Virtualmin setup leaves webservers vulnerable to POODLE.

I have tried following the various mitigation guides from Red Hat and CentOS directly but apparently Virtualmin loads things differently.

Using this as a guide: https://access.redhat.com/solutions/1232413

The file /etc/httpd/conf.d/ssl.conf has a call to load a different module: LoadModule ssl_module modules/mod_ssl.so. I have found the /etc/httpd/conf.modules.d/00-ssl.conf file and added SSLProtocol All -SSLv2 -SSLv3 and restarted Apache and rebooted the machine. POODLE vulnerability still exists. Where do I go now to get this vulnerability resolved?

Status: Postponed

Comments

Howdy,

We're glad you got it working!

But yeah that's just a matter of tweaking the SSLProtocol option in Apache, there isn't anything unusual that Apache is doing in a Virtualmin environment.

We're hesitant to change the default Apache settings that are provided by the vendors (such as CentOS).

However, making those changes in Webmin and Usermin may be a possibility, and we'll look into whether that can be set up by default.

Status: Active » Postponed

The current Virtualmin release (5.05) disables older SSL versions, and the next release will allow you to configure which versions are allowed or disallowed.

Shouldn't SSLv3 NOT be included, at all? I hope that's what you mean. New web admins may not be aware of the severity of SSLv3 vulnerabilities, and may enable it as default, as that is the initial setting.

The default configuration of Virtualmin already disables SSLv2, v3 and TLS 1.0 and 1.1

Strange, because I installed it today and v3 was enabled there. I only signed up today.

Can you post the SSLProtocol line from the Apache Virtualhost in which v3 is still being accepted?
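
An added example, not part of the thread and not Virtualmin's or Apache's own code: a check for the situation discussed above, where a server-wide SSLProtocol line is set but an individual VirtualHost may still accept SSLv3. It assumes a vhost's own SSLProtocol line takes precedence over the server-wide one for that vhost; the sample configuration, addresses and hostnames are constructed.

```python
import re

# Constructed sample (not from the thread): a server-wide SSLProtocol line
# plus two vhosts, one of which carries its own SSLProtocol line.
SAMPLE_CONF = """\
SSLProtocol All -SSLv2 -SSLv3
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName blog.example.com
    SSLEngine on
</VirtualHost>
"""

def allows_sslv3(args):
    """Evaluate SSLProtocol arguments left to right.
    Assumptions: 'all' includes SSLv3 (this depends on the build), and a
    bare protocol name enables it (a conservative simplification)."""
    enabled = False
    for tok in args.lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name in ("all", "sslv3"):
            enabled = sign == "+"
    return enabled

def audit(conf_text):
    """Return {vhost: (scope of the effective SSLProtocol, SSLv3 allowed?)}.
    The second value is None when no SSLProtocol line applies at all."""
    server_wide, vhosts, current = None, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
            current = {"name": m.group(1).strip(), "proto": None}
        elif line.lower().startswith("</virtualhost") and current:
            vhosts.append(current)
            current = None
        elif (m := re.match(r"ServerName\s+(\S+)", line, re.I)) and current:
            current["name"] = m.group(1)
        elif m := re.match(r"SSLProtocol\s+(.+)", line, re.I):
            if current:
                current["proto"] = m.group(1)   # per-vhost setting
            else:
                server_wide = m.group(1)        # applies where no vhost line exists
    report = {}
    for vh in vhosts:
        args = vh["proto"] or server_wide
        scope = "vhost" if vh["proto"] else "server-wide"
        report[vh["name"]] = (scope, allows_sslv3(args) if args else None)
    return report

if __name__ == "__main__":
    for name, (scope, sslv3) in audit(SAMPLE_CONF).items():
        print(f"{name}: SSLProtocol from {scope}, SSLv3 allowed: {sslv3}")
```

On a real server, feed `audit()` the concatenated contents of the Apache configuration files that hold the VirtualHost blocks, then confirm the result with an external protocol scan.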