Disable Support for SSLv3 on a cPanel Server

The latest security buzz this month is about the SSLv3 POODLE vulnerability, and how SSL version 3.0 is now officially designated as insecure, joining its predecessors versions 1.0 (unreleased) and 2.0.  This effectively concludes the life cycle of the SSL protocol in favor of TLS.  This post will give you a brief overview of what POODLE is, and how to protect against it on a cPanel system.

Unlike Heartbleed though, the problem is actually [mostly] on the client side.  When a browser, or really any client that connects to an encrypted service, connects to a website over https, it’ll use the newest protocol that it can (at present, that is TLS 1.2, soon to be replaced with 1.3).  If it’s unable to connect, the present behavior for most is to re-negotiate using older protocols.  This in itself is not the actual vulnerability, only the behavior that causes the exploit to be successful.  The actual problem behind the POODLE vulnerability is that information accessed via an SSLv3-encrypted connection is not actually secure, as we found out.  An attacker can use the browser’s “fallback” capabilities to essentially persuade the browser to use SSLv3, then execute a man-in-the-middle attack to read transmitted data in plain text.  We won’t go over the details here, but you can read a full explanation of the vulnerability in Google’spublished security advisory.

While the burden of this exploit is on the client end, server administrators should take action to disable SSLv3 on their servers.  While any modern browser supports TLS 1.0/1.1/1.2, it’s a known fact that some people just don’t update their software.  Companies such as Google and Mozilla are working to disable fallback support in Chrome and Firefox, respectively, but if someone hasn’t updated their browser since 2008, they probably can’t be expected to do it now.  There’s are also web servers that are not configured to allow TLS, thus forcing the browser to negotiate with an older protocol.  So there are indeed two sides to this problem, and the disabling of older protocols on either the client or server end can cause compatibility problems.  The end result is, everyone has some updating to do.

Note: OpenSSL did release a patch to help prevent client-side protocol fallbacks, but this does not fully address the problem.

Services not affected:

Disabling SSLv3 for Apache

 

Disabling via SSLProtocol

Update 10/22: As of cPanel 11.44.1.19, you can now change the cipher list via WHM -> Apache Configuration -> Global Configuration -> SSL/TLS Cipher Suite:

All -SSLv2 -SSLv3

To do this via CLI, edit /var/cpanel/conf/apache/local and edit this line (it may not exist by default, so you can just add it under sslciphersuite:

 "sslprotocol":
   "item":
     "sslprotocol": 'All -SSLv2 -SSLv3'

Then run:

/scripts/rebuildhttpdconf

service httpd restart

If the change does not take effect, see if /var/cpanel/templates/apache/main.local exists. If it does, you need to make sure this line exists in the SSL part of the config:

[% IF main.sslprotocol.item.sslprotocol.length %]SSLProtocol [% main.sslprotocol.item.sslprotocol %][% END %]

 

Disabling SSLv3 for cPanel, WHM, and Webmail

This is specifically referring to cPanel services, accessed via ports 2083, 2096, and 2087.  Go to WHM -> Service Configuration -> cPanel Web Services Configuration, and change TLS/SSL Protocols to:

SSLv23:!SSLv2:!SSLv3

To do this via CLI, edit /var/cpanel/conf/cpsrvd/ssl_socket_args and change the value of SSL_version to the same as above.  Save the file and run:

/usr/local/cpanel/whostmgr/bin/whostmgr2 docpsrvdconfiguration

 

Disabling SSLv3 for WebDisk

Go to WHM -> cPanel Web Disk Configuration and change the value of TLS/SSL Protocols to:

SSLv23:!SSLv2:!SSLv3

To do this via CLI, edit the file /var/cpanel/conf/cpdavd/ssl_socket_args and change the value of SSL_version to the same as above.  Then run:

/usr/local/cpanel/whostmgr/bin/whostmgr2 docpdavdconfiguration

 

Disabling SSLv3 for Dovecot

If you are using Dovecot for POP/IMAP, go to WHM -> Mailserver Configuration and edit the value for SSL Protocols exclude SSLv3:

!SSLv2 !SSLv3

To do this via CLI, edit /var/cpanel/conf/dovecot/main and change the value of ssl_protocols. Save the file and run:

/usr/local/cpanel/whostmgr/bin/whostmgr2 savedovecotsetup

 

DISABLING SSLV3 FOR Courier

Go to WHM -> Mailserver Configuration and change the value of TLS/SSL Protocol for both POP and IMAP to “Only permit TLSv1.0 connections”.

To do this via CLI, edit the following valuesfor both IMAP and POP3 SSL in /var/cpanel/courierconfig.yaml:

 "TLS_PROTOCOL": 'TLSv1'
 "TLS_STARTTLS_PROTOCOL": 'TLSv1'

Then run:

/usr/local/cpanel/bin/build_courier_conf

 

DISABLING SSLV3 FOR Exim

At present there is no way to disable SSLv3 via WHM.  You can go to WHM -> Exim Configuration Manager and disable the option for “Allow weak SSL/TLS ciphers”, but at ths time of this writing, this does not include disabling SSLv3.  To do this via CLI, create/edit a file called /etc/exim.conf.local, and add the following:

@CONFIG@
tls_require_ciphers = ALL:-SSLv3:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

If the file already exists, just add this to the existing @CONFIG@ section.  Then run:

/scripts/buildeximconf

service exim restart

Note:  There are numerous reports of this causing issues for mail servers trying to send email to your server.  Proceed with caution here.

 

DISABLING SSLV3 FOR Pure-FTPd/ProFTPd

Go to WHM -> FTP Server Configuration and add !SSLv3 to the TLS Cipher Suite value, ie:

HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3

To do this via CLI, edit /var/cpanel/conf/pureftpd/main (/var/cpanel/conf/proftpd if you run ProFTP) and change the value of TLSCipherSuite.  Then run:

/usr/local/cpanel/bin/build_ftp_conf

service pure-ftpd restart

 

Testing for SSLv3 Support

To make sure services on your server are not accepting SSLv3 connections, you can run the openssl client on your server against the SSL ports.  This command is run as follows:

openssl s_client -connect localhost:port -ssl3

If it fails (which is what you want), you should see something like this at the top of the output:

140575449110344:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:

For the port value, you’d use the following to test:

  • 443: https (Apache)
  • 995: POP3 SSL
  • 993: IMAP SSL
  • 465: SMTPS (Exim)
  • 2083: cPanel SSL
  • 2078: WebDisk SSL
  • 2087: WHM SSL
  • 2096: Webmail SSL
Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s