Time to drop SSLv3 drom DA

interfasys · Oct 16, 2014

http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html

SSLv3 has to be disabled today from the web server and that's easy enough to do.

Next steps are to get rid of it completely asap.

It's easy to get rid of SSLv3 on FreeBSD, compiling OpenSSL ourselves, not sure if Linux distros will start offering SSLv3 less version of OpenSSL.

Then all the apps, including DA have to patched and configured.
DA still has that bug where it doesn't follow the cipher order which should be patched at the same time.

smtalk · Oct 16, 2014

Please check #5 in http://help.directadmin.com/item.php?id=571, SSLv3 protocol should be already disabled in latest pre-release of DA

interfasys · Oct 16, 2014

Nice summary page

Hopefully the cipher order bug is also fixed.

A nice tool which can be used to check your setup
https://github.com/jvehent/cipherscan

LawsHosting · Oct 16, 2014

Why is this happening?

Error Loading ssl_cipher: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP

If I remove -SSLv3, it doesn't complain.

interfasys · Oct 17, 2014

Peter Laws said:
Why is this happening?

If I remove -SSLv3, it doesn't complain.

Did you add this beforehand?

Code:

SSLProtocol All -SSLv2 -SSLv3

LawsHosting · Oct 17, 2014

I meant for DA itself