SSL 3.0 bug

SuperPik

New member
Joined
Oct 15, 2014
Messages
1
http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow
[q]
Gird your loins, sysadmins: The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent.

Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is expected in the late European evening, or not far from high noon Pacific Time.

Details of the problem are under wraps, purportedly due to the severity of the vulnerability. El Reg cannot confirm whether or not it is indeed a serious bug as we have not received details of the vuln.

To that end, it is unknown what platforms were impacted, but as SSL is very widely used, any flaw will require plenty of urgent attention – and probably be unwelcome news to a tech community already reeling from the recent Shellshock vulnerability in Bash and the Heartbleed flaw.

The SSL flaw won't be the only thing keeping security bods and system administrators busy. A dangerous worm has been discovered exploiting a zero-day flaw (CVE 2014-4114) in all versions of Microsoft Windows and Server 2008 and 2012.
[/q]


Quick workaround if you are using CentOS. *No support!!!! THIS IS NOT AN OFFICIAL PATCH FROM DIRECTADMIN!!!!*
To disable SSLv3 in DirectAdmin:
Code:
sed -i 's/+SSLv3/-SSLv3/g' /etc/httpd/conf/extra/httpd-ssl.conf
service httpd restart
 

midas

Verified User
Joined
May 3, 2007
Messages
19
Just add it to the SSLv2 disable rule:
Code:
sed -i 's/SSLProtocol All -SSLv2/SSLProtocol All -SSLv2 -SSLv3/' /etc/httpd/conf/extra/httpd-ssl.conf && service httpd restart
 

rikkiz0r

New member
Joined
May 14, 2014
Messages
3
I am using CustomBuild 2.0 with nginx_reverse and I patched it the following way:

Go to custombuild config template directory
Code:
cd /usr/local/directadmin/custombuild/configure/nginx_reverse/conf
Patch nginx-vhosts.conf
Code:
nano nginx-vhosts.conf
Remove SSLv3 from the line where it says ssl_protocols so it looks like this:
Code:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Go to the Apache2 config directory
Code:
cd /usr/local/directadmin/custombuild/configure/ap2/conf/extra
Edit httpd-ssl.conf
Code:
nano httpd-ssl.conf
Go to the line where it says: #Disable SSLv2
Add SSLv3 to the disabled protocols so it looks like this:

Code:
# Disable SSLv2
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite HIGH:!aNULL:!MD5
Now rewrite configs:
Code:
/usr/local/directadmin/custombuild/build rewrite_confs
Restart httpd/nginx and check if you are still vulnerable using:
Code:
openssl s_client -connect <server>:<port> -ssl3
It should give the following message:
Code:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Disclaimer:
There are probably better ways to patch this, but in the meantime this seems to work like a charm.
 

Arieh

Verified User
Joined
May 27, 2008
Messages
1,206
Location
The Netherlands
Also see https://wiki.mozilla.org/Security/Server_Side_TLS for a set of recommended settings. I recommend using the 'Intermediate' compatibility, or 'modern' if your target audience allows it.

They also provide the rules to put in Apache and Nginx.

With those CustomBuild config files, you should copy them to the custom directory, e.g. if you have configure/nginx_reverse/conf:
Code:
mkdir -p custom/nginx_reverse/conf
cp configure/nginx_reverse/conf/nginx-vhosts.conf custom/nginx_reverse/conf/
Then edit the file in the custom directory; that way the changes will still be there after the config files are updated.
 

rikkiz0r

New member
Joined
May 14, 2014
Messages
3
Here's how to patch exim and dovecot:
Code:
nano /etc/exim.conf
Find the line where it says:
Code:
tls_require_ciphers
Make it look like this:
Code:
tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP
Dovecot:
Code:
nano /etc/dovecot/dovecot.conf
Search for the line where it says:
Code:
ssl_cipher_list
Make it look like this:
Code:
ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP
Restart exim and dovecot and you're done.
Code:
service exim restart && service dovecot restart
 

midas

Verified User
Joined
May 3, 2007
Messages
19
One-liner for CentOS 6:
Code:
sed -i 's/SSLProtocol All -SSLv2/SSLProtocol All -SSLv2 -SSLv3/' /etc/httpd/conf/extra/httpd-ssl.conf && sed -i 's/:-SSLv2:/:-SSLv2:-SSLv3:/' /etc/exim.conf && sed -i 's/:-SSLv2:/:-SSLv2:-SSLv3:/' /etc/dovecot/dovecot.conf && service httpd restart && service exim restart && service dovecot restart
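Added example, written for this page rather than taken from any poster or from DirectAdmin: a POSIX sh script that does what the sed one-liner above and rikkiz0r's Apache/nginx walkthrough do, but checks first and is safe to run more than once. It evaluates an Apache SSLProtocol line the way mod_ssl does (All, +proto, -proto, case-insensitive), so it handles both the "All -SSLv2" form used here and the "-all +TLSv1.2 +TLSv1.1 +TLSv1" form posted later in the thread, treats an nginx ssl_protocols line as the plain list it is, reports any uncommented line that still enables SSLv3, and appends -SSLv3 only to Apache lines that need it, so a second run does not stack tokens the way a repeated sed would. File paths and the sample config text are constructed for the demo; on a real server you would pass /etc/httpd/conf/extra/httpd-ssl.conf (or the custom/ copy Arieh describes) and the nginx vhost template, then rewrite the confs and restart as the earlier posts say. It deliberately leaves the Exim and Dovecot lines alone: in OpenSSL cipher-list syntax the SSLv3 keyword selects a group of cipher suites, not the protocol, so the ":-SSLv3:" edit removes suites rather than disabling SSLv3 (which fits the TLS breakage reported further down); the protocol is switched off with the daemon's own protocol setting, openssl_options = +no_sslv3 in Exim and ssl_protocols = !SSLv2 !SSLv3 in Dovecot 2.x, which this example does not touch.

```shell
#!/bin/sh
# Added example (editor's own, not code from this thread or from DirectAdmin):
# audit Apache mod_ssl and nginx config files for SSLv3 and patch the Apache
# file idempotently. Paths and sample config text below are constructed for
# the demo; point the functions at the real files on a live server.

# Drop leading whitespace so commented-out directives can be skipped.
trim() { printf '%s' "$1" | sed 's/^[[:space:]]*//'; }

# Evaluate one Apache "SSLProtocol" line left to right and print "yes" if
# SSLv3 ends up enabled, "no" otherwise. mod_ssl syntax: "all" enables every
# version, "+proto" adds one, "-proto" removes one, a bare "proto" adds it;
# keywords are case-insensitive.
apache_sslv3_enabled() {
    state=no
    for tok in $1; do
        case "$(printf '%s' "$tok" | tr 'A-Z' 'a-z')" in
            all|+all|sslv3|+sslv3) state=yes ;;
            -all|-sslv3)           state=no ;;
        esac
    done
    printf '%s\n' "$state"
}

# Same for an nginx "ssl_protocols" line, which is a plain list of the
# versions to enable: SSLv3 is on only if the token is present.
nginx_sslv3_enabled() {
    state=no
    for tok in $(printf '%s' "$1" | tr -d ';'); do
        case "$tok" in SSLv3) state=yes ;; esac
    done
    printf '%s\n' "$state"
}

# Print every uncommented protocol directive in FILE that still enables
# SSLv3. Returns 0 when the file is clean, 1 when something was reported.
audit_file() {
    rc=0
    while IFS= read -r line; do
        t=$(trim "$line")
        case "$t" in
            SSLProtocol*)   v=$(apache_sslv3_enabled "$t") ;;
            ssl_protocols*) v=$(nginx_sslv3_enabled "$t") ;;
            *)              continue ;;   # comments, blanks, other directives
        esac
        if [ "$v" = yes ]; then
            printf '%s: SSLv3 still enabled: %s\n' "$1" "$t"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Idempotent counterpart of the sed one-liner: append " -SSLv3" only to
# SSLProtocol lines that still enable SSLv3, keep a .bak copy, and write
# through a temp file so a failure does not leave a half-written config.
patch_apache_file() {
    f=$1
    cp "$f" "$f.bak"
    while IFS= read -r line; do
        case "$(trim "$line")" in
            SSLProtocol*)
                if [ "$(apache_sslv3_enabled "$line")" = yes ]; then
                    line="$line -SSLv3"
                fi ;;
        esac
        printf '%s\n' "$line"
    done < "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Demo on constructed files in the shapes seen in this thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/httpd-ssl.conf" <<'EOF'
# Disable SSLv2
SSLProtocol All -SSLv2
SSLHonorCipherOrder On
EOF
cat > "$demo_dir/nginx-vhosts.conf" <<'EOF'
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
EOF
for f in "$demo_dir/httpd-ssl.conf" "$demo_dir/nginx-vhosts.conf"; do
    audit_file "$f" || echo "-> $f needs attention"
done
patch_apache_file "$demo_dir/httpd-ssl.conf"
patch_apache_file "$demo_dir/httpd-ssl.conf"   # second run changes nothing
audit_file "$demo_dir/httpd-ssl.conf" && echo "-> Apache file is now clean"
rm -rf "$demo_dir"
```

Run it as-is to see the demo; for a real check, source it and call audit_file on each config file, or patch_apache_file on the custom/ copy of httpd-ssl.conf, then run ./build rewrite_confs and restart the services as the posts above describe and confirm with the openssl s_client -ssl3 test rikkiz0r gives.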
 

Jan_E

Verified User
Joined
Apr 29, 2011
Messages
107
Location
Amsterdam, NL
On CentOS 6 you can also enable FIPS:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Federal_Standards_And_Regulations-Federal_Information_Processing_Standard.html

Apache config without support for IE8 on XP:
Code:
SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1
SSLCipherSuite HIGH:!3DES:!AES128
SSLHonorCipherOrder On
SSLFIPS on

With support for IE8 on XP:
Code:
SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1
SSLCipherSuite AES256:AES128:3DES:HIGH
SSLHonorCipherOrder On
SSLFIPS on

Example: https://www.ssllabs.com/ssltest/analyze.html?d=phpdev.toolsforresearch.com
 

kevinb

Verified User
Joined
Jul 27, 2006
Messages
96
I haven't been able to get the Directadmin service to disable SSLv3.

The ssl_cipher in directadmin.conf seems to ignore disabling it.

Anyone have a working line or is this going to require a new binary?

Thanks,

Kevin
 

Jan_E

Verified User
Joined
Apr 29, 2011
Messages
107
Location
Amsterdam, NL
Run ./build rewrite_confs to generate an httpd-ssl.conf in /etc/httpd/conf/extra.
Copy this httpd-ssl.conf to /usr/local/directadmin/custombuild/custom/ap2/conf/extra.
Edit the custom httpd-ssl.conf and run ./build rewrite_confs again.
 

Active8

Verified User
Joined
Jul 13, 2013
Messages
256
I see a lot of "solutions" but which one is the right one? (I use CentOS 6.5)
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
14,102
Location
GMT +7.00
Some details on the POODLE Vulnerability in SSLv3

The vulnerability allows an attacker to add padding to a request in order to then calculate the plaintext of encryption using the SSLv3 protocol. Effectively, this allows an attacker to compromise the encryption when using the SSLv3 protocol.
Full details have been published by Google in a paper which dubs the bug POODLE (PDF).
https://blog.cloudflare.com/sslv3-support-disabled-by-default-due-to-vulnerability/
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,535
Quote from http://www.webhostingtalk.com/showpost.php?p=9263881&postcount=50:
[q]
OpenSSL seems to have a patch for both OpenSSL 1.0.1 and 1.0.2. The 1.0.1 one is at http://marc.info/?t=141333055000001&r=1&w=2 and seems to be committed to Git (https://github.com/openssl/openssl/commits/OpenSSL_1_0_1-stable), and it looks like OpenSSL 1.0.1j is coming soon.
[/q]
Also see RedHat: "Resolution for POODLE SSLv3.0 vulnerability (CVE-2014-3566) in httpd": https://access.redhat.com/solutions/1232413

I am considering waiting until there is a patch out from OpenSSL, but have not decided yet ...
 

kevinb

Verified User
Joined
Jul 27, 2006
Messages
96
[q]
Quote from http://www.webhostingtalk.com/showpost.php?p=9263881&postcount=50:
Also see RedHat: "Resolution for POODLE SSLv3.0 vulnerability (CVE-2014-3566) in httpd": https://access.redhat.com/solutions/1232413

I am considering waiting until there is a patch out from OpenSSL, but have not decided yet ...
[/q]
The patches don't fix the problem per se. They prevent a MITM attack from forcing a TLS connection down to SSLv3. It is dependent on the browser supporting the feature.
 

GXX

Verified User
Joined
Mar 25, 2006
Messages
361
[q]
I haven't been able to get the Directadmin service to disable SSLv3.

The ssl_cipher in directadmin.conf seems to ignore disabling it.

Anyone have a working line or is this going to require a new binary?

Thanks,

Kevin
[/q]
I believe you can replace SSLv3 with "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP".

Then just restart DA.
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
8,987

gate2vn

Verified User
Joined
Nov 9, 2004
Messages
298
For proftpd, you need to change 2 sections:

1. Disable "TLSProtocol SSLv23", enable "TLSProtocol TLSv1"
2. Change "!SSLv2:+SSLv3" to "!SSLv2:!SSLv3"
 

gate2vn

Verified User
Joined
Nov 9, 2004
Messages
298
Somehow, on some servers, I get this error:

Code:
Starting exim: 2014-10-16 12:40:53 Exim configuration error:
  tls_require_ciphers invalid: SSL_CTX_set_cipher_list(ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP) failed
I tried updating to the latest exim.conf and exim.pl and still get the error. The same config works on other servers. Any idea?
 

yak983

Verified User
Joined
Oct 6, 2009
Messages
36
[q]
Somehow, on some servers, I get this error:

Code:
Starting exim: 2014-10-16 12:40:53 Exim configuration error:
  tls_require_ciphers invalid: SSL_CTX_set_cipher_list(ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP) failed
I tried updating to the latest exim.conf and exim.pl and still get the error. The same config works on other servers. Any idea?
[/q]
On Debian 6 I have the same problem.

On CentOS 6, if I do this replacement in exim and dovecot:
Code:
sed -i 's/:-SSLv2:/:-SSLv2:-SSLv3:/' /etc/exim.conf && sed -i 's/:-SSLv2:/:-SSLv2:-SSLv3:/' /etc/dovecot/dovecot.conf && service exim restart && service dovecot restart
all client TLS stops working and incoming mail in exim (from Google etc.) goes to timeout.
 