Coping with POODLE

#1 Thu, 10/16/2014 - 06:54
PaliGap

I am using Virtualmin Pro 4.11, CentOS Linux 6.5 and Apache version 2.2.15.

I am trying to adapt to the new "POODLE" SSL issue. So I am trying to disable SSL and use TLS. I notice that in httpd.conf I have these two lines:

SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

That suggests to me that globally, SSLv2 is disabled. Maybe I just need to do this?

SSLProtocol ALL -SSLv2 -SSLv3
and
SSLCipherSuite HIGH:!SSLv2:!SSLv3:!ADH:!aNULL:!eNULL:!NULL

However I have virtual hosts with their own SSL certificates. If I go to 'services >> configure web site for SSL >> SSL options' I see all these protocols enabled:

SSL protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2

But why is SSLv2 enabled when it seems to be globally disabled?

Now if I deselect SSLv2 and SSLv3 I get a problem:

apachectl configtest :
Syntax error on line 4971 of /etc/httpd/conf/httpd.conf:
SSLProtocol: Illegal protocol 'TLSv1.1'

This relates to this in the virtualhost section:

SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2

So there seems to be a bit of a bug here.

Question: What is the best way to disable SSL in favour of TLS for the control panel, for web sites, for Dovecot & for Postfix?

Thu, 10/16/2014 - 09:27
andreychek

Howdy,

Yeah, it should be enough to just add this:

SSLProtocol ALL -SSLv2 -SSLv3

And then restart Apache.

You can use a command such as this to test if your server is communicating via SSLv3 or not:

openssl s_client -connect domain_with_ssl_cert.tld:443 -ssl3

It shouldn't work with that "-ssl3" flag at the end. If you get rid of that, you should see it work, and send along the SSL certificates.

-Eric

Thu, 10/16/2014 - 10:13
PaliGap

Thanks. Yes, just that one change does it (provided there aren't additional declarations in virtualhost sections).

However that didn't seem to solve the issue with Webmin logins. I looked in Webmin SSL configuration and I saw the option "Allowed SSL ciphers". I had this:

ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

So I've added !SSLv3 and that seems OK too now.

For Postfix I believe there is no issue unless the server is forcing SSL. In the case of Dovecot, I don't think I have SSL enabled (though perhaps I should!).
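
The trap in the first two posts is that a per-virtual-host SSLProtocol line replaces the global one, so "SSLProtocol ALL -SSLv2 -SSLv3" at the top of httpd.conf proves nothing about a vhost that carries its own directive. The script below is an added example, not code from the thread or from Virtualmin: it reads a config in the shape shown above, applies mod_ssl's token rules (ALL or a bare name sets the list, +name adds, -name removes) and reports the protocol set each context really ends up with. The sample config, the addresses and the hostnames are constructed; the two token sets are an assumption (three names for the httpd 2.2.15 build in the thread, which rejected "TLSv1.1" with the configtest error quoted in post #1, and five names for a newer httpd), and "ALL" is modelled simply as every name the build knows.

```python
import re
from typing import Dict, List, Optional, Set

# Names the httpd 2.2.15 build in the thread accepted (assumption);
# "TLSv1.1" made its configtest fail with "Illegal protocol".
APACHE_2_2_15_TOKENS = {"sslv2", "sslv3", "tlsv1"}
# Names understood by a newer httpd (assumption: Apache 2.4-style build).
MODERN_TOKENS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
WEAK = {"sslv2", "sslv3"}  # the protocols POODLE hardening must remove

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^</VirtualHost\s*>", re.I)
SSLPROTOCOL = re.compile(r"^SSLProtocol\s+(.+?)\s*$", re.I)


def parse_sslprotocol(value: str, known: Set[str]) -> Set[str]:
    """mod_ssl token rules: 'all' or a bare name replaces the set,
    '+name' adds, '-name' removes. Unknown names raise, mirroring
    the configtest error quoted in the thread."""
    enabled: Set[str] = set()
    for word in value.split():
        action, name = "", word
        if word[0] in "+-":
            action, name = word[0], word[1:]
        key = name.lower()
        if key == "all":
            chosen = set(known)  # simplification: 'all' = every name this build knows
        elif key in known:
            chosen = {key}
        else:
            raise ValueError(f"SSLProtocol: Illegal protocol '{name}'")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen
    return enabled


def effective_protocols(config_text: str, known: Set[str] = MODERN_TOKENS) -> Dict[str, Set[str]]:
    """Map each context to the protocol set it really runs with: a vhost with
    its own SSLProtocol replaces the global value, one without inherits it."""
    global_set: Optional[Set[str]] = None
    vhosts: Dict[str, Optional[Set[str]]] = {}
    current: Optional[str] = None
    count = 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            count += 1
            current = f"VirtualHost {count} ({m.group(1).strip()})"
            vhosts[current] = None
            continue
        if VHOST_CLOSE.match(line):
            current = None
            continue
        m = SSLPROTOCOL.match(line)
        if m:
            value = parse_sslprotocol(m.group(1), known)
            if current is None:
                global_set = value
            else:
                vhosts[current] = value
    if global_set is None:
        global_set = set(known)  # no directive at all: mod_ssl defaults to 'all'
    result = {"(global)": global_set}
    for name, value in vhosts.items():
        result[name] = global_set if value is None else value
    return result


def configtest(config_text: str, known: Set[str] = MODERN_TOKENS) -> Optional[str]:
    """First SSLProtocol error message, or None when every directive parses."""
    try:
        effective_protocols(config_text, known)
    except ValueError as err:
        return str(err)
    return None


def weak_contexts(config_text: str, known: Set[str] = MODERN_TOKENS) -> List[str]:
    """Contexts that still negotiate SSLv2 or SSLv3 once overrides are applied."""
    return sorted(name for name, protos in effective_protocols(config_text, known).items()
                  if protos & WEAK)


# Constructed sample in the shape of the thread's httpd.conf (not a real file).
SAMPLE_CONF = """\
SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

<VirtualHost 192.0.2.10:443>
    ServerName inherits.example
    SSLEngine on
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName panel-default.example
    SSLEngine on
    # per-vhost line as a panel writes it; it wins over the global one
    SSLProtocol +SSLv2 +SSLv3 +TLSv1
</VirtualHost>

<VirtualHost 192.0.2.12:443>
    ServerName tls-only.example
    SSLEngine on
    SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2
</VirtualHost>
"""

if __name__ == "__main__":
    for label, known in (("httpd 2.2.15 names", APACHE_2_2_15_TOKENS),
                         ("newer httpd names", MODERN_TOKENS)):
        err = configtest(SAMPLE_CONF, known)
        if err:
            print(f"{label}: configtest fails: {err}")
            continue
        for ctx, protos in effective_protocols(SAMPLE_CONF, known).items():
            flag = "  <-- still allows SSLv2/SSLv3" if protos & WEAK else ""
            print(f"{label}: {ctx}: {' '.join(sorted(protos))}{flag}")
```

Run against the sample with the three-name token set, it stops at the third vhost with the same "Illegal protocol 'TLSv1.1'" message post #1 saw; with the five-name set it parses and flags the global context, the vhost that inherits it, and the vhost that re-enables SSLv2 and SSLv3 on its own line. The openssl s_client -ssl3 check from the second post remains the final word, because it tests what the running server actually negotiates rather than what the file says.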

Thu, 03/05/2015 - 10:13
stheoret

I am new to this, so I tried to modify the ssl.conf / httpd.conf to include the restrictions about SSLv3, but when I edit and save the files, I can't restart Apache. I open and edit the files with gedit; is that the issue?

Even if I undo my changes and save the files, the errors are still showing... then I need to recover my virtual server in order to start Apache again... :(

Am I missing something? I am not really good at Linux....

Can we change those files safely without any issues with another kind of editor?

I am on CentOS 7, Virtualmin/Webmin GPL. Any help will be appreciated.

Thu, 03/05/2015 - 11:03
andreychek

Howdy,

What errors do you see in the Apache error log when that occurs? The error log is in /var/log/httpd/error_log.

-Eric

Thu, 03/05/2015 - 11:21 (Reply to #5)
stheoret

Hi!

I found on Google a way to do it 15 mins ago...

I edited the file with: sudo nano, and did not have any trouble restarting... I think that gedit (the editor) was the problem, by maybe including non-visible typos in the file...

So I changed the ssl.conf; do I have other files to change in order to get rid of this SSLv3 POODLE??

I saw that the SSL settings were actually set in Webmin to exclude SSLv3 and SSLv2 (checked).
