How to fix SSL V3 Vulnerability (POODLE Vulnerability) in cPanel
Category: apache
ZENHOST Support Staff asked 9 years ago

On October 14, 2014, security experts alerted the general public to a flaw in an obsolete but still-used SSL protocol (SSLv3).

The “POODLE” (Padding Oracle On Downgraded Legacy Encryption) attack can force a connection to “fallback” to SSL 3.0, where it is then possible to steal cookies, which are small data files that enable persistent access to an online service. If stolen, a cookie could allow an attacker access to someone’s Web-based email account, for example.

It’s important to know that this flaw is most likely present in all servers and has nothing to do with the cPanel software. However, servers that currently function only because of SSL 3.0 fallback should be updated.

To accomplish this, please follow these steps. This does not appear to affect SSH and FTP services.

For Apache:

1) Go to WHM => Service Configuration => Apache Configuration => Include Editor => Pre Main Include.
2) Select a version or All Versions.
3) Add the following in the text box that appears:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

4) Press the Update button and rebuild your Apache configuration.

This will disable SSLv3.0 on your server running Apache.

For LiteSpeed:

LiteSpeed has released an update to version 4.2.17. You can force a reinstall by running this command:

# /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.17

1) Go to WHM => Service Configuration => Apache Configuration => Include Editor => Pre Main Include.
2) Select a version or All Versions.
3) Add the following in the text box that appears:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1

4) Press the Update button and rebuild your Apache configuration.

This will disable SSLv3.0 on your server running LiteSpeed.

====

For cpsrvd and cpdavd:

1. Create the following files if they do not already exist:

/var/cpanel/conf/cpsrvd/ssl_socket_args
/var/cpanel/conf/cpdavd/ssl_socket_args

2. Add the following to those files:

SSL_version=TLSv1

Complex protocol strings work for cpdavd on all builds. For cpsrvd, only 11.46 supports complex protocol strings such as "SSL_version=SSLv23:!SSLv2:!SSLv3", so 11.44 machines would need to enable TLSv1 support only until a fix has been released for case 124993, which is open about this issue. Of note, enabling TLSv1 support only also disables TLSv1.1 and TLSv1.2 support.
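Added example (not cPanel's or this post's code): a small model of the two protocol-selection syntaxes used above, the Apache/LiteSpeed SSLProtocol directive and the IO::Socket::SSL SSL_version string read from ssl_socket_args, so you can see which protocols each setting leaves enabled and why "-All +TLSv1" or "SSL_version=TLSv1" is POODLE-safe but also drops TLSv1.1/1.2. It assumes Apache 2.4 mod_ssl semantics on an OpenSSL 1.0.1+ build ("All" = SSLv3 through TLSv1.2) and IO::Socket::SSL's version names; the function names are my own.

```python
# Assumption: Apache 2.4 mod_ssl with OpenSSL 1.0.1+, where "All" expands to
# every protocol except SSLv2. Names are written as they appear in the post.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
APACHE_KNOWN = {"SSLv2"} | APACHE_ALL

# IO::Socket::SSL spelling -> the spelling used above, so results compare.
IOSSL_NAMES = {"SSLv2": "SSLv2", "SSLv3": "SSLv3", "TLSv1": "TLSv1",
               "TLSv1_1": "TLSv1.1", "TLSv1_2": "TLSv1.2"}


def apache_ssl_protocol(directive: str) -> set:
    """Protocols enabled by an 'SSLProtocol' value such as '-All +TLSv1'."""
    enabled = set()
    for token in directive.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        is_all = name.lower() == "all"
        if not is_all and name not in APACHE_KNOWN:
            raise ValueError(f"unknown protocol keyword: {token}")
        names = APACHE_ALL if is_all else {name}
        if sign == "-":
            enabled -= names
        else:  # '+' adds; a bare keyword lists exactly that protocol
            enabled |= names
    return enabled


def ssl_socket_args_version(value: str) -> set:
    """Protocols enabled by an IO::Socket::SSL 'SSL_version' string."""
    base, *excluded = value.split(":")
    if base == "SSLv23":  # auto-negotiate, minus any '!name' entries
        enabled = set(IOSSL_NAMES.values())
    elif base in IOSSL_NAMES:  # a bare name pins exactly that version
        enabled = {IOSSL_NAMES[base]}
    else:
        raise ValueError(f"unknown SSL_version: {value}")
    for item in excluded:
        if not item.startswith("!") or item[1:] not in IOSSL_NAMES:
            raise ValueError(f"bad exclusion: {item}")
        enabled.discard(IOSSL_NAMES[item[1:]])
    return enabled


def poodle_safe(protocols: set) -> bool:
    """POODLE needs an SSLv3 fallback; SSLv2 should be gone in any case."""
    return not (protocols & {"SSLv2", "SSLv3"})


if __name__ == "__main__":
    for label, protos in [
        ("Apache include", apache_ssl_protocol("-All +TLSv1 +TLSv1.1 +TLSv1.2")),
        ("LiteSpeed include", apache_ssl_protocol("-All +TLSv1")),
        ("cpsrvd 11.44", ssl_socket_args_version("TLSv1")),
        ("cpsrvd 11.46", ssl_socket_args_version("SSLv23:!SSLv2:!SSLv3")),
    ]:
        print(f"{label:18} {sorted(protos)}  POODLE-safe: {poodle_safe(protos)}")
```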

For Dovecot/Courier:

1) Go to WHM => Service Configuration => Mailserver Configuration.
2) Change the SSL Cipher List to:

ALL:-SSLv3:RC4:-SSLv2:!ADH:+HIGH:+MEDIUM:-LOW:-EXP

For Exim:

1) Go to WHM => Service Configuration => Exim Configuration Manager => Advanced Editor.
2) Change the following in tls_require_ciphers:

ALL:-SSLv3:RC4:-SSLv2:!ADH:+HIGH:+MEDIUM:-LOW:-EXP

Please note that for both Dovecot/Courier and Exim above, the suggested cipher lists do NOT disable all SSLv3 support, but only disable the ciphers that use CBC, so some SSLv3 support is still available.

It is possible to completely disable SSLv3 support on these service ports with the following cipher list:

ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP

Completely disabling SSLv3 ciphers on the above service ports greatly limits browser compatibility and prevents connections from all but a few modern browsers such as Google Chrome.

Once done, verify your website here:

https://www.tinfoilsecurity.com/poodle