SSLv3 Poodle

Discussion in 'Security' started by hostingdoc, Oct 18, 2014.

  1. hostingdoc

    hostingdoc New Member

  2. SRQWebHost

    SRQWebHost New Member

    Same question here. I'll handle this myself with some direction posted here. Otherwise I suppose I'll open a ticket.
     
  3. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

    Here is the official RedHat CVE for POODLE: https://access.redhat.com/security/cve/CVE-2014-3566

    POODLE is pretty much a way to slowly decript a few bytes of a connection if it has been forced to use the SSLv3 protocol, however the big catch is it is a Man in the Middle attack, which means a portion of the network must already be compromised allowing someone to monitor, intercept and modify the packets. For example connecting to an unknown Wireless network where somone is filtering the packets.

    The actual threat from POODLE is relatively low especially in our setting as our network is physically secure.

    Once the OpenSSL patch has made its way down to the CentOS repo's we will install it, which is a stopgap meausre to help protect things but will not truly "fix" SSLv3. The only way to fix it is for both Client & Server's to stop using SSLv3 however we cannot fully disable SSLv3 at this time on cPanel servers.

    You 'can' disable SSLv3 in Apache by visiting the Service Configuration > Apache Configuration -> Global Configuration page.

    From here you can copy the current SSL Cipher Suite that they are using, and place i in the custom box. Simply add :-SSLv3 after the -SSLv2 entry in the Cipher suite. This will disable SSLv3 for Port 443. This will NOT disable SSLv3 for other services such as courier/dovecot, cpanel, webmail etc.

    There "are" options within cPanel to be able to disable SSLv3 for these services, however doing so also disables TLS1.0 and 1.1 which will break SSL connections on those services for all browsers except those who support TLS1.2 (many more than just the SSLv3 browsers) so as it stands we do not recommend making any changes to any other SSL protocols except for the Cipher in apache.
     
    action likes this.
  4. SRQWebHost

    SRQWebHost New Member

    So while it is theoretically possible for a MitM attack, the risk is low, especially if I am not transmitting any sensitive information (financial, PHI, etc). Fair enough. Thanks for the explanation. Very helpful.
     
  5. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

    Yep, that's correct :)
     
  6. KH-DanielP

    KH-DanielP KH-COO Staff Member

    Just to update this forum thread. cPanel has added additional features within the configuration settings allowing you to disable the actual SSLv3 protocol and not just try to kill off the ciphers.

    https://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols

    This will give you the full way to disable the SSLv3 Protocol and not kill some of the additional Ciphers.
     
    Chimpie likes this.
  7. action

    action New Member

    I already double check, my vps already supports TLS_FALLBCK_SCSV mechanism which helps prevent a SSL connection from being 'downgraded' from newer protocols such as TLS1.2 to the older SSLv3 protocol

    So I believe I don't really need to disable sslv3, Chrome also already drop drop support for SSLv3 , and firefox will be soon too
     
  8. RMedure

    RMedure New Member

    I ran into a problem with SSLv3 being disabled on my server. I have some users who have VERY old Mac mail client applications that refuse to accept the SSL certificate while SSLv3 is disabled on the server. I struggled with this for a long time, and eventually switched those users over to the latest version of Thunderbird that would be compatible with there old Mac OS; and then found a clue online that the checkbox for TLS in the client app actually means STARTTLS ... so then that works on port 25/26 without any certificate complaints. Hope this helps someone.

    Cheers!
     

Share This Page