Mitigating Poodle / SSL 3.0 Issue

#1 Thu, 10/16/2014 - 14:50
andreychek

Mitigating Poodle / SSL 3.0 Issue

It was recently discovered that SSL 3.0 is vulnerable to a man-in-the-middle attack, a method dubbed "Poodle". That's part of CVE-2014-3566, which is described here:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

The problem is within the SSL protocol itself, and thus, it is recommended that SSL 3.0 be disabled.

The following describes how to do that:

Apache

In RHEL/CentOS, edit /etc/httpd/conf.d/ssl.conf.

In Ubuntu/Debian, edit /etc/apache2/mods-enabled/ssl.conf.

Look for a line beginning with SSLProtocol; it should look something like this:

SSLProtocol all -SSLv2

You need to modify it to look like this:

SSLProtocol all -SSLv2 -SSLv3

And then restart Apache:

RHEL/CentOS: /etc/init.d/httpd restart

Ubuntu/Debian: /etc/init.d/apache2 restart

Webmin/Virtualmin

Webmin will correct this issue automatically in the future. In the meantime, to disable SSLv3, edit this file:

/etc/webmin/miniserv.conf

And add the following line to the end:

ssl_version=10

Then restart Webmin:

/etc/init.d/webmin restart

Usermin

Edit this file:

/etc/usermin/miniserv.conf

And add the following line to the end:

ssl_version=10

Then restart Usermin:

/etc/init.d/usermin restart

Thu, 10/16/2014 - 17:19
lp86

Would the same procedure apply to Usermin as well?

Thu, 10/16/2014 - 23:33
lp86

On all of my CentOS 6 & 7 boxes, "SSLProtocol ALL -SSLv2" is also declared in /etc/httpd/conf/httpd.conf, so it must be changed in that location as well.

Fri, 10/17/2014 - 10:26 (Reply to #3)
andreychek

Thanks for the heads up about this! While I didn't notice that on our main Virtualmin server, I'll review some other CentOS systems to see if that's common.

-Eric

Thu, 10/30/2014 - 02:56 (Reply to #4)
jmunjr

That line is in my httpd.conf as well. Do I need to add -SSLv3?

SSLProtocol ALL -SSLv2

Sat, 10/18/2014 - 20:00 (Reply to #5)
vectorsites

Not declared in my httpd.conf running Virtualmin on CentOS Linux 5.11

Tue, 10/21/2014 - 03:56
Pierrot

Hello,

I was wondering what could be done for Postfix and Dovecot SSL connections. I found this:

https://linode.com/docs/security/security-patches/disabling-sslv3-for-po... https://www.digitalocean.com/community/tutorials/how-to-protect-your-ser...

Describing more or less what has been said here for Apache, and adding some info for Postfix and Dovecot.

For Postfix, they mention 2 options related to the way you are running it, either "opportunistic SSL" or "mandatory SSL", but because I mainly use Virtualmin to set up my servers, I have trouble understanding the relationship between these 2 modes and the Virtualmin parameters. Could somebody give me some pointers about the parameters in Virtualmin that make my Postfix SSL "opportunistic" or "mandatory"?

Thanks. Pierre.
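Pierre's question is really about which Postfix parameter decides the mode. The following is an added example (my own, not from the thread, Virtualmin or Postfix): it reads a main.cf and reports whether the SMTP server is in opportunistic or mandatory mode and which protocol-list parameter therefore has to carry the SSLv3 exclusion. The parameter names are Postfix's own (smtpd_tls_security_level, smtpd_tls_protocols, smtpd_tls_mandatory_protocols, plus the legacy smtpd_use_tls and smtpd_enforce_tls booleans); the two main.cf files it writes are constructed for the demo, and the audit deliberately treats an unset protocol list as unverified rather than guessing the compiled-in default.

```shell
#!/bin/sh
# Added example, not from the thread: decide from a Postfix main.cf whether the
# SMTP server runs "opportunistic" or "mandatory" TLS, and which parameter
# therefore governs the protocol list. Parameter names are Postfix's own; the
# two main.cf files written by write_samples are constructed for the demo.

# Print a main.cf parameter's value, "" if unset. $1 = file, $2 = parameter
pf_param() {
    # last assignment wins, as in Postfix itself
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Effective server-side TLS mode: none | opportunistic | mandatory
postfix_smtpd_mode() {
    level=$(pf_param "$1" smtpd_tls_security_level)
    if [ -z "$level" ]; then
        # Legacy booleans are honoured only when no security level is set.
        if [ "$(pf_param "$1" smtpd_enforce_tls)" = yes ]; then level=encrypt
        elif [ "$(pf_param "$1" smtpd_use_tls)" = yes ]; then level=may
        else level=none
        fi
    fi
    case "$level" in
        none) echo none ;;
        may)  echo opportunistic ;;
        *)    echo mandatory ;;   # encrypt and the stricter levels
    esac
}

# Name of the protocol-list parameter that applies in that mode.
postfix_protocol_param() {
    case "$(postfix_smtpd_mode "$1")" in
        opportunistic) echo smtpd_tls_protocols ;;
        mandatory)     echo smtpd_tls_mandatory_protocols ;;
        *)             echo "" ;;
    esac
}

# "ok" if the governing list excludes SSLv3 (or lists only TLS versions),
# "sslv3-allowed" otherwise, "none" if TLS is off altogether.
postfix_sslv3_check() {
    param=$(postfix_protocol_param "$1")
    if [ -z "$param" ]; then echo none; return 0; fi
    protos=$(pf_param "$1" "$param")
    case "$protos" in
        *'!SSLv3'*) echo ok ;;             # explicit exclusion
        '')         echo sslv3-allowed ;;  # unset: default varies by version, treat as unverified
        *SSLv3*)    echo sslv3-allowed ;;  # listed positively
        *'!'*)      echo sslv3-allowed ;;  # exclusions that do not name SSLv3
        *)          echo ok ;;             # positive list of TLS versions only
    esac
}

# Constructed samples: $1 opportunistic with no protocol list yet,
# $2 mandatory with the exclusion already in the right parameter.
write_samples() {
    cat > "$1" <<'EOF'
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/example.pem
EOF
    cat > "$2" <<'EOF'
smtpd_tls_security_level = encrypt
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
EOF
}

demo() {
    d=$(mktemp -d)
    write_samples "$d/opportunistic.cf" "$d/mandatory.cf"
    for f in "$d/opportunistic.cf" "$d/mandatory.cf"; do
        printf '%-18s mode=%-13s set-in=%-30s sslv3=%s\n' "$(basename "$f")" \
            "$(postfix_smtpd_mode "$f")" "$(postfix_protocol_param "$f")" \
            "$(postfix_sslv3_check "$f")"
    done
    rm -rf "$d"
}
demo
```

Run it against a real /etc/postfix/main.cf by calling the three functions with that path instead of the constructed files; the output names the exact parameter to edit, which is what the opportunistic/mandatory distinction in the linked guides comes down to.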

Tue, 10/21/2014 - 15:44
sgrayban

There is a conflict between Webmin/Usermin and using only PCI-secure protocols.

If you are using PCI protocols webmin uses the following:

ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:!MD5:!SSLv2:+SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM

Notice the +SSLv3. If you change that to the required !SSLv3, you can't connect to Webmin or Usermin:

Secure Connection Failed

An error occurred during a connection to server1.ehostsource.com:10000. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

How do you solve this issue?

Tue, 10/21/2014 - 16:09
sgrayban

I found the solution to the PCI ciphers in Usermin and Webmin...

Set the following in miniserv.conf:

ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!SSLv2:!SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM

This makes the PCI scan pass.

Tue, 10/21/2014 - 16:12 (Reply to #9)
sgrayban

Hmm, that's not pasting right.

disable the SSLv3 --> !SSLv3

then add next to the first TLS --> :+TLSv1.1:+TLSv1.2

Tue, 10/21/2014 - 16:27 (Reply to #10)
Pierrot

If I add the suggested ssl_cipher_list in my miniserv.conf for webmin I get:

ssl_error_no_cypher_overlap

so back to ssl_version=10.

Tue, 10/21/2014 - 16:35 (Reply to #11)
sgrayban

That cipher list isn't pasting right -- it's missing a couple of ciphers.

Tue, 10/21/2014 - 16:39 (Reply to #12)
sgrayban

see https://www.borgnet.net/cypher.txt for the right lines to add to miniserv

Tue, 10/21/2014 - 16:12
andreychek

It sounds like there isn't a good way to solve this problem by changing the ciphers in Webmin and Usermin (though I read your post after I posted this, and sounds like you may have gotten that very thing working!).

However, the "ssl_version=10" setting mentioned above will effectively disable SSLv2 and SSLv3 in Webmin and Usermin. Will that do what you're after?

There's a Webmin bug report open that discusses that here:

http://sourceforge.net/p/webadmin/bugs/4487/

Tue, 10/21/2014 - 16:40 (Reply to #14)
sgrayban

I don't have an SF account, so I can't add what PCI will require now.

Tue, 10/21/2014 - 16:18
sgrayban

Eric, do you have Google Talk? Add me if you do -- sgrayban

Tue, 10/21/2014 - 16:44 (Reply to #16)
sgrayban

If anyone wants to contact me about the PCI issue, add sgrayban@gmail.com to your Google Talk.

Wed, 11/12/2014 - 00:46
martlam

This will remove the POODLE vulnerability risk for Webmin and Usermin.

ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+SSLv3:!SSLv2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM

Note: the cipher and the protocol are distinct.

TLSv1, for example, can use SSLv3 ciphers. For this reason it must be included in ssl_cipher_list to work correctly.

As for the protocols, this explicitly denies SSLv3 and SSLv2.
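The confusion in the posts above is between two separate settings, and the audit below (an added example, not part of the thread or of Webmin) makes the distinction concrete: it reads a miniserv.conf, reports the protocol side (ssl_version) and the cipher side (ssl_cipher_list) separately, and rewrites the cipher string without its SSLv3 tokens. In OpenSSL cipher-string syntax SSLv3 is a cipher-suite alias carried by every suite usable under TLS 1.0/1.1, which is why !SSLv3 in ssl_cipher_list leaves only TLS 1.2 suites and produces ssl_error_no_cypher_overlap. The sample file is constructed from the lines quoted earlier in the thread; the openssl ciphers call is display-only and assumes an openssl binary on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Webmin/Usermin miniserv.conf for
# the two separate knobs the posts above conflate. ssl_version=10 is the
# protocol setting the thread uses to turn SSLv2/SSLv3 off; ssl_cipher_list is
# an OpenSSL cipher string, in which "SSLv3" is a cipher-suite alias, not a
# protocol switch. Every suite usable under TLS 1.0/1.1 carries that alias, so
# "!SSLv3" in the cipher list discards all of them and leaves only TLS 1.2-only
# suites, which is what produced ssl_error_no_cypher_overlap.
# The config written by write_sample_miniserv is constructed from thread quotes.

# Print the value of a miniserv.conf key, "" if absent. $1 = file, $2 = key
ms_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Protocol side: "tls-only" when ssl_version=10 (the thread's setting),
# "default" when unset, otherwise "other:<value>".
ms_protocol_status() {
    v=$(ms_get "$1" ssl_version)
    if [ "$v" = 10 ]; then echo tls-only
    elif [ -z "$v" ]; then echo default
    else echo "other:$v"
    fi
}

# True if the colon-separated cipher string $1 contains the exact token $2.
cipher_list_has() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -Fxq -- "$2"
}

# Cipher side: "default" when no list is set, "strips-tls10" when the list
# contains !SSLv3 (only TLS 1.2 suites survive), otherwise "ok".
ms_cipher_status() {
    list=$(ms_get "$1" ssl_cipher_list)
    if [ -z "$list" ]; then echo default
    elif cipher_list_has "$list" '!SSLv3'; then echo strips-tls10
    else echo ok
    fi
}

# Print $1 with the !SSLv3 and +SSLv3 tokens removed: the protocol decision
# belongs in ssl_version, the cipher list should not try to make it.
cipher_list_without_sslv3() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -Fxv -e '!SSLv3' -e '+SSLv3' | paste -s -d ':' -
}

# Display only: how many suites each string selects on this host's OpenSSL.
# Counts vary by OpenSSL version (1.1+ also prints its TLS 1.3 suites).
show_cipher_counts() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return 0; }
    for l in "$@"; do
        n=$(openssl ciphers -v "$l" 2>/dev/null | wc -l)
        printf '%4s suites <- %s\n' "$n" "$l"
    done
}

# Constructed sample built from the miniserv.conf lines quoted in the thread.
write_sample_miniserv() {
    cat > "$1" <<'EOF'
ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:!MD5:!SSLv2:!SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
root=/usr/libexec/webmin
ssl_version=10
EOF
}

demo() {
    d=$(mktemp -d)
    write_sample_miniserv "$d/miniserv.conf"
    list=$(ms_get "$d/miniserv.conf" ssl_cipher_list)
    echo "protocol: $(ms_protocol_status "$d/miniserv.conf")"
    echo "ciphers:  $(ms_cipher_status "$d/miniserv.conf")"
    echo "repaired: $(cipher_list_without_sslv3 "$list")"
    show_cipher_counts "$list" "$(cipher_list_without_sslv3 "$list")"
    rm -rf "$d"
}
demo
```

Point the functions at /etc/webmin/miniserv.conf or /etc/usermin/miniserv.conf to audit a live install. On a 2014-era OpenSSL the openssl ciphers counts make the problem visible: the list with !SSLv3 resolves to a handful of TLS 1.2 suites, the repaired list to dozens, and the protocol restriction is still enforced by ssl_version=10 alone.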

Sat, 11/22/2014 - 07:18
sgrayban

I found a site that really helped getting everything secured with Apache. I know this has been beaten to death, but these ciphers and settings are what you need to pass PCI and secure against all the current hacks with Apache...

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:MEDIUM:+TLSv1:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

SSLHonorCipherOrder on
SSLCompression Off
SSLProtocol all -SSLv2 -SSLv3

You can see the results by testing my billing server at https://www.ssllabs.com/ssltest/analyze.html?d=borgnet.net&hideResults=on

The only issue is that the current cert was issued using SHA1, but that will not make the PCI scan fail; it will just give you a warning that SHA1 certs will not be allowed after 2014.

Wed, 12/31/2014 - 08:43
mehargags

I can't get this to work on my CentOS 6 VirtualMin.

I have this in my /etc/webmin/miniserv.conf:

anonymous=/virtualmin-mailman/unauthenticated=anonymous
ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:!MD5:!SSLv2:!SSLv3:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
logouttimes=
root=/usr/libexec/webmin
mimetypes=/usr/libexec/webmin/mime.types
server=MiniServ/1.690

ssl_version=10

Wed, 12/31/2014 - 19:29
sgrayban

Try this:

ssl_cipher_list=ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM

Thu, 01/01/2015 - 01:29
mehargags

I have the CA cert installed... if I install this chain cert, it will replace the CA one. How do I install this chain certificate?

When I check here https://ssltools.geotrust.com/checker/views/certCheck.jsp it shows SAFE from Poodle & Heartbleed, but I'm getting one issue:

Recommendations
Update your certificate chain.
Your certificate chain is valid, but some older browsers may not recognize it. To support older browsers, download and install the missing intermediate certificate.

Thu, 01/01/2015 - 03:21
sgrayban

look in your SSL section -- look at the tabs -- the end one is what you are looking for

Fri, 01/02/2015 - 01:17
mehargags

Thanks ... Resolved!

Fri, 04/03/2015 - 01:47
yngens

I wonder whether the solution offered on http://unix.stackexchange.com/questions/162478/how-to-disable-sslv3-in-a... for CentOS/RHEL 6.x:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

is more complete, as it disables all protocols and enables only the recommended +TLSv1 +TLSv1.1 +TLSv1.2 protocols? Or is it the same as SSLProtocol all -SSLv2 -SSLv3?
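To answer yngens's question, and to catch lp86's second-directive case from earlier in the thread, here is an added example (not from the thread, Apache or Virtualmin) that expands an SSLProtocol argument list the way mod_ssl reads it (all, +X, -X, bare X, case-insensitive) and scans config files for directives that still enable SSLv3. The expansion assumes the widest historical meaning of all (SSLv2 through TLSv1.2), which over-approximates on Apache 2.4, where SSLv2 no longer exists, and on pre-1.0.1 OpenSSL, which lacks TLSv1.1/1.2; for an audit that pessimism is the safe direction. The two config files it writes are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: expand an Apache SSLProtocol directive
# into the protocol versions it actually enables, then scan config files for
# directives that still leave SSLv3 on (lp86's httpd.conf case).
# Assumption: "all" is expanded to its widest historical meaning
# (SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2), over-approximating what a given
# Apache/OpenSSL build can really offer.

# Lower-case helper (POSIX sh has no ${var,,}).
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Map a protocol name in any case to the flag variable used below; "" if unknown.
proto_key() {
    case "$(lc "$1")" in
        sslv2)   echo sslv2 ;;
        sslv3)   echo sslv3 ;;
        tlsv1)   echo tlsv1 ;;
        tlsv1.1) echo tlsv11 ;;
        tlsv1.2) echo tlsv12 ;;
        *)       echo "" ;;
    esac
}

# Expand the arguments of one SSLProtocol directive, e.g.
#   ssl_protocol_expand all -SSLv2 -SSLv3
# Prints the enabled versions in a fixed order on one line.
ssl_protocol_expand() {
    sslv2=0; sslv3=0; tlsv1=0; tlsv11=0; tlsv12=0
    for tok in "$@"; do
        case "$tok" in
            -*) op=0; name=${tok#-} ;;   # -X removes X
            +*) op=1; name=${tok#+} ;;   # +X adds X
            *)  op=1; name=$tok ;;       # bare X adds X
        esac
        if [ "$(lc "$name")" = all ]; then
            for k in sslv2 sslv3 tlsv1 tlsv11 tlsv12; do eval "$k=$op"; done
            continue
        fi
        key=$(proto_key "$name")
        if [ -z "$key" ]; then
            echo "warning: unknown SSLProtocol token '$tok'" >&2
            continue
        fi
        eval "$key=$op"
    done
    out=""
    [ "$sslv2"  = 1 ] && out="$out SSLv2"
    [ "$sslv3"  = 1 ] && out="$out SSLv3"
    [ "$tlsv1"  = 1 ] && out="$out TLSv1"
    [ "$tlsv11" = 1 ] && out="$out TLSv1.1"
    [ "$tlsv12" = 1 ] && out="$out TLSv1.2"
    echo "${out# }"
}

# Scan Apache config files for SSLProtocol directives. Prints one line per
# directive:  file:lineno <TAB> enabled-protocols <TAB> ok|sslv3-enabled
scan_ssl_protocol() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -niE '^[[:space:]]*SSLProtocol[[:space:]]' "$f" |
        while IFS=: read -r ln rest; do
            # drop the directive name, keep its arguments
            args=$(printf '%s\n' "$rest" | sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//')
            enabled=$(ssl_protocol_expand $args)   # unquoted on purpose: split into tokens
            case " $enabled " in
                *' SSLv2 '*|*' SSLv3 '*) verdict=sslv3-enabled ;;
                *)                       verdict=ok ;;
            esac
            printf '%s:%s\t%s\t%s\n' "$f" "$ln" "$enabled" "$verdict"
        done
    done
}

# Constructed samples reproducing the thread: ssl.conf already fixed,
# httpd.conf still carrying the distribution's original directive.
write_sample_apache() {
    cat > "$1/ssl.conf" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
EOF
    cat > "$1/httpd.conf" <<'EOF'
# second directive elsewhere, as lp86 found on CentOS 6/7
SSLProtocol ALL -SSLv2
EOF
}

demo() {
    d=$(mktemp -d)
    write_sample_apache "$d"
    echo "all -SSLv2 -SSLv3             -> $(ssl_protocol_expand all -SSLv2 -SSLv3)"
    echo "-All +TLSv1 +TLSv1.1 +TLSv1.2 -> $(ssl_protocol_expand -All +TLSv1 +TLSv1.1 +TLSv1.2)"
    scan_ssl_protocol "$d/ssl.conf" "$d/httpd.conf"
    rm -rf "$d"
}
demo
```

Both directives from the question expand to TLSv1 TLSv1.1 TLSv1.2, so on the OpenSSL builds in question they are equivalent. The difference is only in how they age: the -All +… whitelist never picks up a version a future all adds, while all -SSLv2 -SSLv3 does, so the whitelist is stricter and the blacklist is more forward-compatible. Run scan_ssl_protocol over /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/*.conf (or the Debian equivalents) to find the second directive lp86 ran into.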

Sun, 11/27/2016 - 11:57
Francewhoa

allsupported wrote this summary: https://www.allsupported.com/virtualmin-ssl-v3-poodle-fixvirtualmin-ssl-...

It's based on this ticket.

- - -
Senior Product Manager, and Co-Founder at Ubertus.org Inc.
Love back your Virtualmin & Webmin community

Sun, 11/27/2016 - 12:02
Francewhoa

Since Version 1.720 (24th November 2014):

SSL v2 and v3 are now disabled by default at Webmin install time, to block the POODLE attack. They can be re-enabled on the SSL Encryption page of the Webmin Configuration module.

- - -
Senior Product Manager, and Co-Founder at Ubertus.org Inc.
Love back your Virtualmin & Webmin community
