SSLv3 Vulnerability : http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

jdlightsey

Perl Developer III
Staff member
Mar 6, 2007
126
2
243
Houston Texas
cPanel Access Level
Root Administrator
Any chance of a cPanel official update post, ideally with an e.t.a. for the next release which will remove SSL 3.0? Thanks.
I sat down with the head of the team that is doing the updates this morning. He's expecting that the builds will be out tomorrow. All the expected caveats apply though. It's not possible to be 100% accurate when estimating the time for development and QA testing.
 

myusername

Well-Known Member
PartnerNOC
Mar 6, 2003
693
1
168
chown -R us.*yourbase*
cPanel Access Level
DataCenter Provider
Twitter
I sat down with the head of the team that is doing the updates this morning. He's expecting that the builds will be out tomorrow. All the expected caveats apply though. It's not possible to be 100% accurate when estimating the time for development and QA testing.
Howdy-

Do you know if that means we will have to visit new page settings in the WHM UI to apply the fixes, or are these going to be done automagically? There was some talk about a central page for the ciphers and such.
 

serlex

Well-Known Member
Oct 20, 2009
57
0
56
Howdy-

Do you know if that means we will have to visit new page settings in the WHM UI to apply the fixes, or are these going to be done automagically? There was some talk about a central page for the ciphers and such.
Hi,

When can we expect an update to openssl package?

Regards,
Serlex
 

waellol

Registered
Sep 11, 2014
1
0
1
cPanel Access Level
Root Administrator
i have applied this code
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

i haven't changed any code to my site at all, now all my websites in this server are not working
Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.
More information about this error may be available in the server error log.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4 Server at ritsol.net Port 80

i have the following errors on error_log file
[Tue Oct 21 10:48:32 2014] [error] Premature end of script headers: index.php
[Tue Oct 21 10:48:32 2014] [error] File does not exist: /home/Domainname/public_html/support/500.shtml
 

efheem

Member
Jun 2, 2014
5
0
1
cPanel Access Level
Root Administrator
Hello,

I have made the following changes suggested by cPanel and the cPanel proxy URL stopped working with the following error

---------------------------------------------------------------------------
Code:
1) Go to WHM => Service Configuration => Apache Configuration => Include Editor => Pre Main Include.
2) Select a version or All Versions.
3) Add the following in the text box that appears:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

4) Press the Update button and rebuild your Apache configuration.
---------------------------------------------------------------------------

Code:
[Tue Oct 21 12:29:21 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1)
[Tue Oct 21 12:29:21 2014] [error] [client 1xxx.xxx.xxx.xxx] proxy: Error during SSL Handshake with remote server returned by /
[Tue Oct 21 12:29:21 2014] [error] proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1) from 1xxx.xxx.xxx.xxx ()
[Tue Oct 21 12:29:21 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1)
[Tue Oct 21 12:29:21 2014] [error] [client 1xxx.xxx.xxx.xxx] proxy: Error during SSL Handshake with remote server returned by /500.shtml
[Tue Oct 21 12:29:21 2014] [error] proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1) from 1xxx.xxx.xxx.xxx ()
[Tue Oct 21 12:29:21 2014] [error] an unknown filter was not added: DEFLATE
[Tue Oct 21 12:29:21 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1)
[Tue Oct 21 12:29:21 2014] [error] [client 1xxx.xxx.xxx.xxx] proxy: Error during SSL Handshake with remote server returned by /favicon.ico
[Tue Oct 21 12:29:21 2014] [error] proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1) from 1xxx.xxx.xxx.xxx ()
[Tue Oct 21 12:29:21 2014] [error] (502)Unknown error 502: proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1)
[Tue Oct 21 12:29:21 2014] [error] [client 1xxx.xxx.xxx.xxx] proxy: Error during SSL Handshake with remote server returned by /500.shtml
[Tue Oct 21 12:29:21 2014] [error] proxy: pass request body failed to 127.0.0.1:2083 (127.0.0.1) from 1xxx.xxx.xxx.xxx ()

Can someone advise?

