According to The Register, a serious vulnerability in SSL v3 will be disclosed tomorrow on October 15th. Some people are recommending disabling SSL v3 in various daemons until further notice.<\/p>\n
A vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker.<\/p>\n
SSL 3.0 is nearly 18 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue.<\/p>\n
Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. <\/p>\n
Detection (Linux)<\/p>\n
The following script can be run against the server in question. The command will return ‘SSL 3.0 enabled’ if vulnerable and ‘SSL 3.0 disabled’ if not.<\/p>\n
_______________<\/p>\n
#!\/bin\/bash
\nret=$(echo Q | timeout 5 openssl s_client -connect “${1-`hostname`}:${2-443}” -ssl3 2> \/dev\/null)
\nif echo “${ret}” | grep -q ‘Protocol.*SSLv3’; then
\n if echo “${ret}” | grep -q ‘Cipher.*0000’; then
\n echo “SSL 3.0 disabled”
\n else
\n echo “SSL 3.0 enabled”
\n fi
\nelse
\n echo “SSL disabled or other error”
\nfi
\n_______________<\/p>\n
NOTE: This script takes the hostname of the server to check as the first argument and an optional port as the second. By default it will check the local system, port 443.
\nResolution<\/p>\n
To avoid this vulnerability, Red Hat recommends disabling SSL and using only TLSv1.1 or TLSv1.2. Backwards compatibility can be achieved using TLSv1.0. Many products Red Hat supports have the ability to use SSLv2 or SSLv3 protocols, however it is strongly recommended against.<\/p>\n
To mitigate this vulnerability as it affects httpd, set the SSLProtocol directive as follows in \/etc\/httpd\/conf.d\/ssl.conf:<\/p>\n
Note: This directive must either be located at the topmost level of the configuration file, or inside the default virtual host configuration for an address.<\/p>\n
Option 1: Disable SSLv2 and SSLv3 (Enable everything except SSLv2 and SSLv3)
\nSSLProtocol All -SSLv2 -SSLv3<\/p>\n
Option 2: Disable everything except TLSv1.x<\/p>\n
On RHEL 7 or RHEL 6.6 and later:
\nSSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2<\/p>\n
On other platforms:
\nSSLProtocol -All +TLSv1<\/p>\n
Then restart httpd:<\/p>\n
# service httpd restart<\/p>\n
Resources: https:\/\/www.openssl.org\/~bodo\/ssl-poodle.pdf<\/a> http:\/\/googleonlinesecurity.blogspot.co.uk\/2014\/10\/this-poodle-bites-exploiting-ssl-30.html<\/a> For Nginx – there are other files to edit:<\/p>\n Rebuild after any changes<\/p>\n Other Resources:<\/p>\n CPanel\/WHM http:\/\/www.cpanelkb.net\/fix-poodle-sslv3-vulnerability\/<\/a> http:\/\/www.percona.com\/blog\/2014\/10\/15\/how-to-close-poodle-sslv3-security-flaw-cve-2014-3566\/<\/a> According to The Register, a serious vulnerability in SSL v3 will be disclosed tomorrow on October 15th. Some people are recommending disabling SSL v3 in various daemons until further notice. A vulnerability in the design of SSL version 3.0. This vulnerability allows the plaintext of secure connections to be calculated by a network attacker. SSL … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,102],"tags":[],"class_list":["post-780","post","type-post","status-publish","format-standard","hentry","category-administration","category-security"],"_links":{"self":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/780","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/comments?post=780"}],"version-history":[{"count":0,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/posts\/780\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/media?parent=780"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/categories?post=780"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.qbytes.cloud\/index.php\/wp-json\/wp\/v2\/tags?post=780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nFor Microsoft
\nhttps:\/\/technet.microsoft.com\/en-us\/library\/security\/3009008.aspx<\/a><\/p>\n
\nhttp:\/\/forums.cpanel.net\/f185\/sslv3-vulnerability-432641.html<\/a><\/p>\n
\nTests
\nTest your web server for SSLv2
\nhttps:\/\/www.ssllabs.com\/ssltest\/index.html<\/a>
\nWhat you are looking for is:
\nTLS 1.2 Yes
\nTLS 1.1 Yes
\nTLS 1.0 Yes
\nSSL 3 No
\nSSL 2 No<\/p>\n\n\n\/usr\/local\/psa\/admin\/conf\/templates\/default\/server\/nginxVhosts.php\n\/usr\/local\/psa\/admin\/conf\/templates\/default\/nginxDomainVirtualHost.php\n\/usr\/local\/psa\/admin\/conf\/templates\/default\/domain\/nginxDomainVirtualHost.php\n\n<\/pre>\n
\n# \/usr\/local\/psa\/admin\/bin\/httpdmng --reconfigure-all\n<\/pre>\n
\nhttps:\/\/documentation.cpanel.net\/display\/CKB\/How+to+Adjust+Cipher+Protocols<\/a><\/p>\n
\nhttp:\/\/thecpaneladmin.com\/disabling-support-for-sslv3-on-a-cpanel-server\/<\/a>
\nPlesk
\nhttp:\/\/kb.sp.parallels.com\/en\/123160<\/a><\/p>\n
\nhttp:\/\/bobcares.com\/blog\/protecting-your-cpanel-whm-server-from-sslv3-poodle-vulnerability-guide-to-mitigate-cve-2014-3566-by-disabling-ssl-3-0-in-exim-apache-nginx-pure-ftp-proftpd-dovecot-and-courier-imap<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"