Bobcares

Protecting your cPanel/WHM server from SSLv3 POODLE vulnerability

by | Oct 16, 2014

UPDATE 17th Oct – Some browsers, such as Firefox and IE 6, report issues when SSLv3 is disabled. Fortunately, an SSLv3 fix is available from OpenSSL, and major distros should soon add it to their repos. Disabling SSLv3 can soon be done in a phased manner. Check the comments for more info.

On Oct 14th Google published details of an SSL 3.0 vulnerability, which allows an attacker to break into a secure session through a man-in-the-middle attack.

Support for SSL 3.0 is available in all popular mail, FTP and web clients, which makes all your clients vulnerable to an exploit based on this bug. Since SSL 3.0 is an 18-year-old obsolete technology, we recommend disabling it on all cPanel servers.

The Pro-active Server Management service at Bobcares was notified of this vulnerability on the 14th, and all servers that we maintain were secured against it by disabling CBC ciphers.


Here is a quick script to check whether your cPanel/WHM server is vulnerable. Run the following as root. If you get ANY cipher output, your server can be considered vulnerable.

for port in 21 443 465 993 995 2083 2087 2078 2096; do
  echo "Scanning $port"
  for cipher in $(openssl ciphers -ssl3 'ALL:eNULL' | sed -e 's/:/ /g'); do
    # A failed handshake prints "Cipher is (NONE)"; drop it so only accepted ciphers show
    echo -n | openssl s_client -ssl3 -cipher "$cipher" -connect xxx.xxx.xxx.xxx:$port 2>&1 | grep -i "Cipher is" | grep -v "(NONE)"
  done
done

Replace xxx.xxx.xxx.xxx with your server IP.
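
The same check reduced to one verdict per port, as an added example that is not part of the original article: it parses the s_client output instead of printing it raw, and uses -starttls ftp on port 21. Assumptions: the function names, the SCAN_HOST variable and the sample strings are made up here, FTP on port 21 is taken to use explicit TLS, and the local openssl build must still include SSLv3 for the result to mean anything.

```shell
#!/bin/sh
# Added example (not from the original article): per-port SSLv3 verdicts.

# Constructed s_client excerpts, used to exercise the parser offline.
SAMPLE_ACCEPT='New, TLSv1/SSLv3, Cipher is AES256-SHA'
SAMPLE_REJECT='New, (NONE), Cipher is (NONE)'
SAMPLE_NOSSL3='unknown option -ssl3'

# Read s_client output on stdin and print one verdict:
#   ACCEPTED <cipher>  the server completed an SSLv3 handshake
#   REJECTED           no SSLv3 handshake was completed
#   UNSUPPORTED        the local openssl client rejected the -ssl3 option
sslv3_verdict() {
  awk '
    tolower($0) ~ /unknown option/ { nossl3 = 1 }
    /Cipher is/ && $NF != "(NONE)" { cipher = $NF }
    END {
      if (nossl3) print "UNSUPPORTED"
      else if (cipher != "") print "ACCEPTED " cipher
      else print "REJECTED"
    }'
}

# Probe the ports listed in the article. Assumption: port 21 is plain FTP
# until AUTH TLS, so it needs -starttls ftp; the others start with TLS.
scan_sslv3() {
  host=$1
  for port in 21 443 465 993 995 2083 2087 2078 2096; do
    extra=""
    if [ "$port" = 21 ]; then extra="-starttls ftp"; fi
    verdict=$(openssl s_client -ssl3 $extra -connect "$host:$port" </dev/null 2>&1 | sslv3_verdict)
    printf '%-5s %s\n' "$port" "$verdict"
  done
}

# Runs only when a host is given, e.g. SCAN_HOST=xxx.xxx.xxx.xxx sh scan.sh
if [ -n "${SCAN_HOST:-}" ]; then scan_sslv3 "$SCAN_HOST"; fi
```

A port that is closed or filtered also shows as REJECTED, so compare the list against the services you actually run.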


In cPanel/WHM, 7 services need to be secured: HTTP, POP3, IMAP, FTP, SMTP, Control Panel and Web Disk. Here is how we disabled SSL 3.0 on our servers:


HTTP – Apache / Nginx

To fix Apache,

In WHM, go to Home >> Service Configuration >> Apache Configuration >> Global Configuration, and set the SSL Cipher Suite to the one below:

ALL:!ADH:!RC4:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH

Then go to Home >> Service Configuration >> Apache Configuration >> Include Editor, and include the following in Pre Main Include:

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256
SSLHonorCipherOrder on

Restart Apache.


To fix Nginx,

Go to Nginx configuration, and change the line

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

to

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Restart Nginx.
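
To confirm the edits took effect, the two directives can be audited straight from the configuration text. This is an added example, not part of the original article; audit_sslv3 and the sample text are made up here, and it assumes that "All" in Apache's SSLProtocol includes SSLv3, which is why the article subtracts it.

```shell
#!/bin/sh
# Added example (not from the original article): flag SSLProtocol and
# ssl_protocols lines that still allow SSLv3.

# Constructed sample: the weak and the corrected form of each directive.
SAMPLE_CONF='SSLProtocol All -SSLv2
SSLProtocol All -SSLv2 -SSLv3
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;'

# Reads configuration text on stdin and prints one verdict per directive.
# Exit status is 1 if any directive leaves SSLv3 enabled, 0 otherwise.
# Usage: audit_sslv3 < your-config-file
audit_sslv3() {
  awk '
    { sub(/#.*/, ""); sub(/;[ \t]*$/, "") }      # drop comments, trailing ";"
    tolower($1) == "sslprotocol" {               # Apache: signed token list
      on = 0
      for (i = 2; i <= NF; i++) {
        tok = tolower($i); sign = substr(tok, 1, 1)
        if (sign == "+" || sign == "-") tok = substr(tok, 2); else sign = "="
        hit = (tok == "sslv3" || tok == "all")   # assumption: all includes SSLv3
        if (sign == "-") { if (hit) on = 0 }
        else if (sign == "+") { if (hit) on = 1 }
        else on = hit                            # bare token replaces the set
      }
      report("apache", on)
    }
    tolower($1) == "ssl_protocols" {             # Nginx: plain allow-list
      on = 0
      for (i = 2; i <= NF; i++) if (tolower($i) == "sslv3") on = 1
      report("nginx", on)
    }
    function report(kind, enabled) {
      printf "line %d (%s): SSLv3 %s\n", NR, kind, enabled ? "ENABLED" : "disabled"
      if (enabled) bad = 1
    }
    END { exit bad + 0 }
  '
}

# Demo on the constructed sample; "|| true" keeps the script exit status at 0.
printf '%s\n' "$SAMPLE_CONF" | audit_sslv3 || true
```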

SMTP – Exim

In WHM, go to Home >> Service Configuration >> Exim Configuration Manager >> Advanced Editor, and change tls_require_ciphers to

ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2

Restart Exim.

POP/IMAP – Courier-IMAP / Dovecot

In WHM, go to Home >> Service Configuration >> Mailserver Configuration, and change SSL Cipher List to

ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2

FTP – Pure-FTP / Pro-FTP

In WHM, go to Home >> Service Configuration >> FTP Server Configuration, and change the TLS Cipher Suite to

HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!TLSv1:!SSLv2:!SSLv3

cPanel Web Services

In WHM, go to Home >> Service Configuration >> cPanel Web Services Configuration, and change TLS/SSL Cipher List to

ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH

 

cPanel Web Disk

In WHM, go to Home >> Service Configuration >> cPanel Web Disk Configuration, and change TLS/SSL Cipher List to

ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH


7 Comments

  1. Amal

    cPanel, WHM & Webmail will have problems on the Firefox browser if we disable SSLv3, because for some weird reason Firefox allows TLS only on port 443.

    • Visakh S

      Firefox does not default to using TLS until v34, which will be out only in November.

      At least for the time being, it would be necessary to send a newsletter to clients advising them to use Chrome until a later update is available.

      This will only affect the webmaster, and those who are members of staff. The biggest impact will be on those who use Webmail, and those would be members of staff in the webmaster’s organization. POODLE got good media coverage, and this should be easier for webmasters to pass on to their organization as long as we move fast enough.

  2. Amal

    Another issue is with IE 6 on Windows XP. HTTPS websites for which SSLv3 is disabled will stop loading on such machines.

    • Visakh S

      You may not be required to disable SSLv3 after all. A patch has been released by OpenSSL:
      https://www.openssl.org/news/secadv_20141015.txt

      The updated packages are yet to reach major repos. I just checked CentOS, and it's still showing older versions. I’m sure it will be available from today, and then it's only a matter of doing:

      In CentOS / Redhat / Cloud Linux / Fedora servers

      # yum -y update openssl

      In Ubuntu / Debian servers

      # apt-get update && apt-get install openssl

      In OpenSuse servers

      # zypper patch --cve=CVE-2014-3566

      OpenSSL 1.0.1 should be upgraded to 1.0.1j
      OpenSSL 1.0.0 should be upgraded to 1.0.0o
      OpenSSL 0.9.8 should be upgraded to 0.9.8zc

  3. unnikrishnan

    For FTP – Pure-FTP / Pro-FTP, cPanel services and cPanel Web Disk, are the codes correct? Is something missing there?

    • Visakh S

      Those ciphers were tested on a cPanel dev server before putting them on the site. Is there something you find wrong with them?

      It doesn't specifically mention the SSLv3 suite, but rather, it is a collection of strong ciphers.
