Ssl 3.0 bug

[SuperPik]

http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow
[q]
Gird your loins, sysadmins: The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent.

Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is expected in in the late European evening, or not far from high noon Pacific Time.

Details of the problem are under wraps, purportedly due to the severity of the vulnerability. El Reg cannot confirm whether or not it is indeed a serious bug as we have not received details of the vuln.

To that end, it is unknown what platforms were impacted, but as SSL is very widely used, any flaw will require plenty of urgent attention – and probably be unwelcome news to a tech community already reeling from the recent Shellshock vulnerability in Bash and the Heartbleed flaw.

The SSL flaw won't be the only thing keeping security bods and system administrators busy. A dangerous worm has been discovered exploiting a zero-day flaw (CVE 2014-4114) in all versions of Microsoft Windows and Server 2008 and 2012.
[/q]


quick work around, if you are using CENT-OS *no support!!!! THIS IS NOT AN OFFICIAL PATCH FROM DIRECTADMIN!!!!*
To disable SSL v3 in Directadmin
sed -i 's/+SSLv3/-SSLv3/g' /etc/httpd/conf/extra/httpd-ssl.conf
service httpd restart

 

[midas]

Just add it to the SSLv2 disable rule: sed -i 's/SSLProtocol All -SSLv2/SSLProtocol All -SSLv2 -SSLv3/' /etc/httpd/conf/extra/httpd-ssl.conf && service httpd restart

 

[rikkiz0r]

I am using CustomBuild 2.0 with nginx_reverse and I patched it the following way:

Go to custombuild config template directory

cd /usr/local/directadmin/custombuild/configure/nginx_reverse/conf

Patch nginx-vhosts.conf

nano nginx-vhosts.conf

Remove SSLv3 from the line where it says ssl_protocols so it looks like this:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Go to the Apache2 config directory

cd /usr/local/directadmin/custombuild/configure/ap2/conf/extra

Edit httpd-ssl.conf

nano httpd-ssl.conf

Go to the line where it says: #Disable SSLv2
Add SSLv3 to the disabled protocols so it looks like this:

# Disable SSLv2
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite HIGH:!aNULL:!MD5

Now rewrite configs:

/usr/local/directadmin/custombuild/build rewrite_confs

Restart httpd/nginx and check if you are still vulnerable using:

openssl s_client -connect <server>:<port> -ssl3

It should give the following message:

error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Disclaimer:
There are probably better ways to patch this, but in the meantime this seems to work like a charm.

 

[Arieh]

Also see https://wiki.mozilla.org/Security/Server_Side_TLS for a set of recommended settings, I recommend using the 'Intermediate' compatibility, or 'modern', if your target audience allows it.

They also provide the rules to put in Apache and Nginx.

With those custombuild config files, you should copy them to the custom map, e.g. if you have configure/nginx_reverse/conf

mkdir -p custom/nginx_reverse/conf

cp configure/nginx_reverse/conf/nginx-vhosts.conf custom/nginx_reverse/conf/

And edit the file in the custom map, that way the changes will be still there after the config files are updated.

 

[rikkiz0r]

Here's how to patch exim and dovecot:

nano /etc/exim.conf

Find the line where it says:

tls_require_ciphers

Make it look like this:

tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP

Dovecot:

nano /etc/dovecot/dovecot.conf

Search for the line where it says:

ssl_cipher_list

Make it look like this:

ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP

Restart exim and dovecot and your done.

service exim restart && service dovecot restart

 

[midas]

oneliner for centOS6
sed -i 's/SSLProtocol All -SSLv2/SSLProtocol All -SSLv2 -SSLv3/' /etc/httpd/conf/extra/httpd-ssl.conf && sed -i 's/:-SSLv2:/:-SSLv2:-SSLv3:/' /etc/exim.conf && sed -i 's/:-SSLv2:/:-SSLv2:-SSLv3:/' /etc/dovecot/dovecot.conf && service httpd restart && service exim restart && service dovecot restart

 

[Jan_E]

On CentOS 6 you can also enable FIPS:
https://access.redhat.com/documenta...-Federal_Information_Processing_Standard.html

Apache config without support for IE8 on XP

SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1
SSLCipherSite HIGH:!3DES:!AES128
SSLHonorCipherOrder On
SSLFIPS on

With support for IE8 on XP

SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1
SSLCipherSuite AES256:AES128:3DES:HIGH
SSLHonorCipherOrder On
SSLFIPS on

Example: https://www.ssllabs.com/ssltest/analyze.html?d=phpdev.toolsforresearch.com

 

[kevinb]

I haven't been able to get the Directadmin service to disable SSLv3.

