How To: Disable SSLv2, SSLv3 (POODLE attack) and TLSv1

Information

The CVE-2014-3566 vulnerability (POODLE) in the SSLv3 protocol was identified by the Google security team. OpenSSL has also published a whitepaper describing this vulnerability.

You can check whether your server is vulnerable with the following script; replace <IP> with your server's IP address:

wget http://kb.odin.com/Attachments/kcs-40007/poodle.zip
unzip poodle.zip
chmod +x poodle.sh
for i in 21 587 443 465 7081 8443 993 995; do /bin/sh /root/poodle.sh <IP> $i; done

Resolution

The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol in the client or the server (or both) will deflect a potential attack.

It is strongly recommended that you update the openssl package.
The best option is to disable SSLv3 support.

You can use the special scripts below to disable SSLv3 for all services:

  • for Linux - Disables SSLv3 for Apache, nginx, proftpd, courier-imap, qmail, postfix, dovecot and the Plesk server engine (for versions 11.5 and later).
  • for Windows - Disables SSLv3 server-wide (WARNING: A server reboot will be required).

See the following instructions on disabling SSLv3 for each service. The same instructions are applicable if your server has already been patched with pci_compliance_resolver.

As Plesk uses the same SSL engine, the sw-cp-server service should be configured to protect against the SSLv3 vulnerability.

NOTE: If you use Customer and Business Manager, see article #123706.

Plesk 11.5 and later

Edit '/etc/sw-cp-server/config'. In the http section, add:

ssl_protocols TLSv1.1 TLSv1.2;

Restart:

sudo service sw-cp-server restart

Plesk 11.0

Edit /usr/local/psa/admin/conf/ssl-conf.sh, adding echo 'ssl.use-sslv3 = "disable"' after the echo 'ssl.use-sslv2 = "disable"' directive. The file should look like:

echo 'ssl.engine = "enable"'
echo 'ssl.use-sslv2 = "disable"'
echo 'ssl.use-sslv3 = "disable"'

Restart:

sudo service sw-cp-server restart

Plesk 9.x and 10.x

For the sw-cp-server backend in Plesk 10.x, modify the list of available ciphers in the /usr/local/psa/admin/conf/cipher.lst file so that it looks like this, on a single line with no line breaks:

ECDHE-ECDSA-CAMELLIA256-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-CAMELLIA256-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-DSS-CAMELLIA256-SHA DHE-DSS-AES256-GCM-SHA384 DHE-DSS-AES256-SHA256 DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA ECDHE-ECDSA-CAMELLIA128-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-CAMELLIA128-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA

Once the /usr/local/psa/admin/conf/cipher.lst file has been modified, restart the backend:

sudo service sw-cp-server restart

Plesk 8.6.0 and older

Parallels Plesk 8.6 uses Apache as the backend for the control panel.

Add the following line to the /usr/local/psa/admin/conf/httpsd.conf file:

SSLProtocol All -SSLv2 -SSLv3

Then restart the control panel:

sudo service psa restart

Apache HTTPD Server

If you are running Apache, change your Apache configuration file (listed below are the default locations):

  • RedHat/CentOS /etc/httpd/conf.d/ssl.conf
  • Debian/Ubuntu /etc/apache2/mods-available/ssl.conf
  • SuSE /etc/apache2/ssl-global.conf

Include or change the following line in your Apache configuration file among the other SSL directives:

SSLProtocol All -SSLv2 -SSLv3

Run the following commands to change the SSL settings in the PCI Compliance template:

mkdir -p /usr/local/psa/admin/conf/templates/custom/
mkdir -p /usr/local/psa/admin/conf/templates/custom/server/
cp /usr/local/psa/admin/conf/templates/pci_compliance/server/PCI_compliance.php /usr/local/psa/admin/conf/templates/custom/server/
sed -i 's/SSLProtocol -ALL +SSLv3 +TLSv1/SSLProtocol All -SSLv2 -SSLv3/g' /usr/local/psa/admin/conf/templates/custom/server/PCI_compliance.php

Then restart the Apache webserver:

/usr/local/psa/admin/bin/websrvmng -r

Nginx server

If you are running Nginx, include the following line in /etc/nginx/nginx.conf among the other SSL directives:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Additionally, for all sites in Plesk 11.0 for Linux:

mkdir -p /usr/local/psa/admin/conf/templates/custom/
mkdir -p /usr/local/psa/admin/conf/templates/custom/domain/
cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain/

sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

For all sites in Plesk 11.5 for Linux:

mkdir -p /usr/local/psa/admin/conf/templates/custom/
mkdir -p /usr/local/psa/admin/conf/templates/custom/domain/
cp /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php /usr/local/psa/admin/conf/templates/custom/
cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain/

sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/custom/nginxWebmailPartial.php
sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

For all sites in Plesk 12.0 for Linux:

mysqldump -uadmin -p`cat /etc/psa/.psa.shadow` psa > psa_backup.sql
mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa
mysql> insert into misc values('disablesslv3', 'true');

Then, reconfigure Apache and Nginx:

/usr/local/psa/admin/bin/httpdmng --reconfigure-all

Dovecot IMAP/POP3 server

Include the following line in /etc/dovecot/dovecot.conf:

ssl_protocols = !SSLv2 !SSLv3

Restart the service:

sudo service dovecot restart

Courier IMAP

Edit the following files:

  • /etc/courier-imap/pop3d-ssl
  • /etc/courier-imap/imapd-ssl

Add or modify the TLS_PROTOCOL and TLS_CIPHER_LIST directives so they look like:

TLS_PROTOCOL=TLSv1+
TLS_CIPHER_LIST="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"

Restart the services:

sudo service courier-imaps restart
sudo service courier-pop3s restart

Postfix SMTP

For 'opportunistic SSL' (where the encryption policy is not enforced and plain text is acceptable), you do not need to make any changes. Even SSLv2 is better than plain text, so if you need to secure your server you should be using 'mandatory SSL' mode anyway.

If you still want to disable SSLv3 for opportunistic encryption, add/change:

smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3

If 'mandatory SSL' mode is already configured, add or change the smtpd_tls_mandatory_protocols setting in the /etc/postfix/main.cf file:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

Then restart Postfix:

sudo service postfix restart

You can verify whether SSLv3 is disabled using the following command:

openssl s_client -connect localhost:465 -ssl3

If you are not vulnerable (SSLv3 is disabled), your output should look something like:

CONNECTED(00000003)
139808606107464:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
139808606107464:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

If you are vulnerable, the SSLv3 handshake succeeds and you see normal connection output, including the line:

CONNECTED(00000003)
220 mail.example.com ESMTP Postfix
DONE

Qmail MTA

Create (or edit) the /var/qmail/control/tlsserverciphers file so it looks like:

ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM

Note: disabling the SSLv3 ciphers makes it impossible to use port 465 (TLS) in Thunderbird.

ProFTPD server

Create and edit the /etc/proftpd.d/60-nosslv3.conf file by adding the following lines:

<IfModule mod_tls.c>
TLSProtocol TLSv1
TLSCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
</IfModule>

Then make sure the created configuration file is included in the proftpd configuration. If it is not, add the following line to /etc/proftpd.conf:

Include /etc/proftpd.d/*.conf

Then restart xinetd, which launches the ProFTPD daemon:

service xinetd restart
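The protocol directives above use four different syntaxes: nginx and sw-cp-server take an allow-list, Apache takes All followed by subtractions, Dovecot and Postfix take exclusions only, and Courier takes a minimum version with a trailing plus. The following Python audit is an added example (not part of this article or of Plesk) that interprets each syntax and flags any directive that still allows SSLv2 or SSLv3; the directive names come from the sections above, and the SAMPLE constant is constructed from this article's before and after lines.

```python
import re

PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")  # oldest first
WEAK = {"SSLv2", "SSLv3"}

# Directive names used by the services in this article; value follows '=' or whitespace.
DIRECTIVE = re.compile(
    r"^(?:ssl_protocols|SSLProtocol|smtpd?_tls(?:_mandatory)?_protocols|TLS_PROTOCOL)"
    r"\s*=?\s*(.+?)\s*;?$", re.IGNORECASE)

def enabled_protocols(line):
    """Versions one protocol directive leaves enabled; None for any other line."""
    m = DIRECTIVE.match(line.strip())
    if not m:
        return None
    tokens = [t for t in re.split(r"[\s,]+", m.group(1).strip('"')) if t]
    enabled = set()
    # A list opening with an exclusion (!X or -X) means "everything except",
    # as Dovecot and Postfix read it; Apache's "All -X" reaches the same state.
    if tokens and tokens[0][0] in "!-":
        enabled.update(PROTOCOLS)
    for tok in tokens:
        negated, name = tok[0] in "!-", tok.lstrip("!-+")
        if name.lower() == "all":
            enabled.clear() if negated else enabled.update(PROTOCOLS)
        elif negated:
            enabled.discard(name)
        elif name.endswith("+") and name[:-1] in PROTOCOLS:  # Courier: TLSv1+
            enabled.update(PROTOCOLS[PROTOCOLS.index(name[:-1]):])
        else:
            enabled.add(name)
    return enabled

def weak_lines(config_text):
    """(line number, weak versions still enabled) for each offending directive."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        enabled = enabled_protocols(line)
        if enabled and enabled & WEAK:
            findings.append((n, sorted(enabled & WEAK)))
    return findings

# Constructed sample: Plesk's pre-fix nginx and PCI-template lines beside fixed ones.
SAMPLE = """\
ssl_protocols SSLv2 SSLv3 TLSv1;
SSLProtocol All -SSLv2 -SSLv3
ssl_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
TLS_PROTOCOL=TLSv1+
SSLProtocol -ALL +SSLv3 +TLSv1
"""
```

Running weak_lines(SAMPLE) reports lines 1 and 6 only, which is the check to run against each file after editing and before restarting the service.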

Microsoft Internet Information Services

There is an official Microsoft Knowledge Base article about disabling particular protocols in IIS: "How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services".

Windows Server stores its settings for the Schannel security protocols it supports in the registry, under the key below.

Click Start, click Run, type regedt32 or regedit, and then click OK.

In Registry Editor, locate the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

On the Edit menu, click Add Value.

In the Data Type list, click DWORD.

In the Value Name box, type Enabled then click OK.

Note: If this value is already present, double-click it to edit it.

Type 00000000 in the Binary Editor to set the new value to 0, then click OK.
Restart the computer.

    This article was last modified: June 3, 2016, 10:29 a.m.
