It was recently discovered that SSL 3.0 is vulnerable to a man-in-the-middle attack, a method dubbed "Poodle". That's part of CVE-2014-3566, which is described here:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
The problem is within the SSL protocol itself, and thus, it is recommended that SSL 3.0 be disabled.
The following describes how to do that:
In RHEL/CentOS, edit /etc/httpd/conf.d/ssl.conf.
In Ubuntu/Debian, edit /etc/apache2/mods-enabled/ssl.conf.
Look for a line beginning with SSLProtocol; it should look something like this:
SSLProtocol all -SSLv2
You need to modify it to look like this:
SSLProtocol all -SSLv2 -SSLv3
And then restart Apache:
RHEL/CentOS: /etc/init.d/httpd restart
Ubuntu/Debian: /etc/init.d/apache2 restart
Webmin will correct this issue automatically in the future. In the meantime, to disable SSLv3, edit this file:
/etc/webmin/miniserv.conf
And add the following line to the end:
ssl_version=10
Then restart Webmin:
/etc/init.d/webmin restart
Edit this file:
/etc/usermin/miniserv.conf
And add the following line to the end:
ssl_version=10
Then restart Usermin:
/etc/init.d/usermin restart
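The Apache and Webmin/Usermin edits above are easy to get half-done by hand (a second SSLProtocol line elsewhere, a duplicate ssl_version setting). The script below is an added example, not part of the original post or of Virtualmin itself: it applies both changes idempotently to whatever file paths you pass it, so you can try it on copies first, and includes an optional handshake check. The config paths in the apply block are the ones named in the post; the backup suffix and function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): apply the two POODLE mitigations
# described above in an idempotent way and report what changed.

# Append "-SSLv3" to every active SSLProtocol directive in FILE that does
# not already exclude it. Commented-out directives are left alone.
# Prints "changed" or "unchanged".
harden_apache_sslprotocol() {
    file="$1"
    tmp="$file.tmp.$$"
    sed -e '/^[[:space:]]*SSLProtocol[[:space:]]/{' \
        -e '/-[Ss][Ss][Ll][Vv]3/!s/[[:space:]]*$/ -SSLv3/' \
        -e '}' "$file" > "$tmp"
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"
        echo unchanged
    else
        cp -p "$file" "$file.bak-poodle"   # keep a copy of the original
        mv "$tmp" "$file"
        echo changed
    fi
}

# Make sure a miniserv.conf (Webmin or Usermin) carries ssl_version=10,
# replacing any other ssl_version value rather than adding a duplicate key.
# Prints "changed" or "unchanged".
harden_miniserv() {
    file="$1"
    if grep -q '^ssl_version=10$' "$file"; then
        echo unchanged
    elif grep -q '^ssl_version=' "$file"; then
        cp -p "$file" "$file.bak-poodle"
        tmp="$file.tmp.$$"
        sed -e 's/^ssl_version=.*$/ssl_version=10/' "$file" > "$tmp"
        mv "$tmp" "$file"
        echo changed
    else
        cp -p "$file" "$file.bak-poodle"
        printf 'ssl_version=10\n' >> "$file"
        echo changed
    fi
}

# Optional check after the restart: returns 0 if HOST:PORT still completes
# an SSLv3 handshake, 1 if it is refused. Needs an OpenSSL built with SSLv3
# support (1.0.x era); newer builds reject the -ssl3 option outright, which
# also yields a non-zero status, so read the output in that case.
sslv3_handshake_accepted() {
    openssl s_client -connect "$1:$2" -ssl3 </dev/null >/dev/null 2>&1
}

# Apply to the real files when run as:  sh harden-poodle.sh apply
if [ "${1:-}" = "apply" ]; then
    for f in /etc/httpd/conf.d/ssl.conf /etc/httpd/conf/httpd.conf \
             /etc/apache2/mods-enabled/ssl.conf; do
        [ -f "$f" ] && printf '%s: %s\n' "$f" "$(harden_apache_sslprotocol "$f")"
    done
    for f in /etc/webmin/miniserv.conf /etc/usermin/miniserv.conf; do
        [ -f "$f" ] && printf '%s: %s\n' "$f" "$(harden_miniserv "$f")"
    done
    echo "Now restart httpd/apache2, webmin and usermin as described above."
fi
```

Run it once with `apply`, restart the services, then call `sslv3_handshake_accepted yourhost 443` (and port 10000 for Webmin); a clean result is a non-zero exit, meaning the SSLv3 handshake was refused.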
Would the same procedure apply to Usermin as well?
On all of my CentOS 6 & 7 boxes, "SSLProtocol ALL -SSLv2" is also declared in the /etc/httpd/conf/httpd.conf file, so it must be changed in this location as well.
Thanks for the heads up about this! While I didn't notice that on our main Virtualmin server, I'll review some other CentOS systems to see if that's common.
-Eric
That line is in my http.conf as well. Do I need to add -SSLv3 ?
SSLProtocol ALL -SSLv2
Not declared in my httpd.conf running Virtualmin on CentOS Linux 5.11
Hello,
I was wondering what could be done for Postfix and Dovecot SSL connections. I found this:
https://linode.com/docs/security/security-patches/disabling-sslv3-for-po... https://www.digitalocean.com/community/tutorials/how-to-protect-your-ser...
Describing more or less what has been said here for Apache and adding some info for Postfix and Dovecot.
For Postfix, they mention 2 options related to the way you are running it, either "opportunistic SSL" or "mandatory SSL", but because I mainly use Virtualmin to set up my servers, I have trouble understanding the relationship between these 2 modes and the Virtualmin parameters. Could somebody give me some pointers about the parameters in Virtualmin that make my Postfix SSL "opportunistic" or "mandatory"?
Thanks. Pierre.
There is a conflict going on with Webmin and Usermin when using only PCI secure protocols.
If you are using PCI protocols, Webmin uses the following:
ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:!MD5:!SSLv2:+SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
Notice the +SSLv3 --- if you change that to the required !SSLv3, you can't connect to Webmin or Usermin.
Secure Connection Failed
An error occurred during a connection to server1.ehostsource.com:10000. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
How do you solve this issue?
I found the solution to the PCI cyphers in Usermin and Webmin...
Set the following in miniserv.conf:
ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!SSLv2:!SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
This makes the PCI scan pass.
hmm, that's not pasting right
disable the SSLv3 --> !SSLv3
then add next to the first TLS --> :+TLSv1.1:+TLSv1.2
If I add the suggested ssl_cipher_list in my miniserv.conf for webmin I get:
ssl_error_no_cypher_overlap
so back to ssl_version=10.
That cypher list isn't pasting right -- it's missing a couple cyphers
see https://www.borgnet.net/cypher.txt for the right lines to add to miniserv
It sounds like there isn't a good way to solve this problem by changing the ciphers in Webmin and Usermin (though I read your post after I posted this, and sounds like you may have gotten that very thing working!).
However, the "ssl_version=10 " setting mentioned above will effectively disable SSLv2 and SSLv3 in Webmin and Usermin. Will that do what you're after?
There's a Webmin bug report open that discusses that here:
http://sourceforge.net/p/webadmin/bugs/4487/
I don't have a SF account so I can't add what PCI will require now.
Eric, you got Google Talk? Add me if you do -- sgrayban
If anyone wants to contact me about the PCI issue, add sgrayban@gmail.com to your Google Talk.
This will remove poodle vulnerability risk for webmin and usermin.
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+SSLv3:!SSLv2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
Note: The cipher and the protocol are distinct.
TLS1, for example, can use SSLv3 ciphers. For this reason it must be included in ssl_cipher_list to work correctly.
As for the protocols this explicitly denies SSLv3 and SSLv2.
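The "no common encryption algorithm(s)" failure reported earlier in the thread and the note just above are the same point seen from two sides: in an OpenSSL cipher string, SSLv3 is not a protocol switch but the name of the cipher suites first defined for SSL 3.0 (AES256-SHA, AES128-SHA, DES-CBC3-SHA and friends), and those suites are also what TLS 1.0 to 1.2 clients offer. Putting !SSLv3 into ssl_cipher_list therefore strips them from every protocol version, and if those were the only suites the client and server had in common, the handshake fails; the protocol must be disabled through ssl_version (or SSLProtocol in Apache) instead. The script below is an added example, not code from the thread or from Webmin: it uses the local `openssl ciphers -v` output to show what a given cipher string actually leaves behind, grouped by the minimum protocol version OpenSSL tags each suite with. Function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): inspect OpenSSL cipher strings to
# see the difference between the SSLv3 *cipher suite* keyword and the
# SSLv3 *protocol*. Needs the openssl command line tool.

# Expand a cipher string into one suite per line, as "openssl ciphers -v"
# prints it: name, minimum protocol version, Kx=, Au=, Enc=, Mac=.
# An invalid string yields no output instead of aborting the caller.
expand_cipher_string() {
    openssl ciphers -v "$1" 2>/dev/null || true
}

# Count the suites in a cipher string whose minimum version (second column)
# equals $2, e.g. SSLv3, TLSv1 or TLSv1.2.
count_by_min_version() {
    expand_cipher_string "$1" | awk -v v="$2" '$2 == v {n++} END {print n+0}'
}

# Summarise a cipher string: how many suites remain per minimum version.
# Useful before pasting a list into miniserv.conf or SSLCipherSuite.
summarise_cipher_string() {
    printf 'cipher string: %s\n' "$1"
    expand_cipher_string "$1" | awk '{n[$2]++} END {for (v in n) printf "  %-8s %d suites\n", v, n[v]}'
}

# Report whether a cipher string would remove every SSL3-era suite, which
# is what caused the "no common encryption algorithm(s)" error in the thread
# for clients that only offered those suites.
strips_ssl3_era_suites() {
    [ "$(count_by_min_version "$1" SSLv3)" -eq 0 ]
}

# Demonstration when run directly (not during the test harness).
if [ "${1:-}" = "demo" ]; then
    # Constructed sample strings: the same suite list with and without !SSLv3.
    for s in 'AES256-SHA:AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256' \
             'AES256-SHA:AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:!SSLv3'; do
        summarise_cipher_string "$s"
        if strips_ssl3_era_suites "$s"; then
            echo '  -> no SSL3-era suites left; TLS 1.0/1.1 clients lose their CBC-SHA1 suites'
        else
            echo '  -> SSL3-era suites kept; disable the SSLv3 protocol via ssl_version instead'
        fi
    done
fi
```

Run `sh ciphers.sh demo` to see the two summaries side by side. The second string reports zero SSLv3-tagged suites although no protocol was mentioned, which is exactly why the !SSLv3 cipher list locked people out while ssl_version=10 did not.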
I found a site that really helped getting everything secured with apache. I know this has been beaten to death but these cyphers and settings are what you need to pass PCI and secure against all the current hacks with apache...
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:MEDIUM:+TLSv1:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
SSLHonorCipherOrder on
SSLCompression Off
SSLProtocol all -SSLv2 -SSLv3
You can see the results by testing my billing server at https://www.ssllabs.com/ssltest/analyze.html?d=borgnet.net&hideResults=on
The only issue is the current cert was issued using SHA1 but that will not make the PCI scan fail but give you a warning that SHA1 certs will not be allowed after 2014.
I can't get this to work on my CentOS 6 VirtualMin.
I have this on my /etc/webmin/miniserv.conf
try this
ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
I have the CA cert installed... if I install this chain cert, it will replace the CA one. How do I install this chain certificate?
When I check here https://ssltools.geotrust.com/checker/views/certCheck.jsp it shows SAFE from Poodle & Heartbleed, but I'm getting one issue:
look in your SSL section -- look at the tabs -- the end one is what you are looking for
Thanks ... Resolved!
I wonder whether the solution offered on http://unix.stackexchange.com/questions/162478/how-to-disable-sslv3-in-a... for CentOS/RHEL 6.x:
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
is more complete, as it disables all protocols and enables only the recommended +TLSv1 +TLSv1.1 +TLSv1.2 protocols? Or is it the same as
SSLProtocol all -SSLv2 -SSLv3
allsupported wrote that summary https://www.allsupported.com/virtualmin-ssl-v3-poodle-fixvirtualmin-ssl-...
It's based on this ticket
- - -
Senior Product Manager, and Co-Founder at Ubertus.org Inc.
Love back your Virtualmin & Webmin community
Since Version 1.720 (24th November 2014)