Regards,
TuxSage
 
Oct 12, 2009
22
2
53
I see from the changelogs that 11.44.1.19 and 11.45.999.124 are out with numerous SSL changes, and the update of one of my installations from 11.44.1.18 to 11.44.1.19 is underway (2%). If the timeline on the CPanel Documentation Home is any indication, there aren't yet any docs on how to actually use the changes.
 

jdlightsey

Perl Developer III
Staff member
Mar 6, 2007
126
2
243
Houston Texas
cPanel Access Level
Root Administrator
That is correct. The interfaces that allow you to configure SSLCiphers for each subsystem should now have separate textboxes to enter the SSLProtocol string.

We're working on getting the online documentation and the information our support department is sharing updated to match the new functionality.

New builds for the 11.42 and 11.40 LTS releases are still in the works. They likely will not be completed, tested and released until next week.
 

openaccess

Active Member
Jan 22, 2006
32
0
156
That is correct. The interfaces that allow you to configure SSLCiphers for each subsystem should now have separate textboxes to enter the SSLProtocol string.

We're working on getting the online documentation and the information our support department is sharing updated to match the new functionality.

New builds for the 11.42 and 11.40 LTS releases are still in the works. They likely will not be completed, tested and released until next week.
Does this mean that if we are on RELEASE 11.44.1.19 (or any of the other latest releases) that we should still wait for an additional patch, or are we required to make the modifications ourselves? Should we open a ticket, or apply settings as suggested by support page mixed with the hints in this thread?
https://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

Although the cPanel team may be working on improving the docs, will you just point us over there when it is considered finished? The docs look okay for now, but the main problem is that it doesn't clearly say "To fix POODLE by disabling SSLv3, use this specific code". Something specific like that would be very helpful instead of having to aggregate the info this thread (and other threads).

The changelog, here: https://documentation.cpanel.net/display/ALD/11.44+Change+Log
says:
Fixed case 125153: Add Support for disabling protocols via SSL_version in 11.44 possible.
Fixed case 125317: Add an option to configure SSL/TLS protocols for Exim.
Fixed case 125369: Fix Courier SSL protocol selection options.
Fixed case 126225: Add SSL protocol configuration for Dovecot.
Implemented case 125289: Update Apache configuration to allow specifying SSL protocols.
 

JamesOakley

Well-Known Member
Apr 15, 2011
83
2
58
cPanel Access Level
Root Administrator
In 11.44.1.19, on WHM » Service Configuration » Apache Configuration » Global Configuration, the field to set SSLProtocol has the label "SSL/TLS Cipher Suite". Is that a typo? (The expandable help section makes quite clear that this sets SSLProtocol).
 

myusername

Well-Known Member
PartnerNOC
Mar 6, 2003
693
1
168
chown -R us.*yourbase*
cPanel Access Level
DataCenter Provider
Twitter
Yes, it is a typo, but you know what it means.

The Devs are clearly working on how to fix it. Getting a pretty label might come down in RELEASE or STABLE, but I am sure they appreciate your citing of it. If you don't keep on them it might be one of those eternal misnomers like transfer/bandwidth.

Anyways, it works! For web at least. Need to check the other areas.
 

JamesOakley

Well-Known Member
Apr 15, 2011
83
2
58
cPanel Access Level
Root Administrator
Two questions about 11.44.1.19

1. The ChangeLog says the SSLProtocol setting for Exim is now configurable through WHM. I could find all the other services, but I couldn't find Exim. Where do you set this?

2. I've heard a few people say that the FTP server services don't need their SSL protocols restricting. Why not?

- - - Updated - - -

Yes, it is a typo, but you know what it means.

