SSLv3 Vulnerability : http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

[jdlightsey]

Any chance of a cPanel official update post, ideally with an e.t.a. for the next release which will remove SSL 3.0? Thanks.

I sat down with the head of the team that is doing the updates this morning. He's expecting that the builds will be out tomorrow. All the expected caveats apply though. It's not possible to be 100% accurate when estimating the time for development and QA testing.

 

[myusername]

I sat down with the head of the team that is doing the updates this morning. He's expecting that the builds will be out tomorrow. All the expected caveats apply though. It's not possible to be 100% accurate when estimating the time for development and QA testing.

Howdy-

Do you know if that means we will have to visit new page settings in the WHM UI to apply the fixes, or are these going to be done automagically? There was some talk about a central page for the ciphers and such.

 

[serlex]

Howdy-

Do you know if that means we will have to visit new page settings in the WHM UI to apply the fixes, or are these going to be done automagically? There was some talk about a central page for the ciphers and such.

Hi,

When can we expect an update to openssl package?

Regards,
Serlex

 

[waellol]

i have applied this code
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

i haven't changed any code to my site at all, now all my websites in this server are not working
Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.
More information about this error may be available in the server error log.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 Server at ritsol.net Port 80

i have the following errors on error_log file
[Tue Oct 21 10:48:32 2014] [error] Premature end of script headers: index.php
[Tue Oct 21 10:48:32 2014] [error] File does not exist: /home/Domainname/public_html/support/500.shtml

 

[efheem]

Hello,

I have made the following changes suggested by cPanel and the cPanel proxy URL stopped working with the following error

---------------------------------------------------------------------------

1) Go to WHM => Service Configuration => Apache Configuration => Include Editor => Pre Main Include.
2) Select a version or All Versions.
3) Add the following in the text box that appears:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

4) Press the Update button and rebuild your Apache configuration.

---------------------------------------------------------------------------

[Tue Oct 21 12:29:21 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1)
[Tue Oct 21 12:29:21 2014] [error] [client 1xxx.xxx.xxx.xxx] proxy: Error during SSL Handshake with remote server returned by /
[Tue Oct 21 12:29:21 2014] [error] proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1) from 1xxx.xxx.xxx.xxx ()
[Tue Oct 21 12:29:21 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1)
[Tue Oct 21 12:29:21 2014] [error] [client 1xxx.xxx.xxx.xxx] proxy: Error during SSL Handshake with remote server returned by /500.shtml
[Tue Oct 21 12:29:21 2014] [error] proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1) from 1xxx.xxx.xxx.xxx ()
[Tue Oct 21 12:29:21 2014] [error] an unknown filter was not added: DEFLATE
[Tue Oct 21 12:29:21 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1)
[Tue Oct 21 12:29:21 2014] [error] [client 1xxx.xxx.xxx.xxx] proxy: Error during SSL Handshake with remote server returned by /favicon.ico
[Tue Oct 21 12:29:21 2014] [error] proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1) from 1xxx.xxx.xxx.xxx ()
[Tue Oct 21 12:29:21 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1)
[Tue Oct 21 12:29:21 2014] [error] [client 1xxx.xxx.xxx.xxx] proxy: Error during SSL Handshake with remote server returned by /500.shtml
[Tue Oct 21 12:29:21 2014] [error] proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1) from 1xxx.xxx.xxx.xxx ()

Can someone advise?

Regards,
TuxSage

 

[drp]

Re: Rebuilding Apache after SSLv3 fix

Do I still need to adjust the cipher protocols now I've updated OpenSSL?

https://www.openssl.org/news/secadv_20141015.txt

 

[mathuaerknedam]

I see from the changelogs that 11.44.1.19 and 11.45.999.124 are out with numerous SSL changes, and the update of one of my installations from 11.44.1.18 to 11.44.1.19 is underway (2%). If the timeline on the CPanel Documentation Home is any indication, there aren't yet any docs on how to actually use the changes.

 

[mathuaerknedam]

Oh, and 11.46.09 is out (and includes the SSL changes), and is the new CURRENT.

 

[jdlightsey]

That is correct. The interfaces that allow you to configure SSLCiphers for each subsystem should now have separate textboxes to enter the SSLProtocol string.

We're working on getting the online documentation and the information our support department is sharing updated to match the new functionality.

New builds for the 11.42 and 11.40 LTS releases are still in the works. They likely will not be completed, tested and released until next week.

 

[openaccess]

That is correct. The interfaces that allow you to configure SSLCiphers for each subsystem should now have separate textboxes to enter the SSLProtocol string.

We're working on getting the online documentation and the information our support department is sharing updated to match the new functionality.

New builds for the 11.42 and 11.40 LTS releases are still in the works. They likely will not be completed, tested and released until next week.

Does this mean that if we are on RELEASE 11.44.1.19 (or any of the other latest releases) that we should still wait for an additional patch, or are we required to make the modifications ourselves? Should we open a ticket, or apply settings as suggested by support page mixed with the hints in this thread?
https://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

Although the cPanel team may be working on improving the docs, will you just point us over there when it is considered finished? The docs look okay for now, but the main problem is that it doesn't clearly say "To fix POODLE by disabling SSLv3, use this specific code". Something specific like that would be very helpful instead of having to aggregate the info this thread (and other threads).

