Submitted by hescominsoon on Wed, 10/12/2016 - 08:36 Pro Licensee
I have tried following the various mitigation guides from redhat and centos directly but apparently Virtualmin loads things differently.
Using this as a guide: https://access.redhat.com/solutions/1232413
The file /etc/httpd/conf.d/ssl.conf has a call to load a different module: LoadModule ssl_module modules/mod_ssl.so. I have found the /etc/httpd/conf.modules.d/00-ssl.conf file and added SSLProtocol All -SSLv2 -SSLv3, restarted Apache and rebooted the machine. The POODLE vulnerability still exists. Where do I go now to get this vulnerability resolved?
Status:
Postponed
Comments
Submitted by hescominsoon on Wed, 10/12/2016 - 08:39 Pro Licensee Comment #1
Found it: https://www.virtualmin.com/node/34811
Virtualmin needs to make this mitigation part of its default configuration ASAP.
Submitted by andreychek on Wed, 10/12/2016 - 09:25 Comment #2
Howdy,
We're glad you got it working!
But yeah, that's just a matter of tweaking the SSLProtocol option in Apache; there isn't anything unusual that Apache is doing in a Virtualmin environment.
We're hesitant to change the default Apache settings that are provided by the vendors (such as CentOS).
However, making those changes in Webmin and Usermin may be a possibility, and we'll look into whether that can be setup by default.
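The point in the two comments above is that the whole mitigation is the SSLProtocol directive, and that a directive added in a global file (ssl.conf or 00-ssl.conf) is silently overridden by any SSLProtocol line inside a VirtualHost block. The script below is an added example, not code from this thread or from Virtualmin: it evaluates an SSLProtocol value with mod_ssl's left-to-right "+name / -name / bare name" rules and then audits config files scope by scope, so a hardened global line next to an unhardened per-domain vhost shows up immediately. The two config excerpts, the address 203.0.113.10 and the name example.com are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Virtualmin thread or product: audit Apache
# SSLProtocol directives and flag any scope where SSLv3 is still negotiable.
# The two config excerpts below are constructed for this example.

# Evaluate an SSLProtocol argument string with mod_ssl's rules: tokens are
# processed left to right, "+name" adds, "-name" removes, a bare name resets
# the set to that protocol only, and "all" covers every version the OpenSSL
# build supports, SSLv3 included on builds that still have it.
# Exit status 0 means SSLv3 survives, 1 means it is excluded.
sslv3_allowed() {
  enabled=0
  for tok in $1; do
    case "$tok" in
      +*|-*) name=${tok#?}; action=${tok%"$name"} ;;
      *)     name=$tok;     action=set ;;
    esac
    name=$(printf '%s\n' "$name" | tr '[:upper:]' '[:lower:]')
    case "$name" in
      all|sslv3) hit=1 ;;
      *)         hit=0 ;;
    esac
    case "$action" in
      -)   if [ "$hit" -eq 1 ]; then enabled=0; fi ;;
      +)   if [ "$hit" -eq 1 ]; then enabled=1; fi ;;
      set) enabled=$hit ;;
    esac
  done
  [ "$enabled" -eq 1 ]
}

# Walk one config file, tracking whether we are inside a <VirtualHost> block,
# and print one tab-separated line per SSLProtocol directive:
#   file  scope  "value"  SSLv3=allowed|blocked
# Only the SSLProtocol spelling used in stock CentOS/Virtualmin configs is
# matched; Apache itself treats directive names case-insensitively.
audit_conf() {
  scope=server
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line#"${line%%[![:space:]]*}"}      # drop leading whitespace
    case "$line" in
      ''|\#*)             continue ;;
      '<VirtualHost '*)   scope=${line#"<VirtualHost "}; scope=${scope%">"} ;;
      '</VirtualHost>'*)  scope=server ;;
      SSLProtocol*)
        value=${line#SSLProtocol}
        value=${value#"${value%%[![:space:]]*}"}
        if sslv3_allowed "$value"; then status=allowed; else status=blocked; fi
        printf '%s\t%s\t"%s"\tSSLv3=%s\n' "$1" "$scope" "$value" "$status" ;;
    esac
  done < "$1"
}

# Constructed excerpts. The global directive is hardened, but the per-domain
# vhost carries its own SSLProtocol, which overrides the global one for that
# host: exactly the situation where a fix in ssl.conf "does not take".
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/ssl.conf" <<'EOF'
# constructed stand-in for /etc/httpd/conf.d/ssl.conf
Listen 443 https
SSLProtocol all -SSLv2 -SSLv3
<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>
EOF
cat > "$DEMO_DIR/example.com.conf" <<'EOF'
# constructed per-domain vhost (address and hostname are placeholders)
<VirtualHost 203.0.113.10:443>
    ServerName example.com
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
EOF

for f in "$DEMO_DIR"/*.conf; do audit_conf "$f"; done
```

On a real host, run audit_conf over /etc/httpd/conf.d/*.conf and whatever files Apache includes for the per-domain vhosts; any line reported as "SSLv3=allowed" inside a VirtualHost scope needs "-SSLv3" added there (or in the template that generates the vhosts), because a global line elsewhere will not reach it. After restarting httpd, confirm from outside with a client that still speaks SSLv3, for example "openssl s_client -connect host:443 -ssl3" (only works if your openssl binary was built with SSLv3 enabled) or "nmap --script ssl-enum-ciphers -p 443 host"; a scanner that has lost SSLv3 support will report the server as fixed regardless of its configuration.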
Submitted by hescominsoon on Wed, 02/08/2017 - 19:38 Pro Licensee Comment #3
Submitted by JamieCameron on Wed, 02/08/2017 - 20:58 Comment #4
The current Virtualmin release (5.05) disables older SSL versions, and the next release will allow you to configure which versions are allowed or disallowed.
Submitted by korefuji on Fri, 02/24/2017 - 10:13 Comment #5
Shouldn't SSLv3 NOT be included, at all? I hope that's what you mean. New web admins may not be aware of the severity of SSLv3 vulnerabilities, and may enable it by default, as that is the initial setting.
Submitted by JamieCameron on Fri, 02/24/2017 - 17:48 Comment #6
The default configuration of Virtualmin already disables SSLv2, v3 and TLS 1.0 and 1.1
Submitted by korefuji on Fri, 02/24/2017 - 19:23 Comment #7
Strange, because I installed it today and v3 was enabled there. I only signed up today.
Submitted by JamieCameron on Sat, 02/25/2017 - 15:56 Comment #8
Can you post the SSLProtocol line from the Apache VirtualHost in which v3 is still being accepted?