Why does virtualmin support SSLv3 when it's known for POODLE?

#1 Fri, 02/24/2017 - 09:54
korefuji

SSLv3 is severely and fundamentally broken - why is it enabled by default, or even included? I'm really surprised by this.

http://disablessl3.com/

In case you need a primer.

Sat, 02/25/2017 - 16:54
Diabolico

Because WinXP still holds third position among all OSes (Linux, Apple or Windows), and it would be smart not to cut them off. Now, why anyone would mention security and WinXP in the same sentence I don't know, but I'm sure there is more than one reason. So, as you see, disabling SSLv3 completely would not be a smart choice.

- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.

Sat, 02/25/2017 - 21:55
Joe

We don't make that decision for you...it depends on your distro's Apache package (we do provide a custom package for CentOS, but it is an identical rebuild with only one change, to make the suexec docroot point to /home). Some newer distros have it disabled by default. There have been a couple of tickets about disabling it by default, and I lean toward doing that in the next major version. I haven't talked it over with Jamie, but I think it's a reasonable choice.

So, in short, our philosophy has always been to trust your choice of distro, and to trust the upstream distro provider to do the right thing, with regard to security and other stuff (they have a lot more staff than we do, so they're much more likely to be right). But, for something like this, it may be worth over-ruling the distro decision (if the distro makes a poor choice). But, I don't believe current Debian or Ubuntu versions have this problem, and it can be disabled in CentOS pretty easily.

--

Check out the forum guidelines!

Sat, 02/25/2017 - 21:58
Joe

Here's the CentOS information about it:

https://wiki.centos.org/Security/POODLE
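The CentOS page linked above comes down to editing the SSLProtocol line in /etc/httpd/conf.d/ssl.conf and restarting httpd. As an added example (not from this thread and not Virtualmin's own code), the POSIX shell script below replays mod_ssl's SSLProtocol token semantics (a bare token replaces the set, "+tok" adds, "-tok" removes, no directive means "all") to report whether a given config still admits SSLv3, and writes a hardened copy only when it does, so a stricter TLS-only config is left untouched. The file paths and the sample configs are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Virtualmin's code. Checks an Apache mod_ssl config for
# SSLv3 and produces a hardened copy. The config path is an argument; the
# CentOS default location is assumed to be /etc/httpd/conf.d/ssl.conf.

# sslv3_allowed FILE
# Returns 0 if the last SSLProtocol directive in FILE leaves SSLv3 enabled,
# 1 otherwise.
sslv3_allowed() {
    # Last directive wins when the file repeats it; everything after the
    # directive name is the token list.
    tokens=$(awk 'tolower($1)=="sslprotocol" {$1=""; print}' "$1" | tail -n 1)
    # No directive at all: mod_ssl's historical default is "all", SSLv3 included.
    [ -z "$tokens" ] && return 0
    allowed=0
    for tok in $tokens; do
        ltok=$(printf '%s' "$tok" | tr '[:upper:]' '[:lower:]')
        case "$ltok" in
            all|sslv3|+all|+sslv3) allowed=1 ;;   # set to / add SSLv3
            -all|-sslv3)           allowed=0 ;;   # remove SSLv3
            +*|-*)                 ;;             # other protocol toggled, SSLv3 unchanged
            *)                     allowed=0 ;;   # bare TLSv1.x replaces the whole set
        esac
    done
    [ "$allowed" -eq 1 ]
}

# harden_ssl_conf IN OUT
# Copies IN to OUT; if IN admits SSLv3, every SSLProtocol line is replaced
# with "all -SSLv2 -SSLv3" (or one is appended when none exists).
harden_ssl_conf() {
    if sslv3_allowed "$1"; then
        if grep -qi '^[[:space:]]*SSLProtocol[[:space:]]' "$1"; then
            # Rewrite every occurrence, so a later per-vhost line cannot
            # quietly re-enable SSLv3.
            awk 'tolower($1)=="sslprotocol" {print "SSLProtocol all -SSLv2 -SSLv3"; next} {print}' \
                "$1" > "$2"
        else
            { cat "$1"; echo 'SSLProtocol all -SSLv2 -SSLv3'; } > "$2"
        fi
    else
        cp "$1" "$2"
    fi
}

# Usage: sh check_sslv3.sh /etc/httpd/conf.d/ssl.conf [hardened-copy]
if [ "$#" -ge 1 ]; then
    if sslv3_allowed "$1"; then
        echo "SSLv3 still allowed by $1"
    else
        echo "SSLv3 disabled by $1"
    fi
    if [ "$#" -ge 2 ]; then
        harden_ssl_conf "$1" "$2"
        echo "hardened copy written to $2"
    fi
fi
```

Review the hardened copy, move it into place and restart httpd before trusting it. Virtualmin also writes SSL directives into each virtual host block, so run the check against those files as well as the global ssl.conf. Verifying from outside with `openssl s_client -ssl3 -connect host:443` only works when the client's OpenSSL was built with SSLv3 support, which most current builds no longer are, so a "handshake failure" from such a client proves nothing by itself.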

Sat, 02/25/2017 - 23:07
Diabolico

@Joe: I would leave this to the distro and their choice if it doesn't break Virtualmin functions or isn't required, like in the case of /home. You can't change OS packages however you like, because it's an open invitation to cause more problems than you solve. Hand-holding is not possible with control panels, and whichever one you take, it will always require some manual work to "tune" everything. In case someone doesn't know how to do it, well, $50 for installation and initial settings isn't much to pay.

Sun, 02/26/2017 - 18:27 (Reply to #5)
Joe

That's always been kinda how I've felt about it...I want to trust the distro and the user to choose the distro that fits their needs, and then we drop in on top of that and touch as little as possible in order to provide a full-featured virtual hosting environment. But, the more we interact with new users, the more I find their expectations don't mesh with that philosophy. Some folks even feel anger that we aren't more like cPanel (which replaces the whole damned stack with their custom stuff, making every distro into a "cPanel system" that has very little resemblance to the distro it started as). We started Virtualmin as a project because I had servers to manage and hated the way cPanel replaced everything (among many other things).

So, going forward, we're softening our position on the "leave the OS alone, we'll do our job, and let the distro vendor do theirs, and let the user decide what it all ought to look like when pushed into production" philosophy. In cases where the distro makes it trivial for a user to shoot themselves in the foot I think we're going to remove the footgun, by default. This is probably the perfect example of a footgun we ought to be removing.

So, sometime during the Virtualmin 6 lifecycle (i.e. in the next couple of weeks) I'll be making the install script kill SSLv3. I can't think of good reasons not to, even though XP is still alive in the wild, as you note, security trumps old ass systems. There's a couple of other things we'll be making more automatic, too...though the specifics aren't yet hammered down. All are security related. We'll do something with firewalls and something with fail2ban. (I'll consider it penance for releasing a version of Virtualmin that participates in the security theater that is chroot jail shells, which is also coming in Virtualmin 6).

Sun, 02/26/2017 - 19:43
Diabolico

With SSLv3 enabled, people argue it isn't safe; with SSLv3 disabled, angry mobs want to roll over you because their "precious" clients could not use it on WinXP. This crap is the same as the story "There was a man, his son, and their mule", and however you change it there will always be someone unhappy. Leave it to distro defaults and change only what is important for Virtualmin to function properly, trying as much as you can to avoid taking the same route as cPanel.

And let's be honest, most people who will ever come here to argue why you didn't change distro default settings are the ones with little to no knowledge. The same ones who expect an automated script to do all the job, e.g. plug and play. This can be done to some extent, but it has a lot of limitations. I mean, I have two absolutely identical servers running on cPanel with almost the same WP installation, but my.cnf is different. So how many entangled solutions should an install script have to deal with all the problems?