The Devs are clearly working on how to fix it. Getting a pretty label might come down in RELEASE or STABLE, but I am sure they appreciate your citing of it. If you don't keep on them it might be one of those eternal misnomers like transfer/bandwidth.

Anyways, it works! For web at least. Need to check the other areas.
It works. But, one thing I've found, is that there's a little orange warning icon next to the new setting in Apache. That means "this setting hasn't been applied yet", so although the default is to disable SSLv3, you have to go into the Global Configuration screen, scroll to the bottom, and save. Then click the button to rebuild Apache's configuration and restart Apache. Without that, the new SSLProtocol value has not been added to httpd.conf
 

porcupine

Well-Known Member
PartnerNOC
Apr 18, 2002
74
0
306
Toronto, Ontario
cPanel Access Level
DataCenter Provider
This has got to be one of the most confusing threads I've read in a while. I hope we get some definitive answers from Cpanel.
Agreed, quite frankly I'm really disappointed in CPanel on this one, they fell behind, far behind here.

A few pages back, somebody quipped "why is it CPanel's responsibility to fix third party software" ... Well, it's their responsibility to fix anything their panel installs. This is commercial product, partner NOC's spend thousands/tens of thousands of dollars a month on this product, on the basis of making servers manageable by people who would not be otherwise capable (either by skill-set, by volume, or both).

As far as I'm concerned, CPanel should drop *everything* when there is an issue like this, it should take absolute priority over everything else.
 
Oct 12, 2009
22
2
53
I'm pleased to report that simply updating CPanel has removed SSLv3 ciphers from many of the services that previously offered them (465, 2083, 2087, etc). I had already disabled them in Apache when I saw that a CPanel update was forthcoming, but you can see from the linked nmap output that most services no longer support SSLv3. It looks like my Courier config is the only thing that will require a manual tweak.. (And yes, I also should disable the weak ciphers...)

/https://gist.github.com/anonymous/721e2c973aa5c073c0ff
 

AlHawtin

Registered
Oct 23, 2014
2
0
1
cPanel Access Level
Reseller Owner
I too am disappointed with cPanel. I know enough about security to be dangerous and I also understand how difficult it is with the way that Apache and OpenSSL interact. But there is so much bad information in this thread and in cPanel postings. I too was trying out various configurations and managed to shut out a large number of clients while still scoring A on QualSys. Great to have a PCI site that many customers can't see. And no - it wasn't IE6 browsers only but Android as well.

So please cPanel. If you don't know what you are doing consult with some experts. Get it right, guide us properly and we can get this vulnerability put to rest!
 

eva2000

Well-Known Member
Aug 14, 2001
346
19
318
Brisbane, Australia
cPanel Access Level
Root Administrator
Twitter
I'm pleased to report that simply updating CPanel has removed SSLv3 ciphers from many of the services that previously offered them (465, 2083, 2087, etc). I had already disabled them in Apache when I saw that a CPanel update was forthcoming, but you can see from the linked nmap output that most services no longer support SSLv3. It looks like my Courier config is the only thing that will require a manual tweak.. (And yes, I also should disable the weak ciphers...)

/https://gist.github.com/anonymous/721e2c973aa5c073c0ff
yup can confirm the same - update cpanel folks !
 

Infopro

Well-Known Member
May 20, 2003
17,076
521
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
All,

I've been repeatedly asked to post something about this to my site, so I did:

de-POODLE-ing: How to Disable Support for SSLv3 on a cPanel Server - The cPanel Admin

In the post I have covered how to disable SSLv3 for all services on the system. A couple people from cPanel reviewed it for accuracy and added some things, but if I've missed anything feel free to let me know so I can add it.

I reverted all changes I made in recent days, made sure EasyApache was up to date, and updated cPanel.

Next, I came back to this post by Vanessa and went down her list to compare her suggested (on October 18) changes against where I'm at on my end. These suggested settings are in cPanel, right now.

Dear Vanessa, thank you for all of your contributions to this thread, and this forum. :)