TLS 1.0
• Java 6u45 No SNI 2 TLS 1.0
• Java 7u25 TLS 1.0
• OpenSSL 0.9.8y TLS 1.0
• Safari 5.1.9 / OS X 10.6.8 TLS 1.0
• Safari 6.0.4 / OS X 10.8.4 R TLS 1.0

I've no intention of making this personal, Vanessa, since the same advice (block SSLv3 from the cipher list) is being given by many, many people. But I think people here would rather have a member of the cPanel team who are looking into POODLE come into this thread and confirm something as the right method, than have a general claim that "cPanel staff have looked into it and confirmed it's right".

Is there any chance you could contact those members of the cPanel staff and invite them to add their own comment to this thread? Would you mind letting us know who, at cPanel, has verified this to be the correct method? Again - I only ask because the advice is being given so frequently, and yet seems to be the wrong approach, not because I have an issue with you personally - you, like I, are trying to help.