Protecting your cPanel/WHM server from SSLv3 POODLE vulnerability – Guide to mitigate CVE-2014-3566 by disabling SSL 3.0 in Exim, Apache, Nginx, Pure-FTP, ProFTPd, Dovecot and Courier-IMAP
UPDATE 17th Oct – Some browsers like Firefox and IE 6 are reporting issues when SSLv3 is disabled. Fortunately, an SSLv3 fix is available from OpenSSL, and the major distros will soon be putting it in their repos, so SSLv3 can be disabled in a phased manner. Check the comments for more info.
On Oct 14th Google published details of an SSL 3.0 vulnerability which allows an attacker to compromise a secure session through a man-in-the-middle attack. Support for SSL 3.0 is available in all popular mail, FTP and web clients, which makes all your clients vulnerable to an exploit based on this bug. Since SSL 3.0 is an 18-year-old, obsolete technology, we recommend disabling it on all cPanel servers.
Pro-active Server Management service at Bobcares was notified of this vulnerability on 14th, and all servers that we maintain were secured against this vulnerability by disabling CBC ciphers.
Here is a quick script for you to check if your cPanel/WHM server is vulnerable. Execute the following as root. If you get ANY cipher output, your server can be considered vulnerable.
# Try an SSLv3 handshake with every SSLv3 cipher on each cPanel TLS port.
# Port 21 (FTP) only offers TLS after AUTH TLS, so it needs -starttls ftp.
# A failed handshake still prints "Cipher is (NONE)"; that line is filtered
# out so only successful SSLv3 negotiations are shown.
for port in 21 443 465 993 995 2083 2087 2078 2096; do
  echo "Scanning $port"
  opts=""; [ "$port" = 21 ] && opts="-starttls ftp"
  for cipher in $(openssl ciphers -sslv3 'ALL:eNULL' | sed -e 's/:/ /g'); do
    echo -n | openssl s_client -sslv3 -cipher "$cipher" $opts -connect xxx.xxx.xxx.xxx:$port 2>&1 | grep -i "Cipher is" | grep -v "(NONE)"
  done
done
Replace xxx.xxx.xxx.xxx with your server IP.
Not comfortable doing the scan yourself? We can help!
In cPanel/WHM, 7 services need to be secured, viz. HTTP, POP3, IMAP, FTP, SMTP, Control Panel and Web Disk. Here is how we disabled SSL 3.0 on our servers:
HTTP – Apache / Nginx
To fix Apache,
In WHM, go to Home >> Service Configuration >> Apache Configuration >> Global Configuration, and set the SSL Cipher Suite to the one below:
Then go to Home >> Service Configuration >> Apache Configuration >> Include Editor, and include the following in the Pre Main Include:
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256
SSLHonorCipherOrder on
To fix Nginx,
Go to the Nginx configuration, and change the line
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
to
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
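As an added example (not part of the original post), here is a small Python checker that reads an Apache or Nginx config fragment and reports whether SSLv3 can still be negotiated, applying the SSLProtocol (+/-/all) and ssl_protocols semantics described above. The config fragments are constructed samples, and treating a missing Apache SSLProtocol directive as "all" is an assumption matching the Apache builds current when this was written.

```python
import re

# Protocols a 2014-era Apache/Nginx build could negotiate; "all" expands to this.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
CANON = {p.lower(): p for p in ALL_PROTOCOLS}  # Apache names are case-insensitive

def apache_protocols(args):
    """Resolve an Apache SSLProtocol argument list to the enabled set.
    Tokens apply left to right: 'all' expands to ALL_PROTOCOLS, a bare or '+'
    token adds a protocol, a '-' token removes one. Simplification (assumption):
    per-vhost inheritance is ignored; only the given directive is evaluated."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else (CANON.get(name.lower(), name),)
        enabled.update(names) if sign == "+" else enabled.difference_update(names)
    return enabled

def nginx_protocols(args):
    """nginx ssl_protocols is a plain allow-list with no +/- syntax."""
    return set(args.split())

def find_sslv3(config_text, server):
    """Return (sslv3_enabled, enabled_protocols) for an 'apache' or 'nginx' fragment.
    If the directive is absent the server default applies: assumed 'all' for the
    2014-era Apache builds, and 'SSLv3 TLSv1 TLSv1.1 TLSv1.2' for nginx of that time."""
    if server == "apache":
        pattern, default, resolve = r"^\s*SSLProtocol\s+(.+?)\s*$", "all", apache_protocols
    else:
        pattern, default, resolve = r"^\s*ssl_protocols\s+(.+?)\s*;", "SSLv3 TLSv1 TLSv1.1 TLSv1.2", nginx_protocols
    matches = re.findall(pattern, config_text, re.MULTILINE | re.IGNORECASE)
    protocols = resolve(matches[-1] if matches else default)  # last directive wins
    return "SSLv3" in protocols, protocols

# Constructed sample fragments: the pre-fix state and the fix shown above.
APACHE_BEFORE = "SSLEngine on\nSSLProtocol All -SSLv2\n"
APACHE_AFTER = ("SSLProtocol All -SSLv2 -SSLv3\n"
                "SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256\n"
                "SSLHonorCipherOrder on\n")
NGINX_BEFORE = "server {\n    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"
NGINX_AFTER = "server {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"

if __name__ == "__main__":
    for label, text, srv in [("apache before", APACHE_BEFORE, "apache"), ("apache after", APACHE_AFTER, "apache"),
                             ("nginx before", NGINX_BEFORE, "nginx"), ("nginx after", NGINX_AFTER, "nginx")]:
        vulnerable, protos = find_sslv3(text, srv)
        print(f"{label}: SSLv3 {'ENABLED' if vulnerable else 'disabled'}; protocols={sorted(protos)}")
```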
SMTP – Exim
In WHM, go to Home >> Service Configuration >> Exim Configuration Manager >> Advanced Editor, and change tls_require_ciphers to
POP/IMAP – Courier-IMAP / Dovecot
In WHM, go to Home >> Service Configuration >> Mailserver Configuration, and change SSL Cipher List to
FTP – Pure-FTP / Pro-FTP
In WHM, go to Home >> Service Configuration >> FTP Server Configuration, and change the TLS Cipher Suite to
cPanel Web Services
In WHM, go to Home >> Service Configuration >> cPanel Web Services Configuration, and change TLS/SSL Cipher List to
cPanel Web Disk
In WHM, go to Home >> Service Configuration >> cPanel Web Disk Configuration, and change TLS/SSL Cipher List to
Not sure if your servers are patched? We can take a quick look, and fix your servers NOW.
Sign up for Proactive Server Management today, and get your servers automatically secured against zero-day exploits.