SSLv3 Vulnerability : http://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

[lorio]

OpenSSL> version
OpenSSL 1.0.1e-fips 11 Feb 2013
Was there a backported patch applied?

[CentOS-announce] CESA-2014:1652 Important CentOS 6 openssl Security Update

rpm -q --changelog openssl

* Wed Oct 15 2014 Tomáš Mráz <[email protected]> 1.0.1e-30.2
- fix CVE-2014-3567 - memory leak when handling session tickets
- fix CVE-2014-3513 - memory leak in srtp support
- add support for fallback SCSV to partially mitigate CVE-2014-3566
(padding attack on SSL3)

 

[sneader]

Thanks, lorio, for the reminder on checking for the back porting. I'm seeing the same as you are, so I should be good to go!

- Scott

 

[frogstarr78]

Anyone mention it's probably either a matter of updating Firefox or disabling SSLv3 Support on the client in order to get it to work after disabling SSLv3 on the WHM/cPanel ports?

I've successfully disabled SSLv2 on ports 2087, 2083, and 2082, on several servers, and have no issue with firefox accessing them.

How to disable SSLv3 in Firefox: https://zmap.io/sslv3/browsers.html
or: https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/?src=api

 

[launch]

Hi rohroh1974, have you managed to fix this? I have exactly the same problem

- - - Updated - - -

OK upon further investigation I think i may have found the issue. Centos 5 only appears to be using OpenSSL 0.9.8 as its usual repo-based installation. By removing SSLv3 it appears that OpenSSL has No ciphers that can be used.



if i remove the -SSLv3 option i get the following




Please correct me if i am wrong but it appears that 0.9.8 doesn't have any ciphers at all that don't contain SSLv3 in the ident....

Hi Rowan, have you managed to fix this? I have exactly the same problem.

 

[triantech]

Hey launch,

That's correct, OpenSSL 0.9.8 doesnt have any other ciphers than sslv2 and sslv3 which we just disabled now.
You might want to upgrade OpenSSL, if you are on a centos5 box, manually install it from the source.