The ssl_cipher in directadmin.conf seems to ignore disabling it.

Anyone have a working line or is this going to require a new binary?

Thanks,

Kevin

 

[Jan_E]

./build rewrite_confs to generate a httpd-ssl.conf in /etc/httpd/conf/extra
Copy this httpd-ssl.conf to /usr/local/directadmin/custombuild/custom/ap2/conf/extra
Edit the custom httpd-ssl.conf and run ./build rewrite_confs again.

 

[Active8]

i see lot of "solutions" but wich one is the right one ? (i use Centos 6.5)

 

[zEitEr]

Some details on the POODLE Vulnerability in SSLv3

The vulnerability allows an attacker to add padding to a request in order to then calculate the plaintext of encryption using the SSLv3 protocol. Effectively, this allows an attacker to compromise the encryption when using the SSLv3 protocol.
Full details have been published by Google in a paper which dubs the bug POODLE (PDF).

https://blog.cloudflare.com/sslv3-support-disabled-by-default-due-to-vulnerability/
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html

 

[ditto]

Quote from http://www.webhostingtalk.com/showpost.php?p=9263881&postcount=50:

OpenSSL seems to have a patch for both OpenSSL 1.0.1 and 1.0.2. The 1.0.1 one at http://marc.info/?t=141333055000001&r=1&w=2 and seems to be committed to Git https://github.com/openssl/openssl/commits/OpenSSL_1_0_1-stable and looks like OpenSSL 1.0.1j is coming soon.

Also see RedHat: "Resolution for POODLE SSLv3.0 vulnerability (CVE-2014-3566) in httpd": https://access.redhat.com/solutions/1232413

I am considering waiting until there is a patch out from OpenSSL, but have not decided yet ...

 

[kevinb]

Quote from http://www.webhostingtalk.com/showpost.php?p=9263881&postcount=50:


Also see RedHat: "Resolution for POODLE SSLv3.0 vulnerability (CVE-2014-3566) in httpd": https://access.redhat.com/solutions/1232413

I am considering waiting until there is a patch out from OpenSSL, but have not decided yet ...

The patches don't fix the problem per se. They prevent a MITM attack from dropping forcing a TLS connection down to SSLv3. It is dependent on the browser supporting the feature.

 

[ditto]

@kevinb, ok thanks. I am still collecting information to learn about what actions are best to take on shared hosting servers.

Anyway, OpenSSL 1.0.1j is released now: https://www.openssl.org/news/secadv_20141015.txt - I guess it only will take a few days to be added to RedHat/CentOS.

 

[GXX]

I haven't been able to get the Directadmin service to disable SSLv3.

The ssl_cipher in directadmin.conf seems to ignore disabling it.

Anyone have a working line or is this going to require a new binary?

Thanks,

Kevin

I believe you can replace SSLv3 with "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP".

Then just restart DA.

 

[DirectAdmin Support]

Thanks for all of the contributions in this thread.
I've added an announcement, basically reiterating what you've already covered here:
http://forum.directadmin.com/showthread.php?t=50105&p=258220#post258220

I've also created a document with the list of files and ciphers for those files:
http://help.directadmin.com/item.php?id=571

as there may be a few files missed in this thread so far.

More info to come as it becomes available.

John

 

[ccto]

It seems the custombuild 1.1 or 1.2 ./configure/ap2 has not yet updated.

 

[gate2vn]

For proftpd, need to change in 2 sections:

1. Disable "TLSProtocol SSLv23", enable "TLSProtocol TLSv1"
2. "!SSLv2:+SSLv3" >> "!SSLv2:!SSLv3"

 

[gate2vn]

Somehow, in some servers, I got error:

Starting exim: 2014-10-16 12:40:53 Exim configuration error:
  tls_require_ciphers invalid: SSL_CTX_set_cipher_list(ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP) failed

I tried to update the latest exim.conf, exim.pl and still error. The same config works with other servers. Any idea?

 

[yak983]

Somehow, in some servers, I got error:

Starting exim: 2014-10-16 12:40:53 Exim configuration error:
  tls_require_ciphers invalid: SSL_CTX_set_cipher_list(ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP) failed

I tried to update the latest exim.conf, exim.pl and still error. The same config works with other servers. Any idea?

on debian 6 i have the same problem..

in centos 6 if i replace in exim and dovecot
sed -i 's/:-SSLv2:/:-SSLv2:-SSLv3:/' /etc/exim.conf && sed -i 's/:-SSLv2:/:-SSLv2:-SSLv3:/' /etc/dovecot/dovecot.conf && service exim restart && service dovecot restart


all client TLS stop work and incomming mail in exim (from googlle ecc) go to timeout