The changelog, here: https://documentation.cpanel.net/display/ALD/11.44+Change+Log
says:
Fixed case 125153: Add Support for disabling protocols via SSL_version in 11.44 possible.
Fixed case 125317: Add an option to configure SSL/TLS protocols for Exim.
Fixed case 125369: Fix Courier SSL protocol selection options.
Fixed case 126225: Add SSL protocol configuration for Dovecot.
Implemented case 125289: Update Apache configuration to allow specifying SSL protocols.

 

[JamesOakley]

In 11.44.1.19, on WHM » Service Configuration » Apache Configuration » Global Configuration, the field to set SSLProtocol has the label "SSL/TLS Cipher Suite". Is that a typo? (The expandable help section makes quite clear that this sets SSLProtocol).

 

[myusername]

Yes, it is a typo, but you know what it means.

The Devs are clearly working on how to fix it. Getting a pretty label might come down in RELEASE or STABLE, but I am sure they appreciate your citing of it. If you don't keep on them it might be one of those eternal misnomers like transfer/bandwidth.

Anyways, it works! For web at least. Need to check the other areas.

 

[JamesOakley]

Two questions about 11.44.1.19

1. The ChangeLog says the SSLProtocol setting for Exim is now configurable through WHM. I could find all the other services, but I couldn't find Exim. Where do you set this?

2. I've heard a few people say that the FTP server services don't need their SSL protocols restricting. Why not?

- - - Updated - - -

Yes, it is a typo, but you know what it means.

The Devs are clearly working on how to fix it. Getting a pretty label might come down in RELEASE or STABLE, but I am sure they appreciate your citing of it. If you don't keep on them it might be one of those eternal misnomers like transfer/bandwidth.

Anyways, it works! For web at least. Need to check the other areas.

It works. But, one thing I've found, is that there's a little orange warning icon next to the new setting in Apache. That means "this setting hasn't been applied yet", so although the default is to disable SSLv3, you have to go into the Global Configuration screen, scroll to the bottom, and save. Then click the button to rebuild Apache's configuration and restart Apache. Without that, the new SSLProtocol value has not been added to httpd.conf

 

[eva2000]

is SSLHonorCipherOrder still needed in pre global includes with Apache now having SSLProtocol option in 11.44.1.19 ?

 

[ramorse]

This has got to be one of the most confusing threads I've read in a while. I hope we get some definitive answers from Cpanel.

 

[porcupine]

This has got to be one of the most confusing threads I've read in a while. I hope we get some definitive answers from Cpanel.

Agreed, quite frankly I'm really disappointed in CPanel on this one, they fell behind, far behind here.

A few pages back, somebody quipped "why is it CPanel's responsibility to fix third party software" ... Well, it's their responsibility to fix anything their panel installs. This is commercial product, partner NOC's spend thousands/tens of thousands of dollars a month on this product, on the basis of making servers manageable by people who would not be otherwise capable (either by skill-set, by volume, or both).

As far as I'm concerned, CPanel should drop *everything* when there is an issue like this, it should take absolute priority over everything else.

 

[mathuaerknedam]

I'm pleased to report that simply updating CPanel has removed SSLv3 ciphers from many of the services that previously offered them (465, 2083, 2087, etc). I had already disabled them in Apache when I saw that a CPanel update was forthcoming, but you can see from the linked nmap output that most services no longer support SSLv3. It looks like my Courier config is the only thing that will require a manual tweak.. (And yes, I also should disable the weak ciphers...)

/https://gist.github.com/anonymous/721e2c973aa5c073c0ff

 

[AlHawtin]

I too am disappointed with cPanel. I know enough about security to be dangerous and I also understand how difficult it is with the way that Apache and OpenSSL interact. But there is so much bad information in this thread and in cPanel postings. I too was trying out various configurations and managed to shut out a large number of clients while still scoring A on QualSys. Great to have a PCI site that many customers can't see. And no - it wasn't IE6 browsers only but Android as well.

So please cPanel. If you don't know what you are doing consult with some experts. Get it right, guide us properly and we can get this vulnerability put to rest!

 

[eva2000]

I'm pleased to report that simply updating CPanel has removed SSLv3 ciphers from many of the services that previously offered them (465, 2083, 2087, etc). I had already disabled them in Apache when I saw that a CPanel update was forthcoming, but you can see from the linked nmap output that most services no longer support SSLv3. It looks like my Courier config is the only thing that will require a manual tweak.. (And yes, I also should disable the weak ciphers...)

/https://gist.github.com/anonymous/721e2c973aa5c073c0ff

yup can confirm the same - update cpanel folks !

 

[Infopro]

All,

I've been repeatedly asked to post something about this to my site, so I did:

de-POODLE-ing: How to Disable Support for SSLv3 on a cPanel Server - The cPanel Admin

In the post I have covered how to disable SSLv3 for all services on the system. A couple people from cPanel reviewed it for accuracy and added some things, but if I've missed anything feel free to let me know so I can add it.

I reverted all changes I made in recent days, made sure EasyApache was up to date, and updated cPanel.

Next, I came back to this post by Vanessa and went down her list to compare her suggested (on October 18) changes against where I'm at on my end. These suggested settings are in cPanel, right now.

Dear Vanessa, thank you for all of your contributions to this thread, and this forum.