Note: for other Odin products, please refer to the hub article: https://kb.cloudblue.com/123153

Information

The CVE-2014-3566 vulnerability (known as POODLE) in the SSLv3 protocol was identified by the Google security team. OpenSSL has also published a whitepaper that describes this vulnerability.

You can check whether your website is vulnerable with curl by forcing an SSLv3 handshake (-3) and requesting only the headers (-I):

curl -v3 -I https://www.example.com

If you are NOT vulnerable, the handshake is refused and your output should look something like this:

curl: (35) SSL connect error

If you ARE vulnerable, you will see normal connection output, potentially including the line:

SSL 3.0 connection using ...

Resolution

Disable the SSLv3 protocol for the PA control panel:

  1. On the management node, open /etc/sw-cp-server/conf.d/plesk.conf and add the following parameter next to ssl_certificate_key:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
  2. Restart sw-cp-server:

    # /etc/init.d/sw-cp-server stop
    # /etc/init.d/sw-cp-server configtest
    # /etc/init.d/sw-cp-server start
    
  3. Include the following line in the /etc/httpd/conf.d/ssl.conf file:

    SSLProtocol All -SSLv2 -SSLv3
    
  4. Restart the Apache service, e.g.

    # service httpd restart
    

Disable the SSLv3 protocol for PA Linux service nodes:

  1. On the service node, open /etc/sw-cp-server/conf.d/agent.conf and add the following parameter next to the line "ssl on;":

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
  2. Restart sw-cp-server:

    # /etc/init.d/sw-cp-server stop
    # /etc/init.d/sw-cp-server configtest
    # /etc/init.d/sw-cp-server start
    

Disable SSLv3 protocol on Postfix service nodes:

NOTE: These steps should be performed for all Postfix service nodes.

If only 'opportunistic SSL' is used (the encryption policy is not enforced and plaintext is acceptable too), you don't need to change anything. Even SSLv2 is better than plaintext, so if you need to secure your server you should be using 'mandatory SSL' mode anyway.

If 'mandatory SSL' mode is already configured, add or change the smtpd_tls_mandatory_protocols setting by adding the following line to the /etc/postfix/main.cf file:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

and reload Postfix so that the changed main.cf setting takes effect (the postfix command has no "restart" subcommand; "reload" is sufficient for a main.cf change):

sudo postfix reload

You can verify that SSLv3 is disabled using the following command:

openssl s_client -connect localhost:465 -ssl3

If you are not vulnerable, your output should look something like this:

    CONNECTED(00000003)
    139808606107464:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
    139808606107464:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

If you are vulnerable, you should see normal connection output, including lines such as:

    CONNECTED(00000003)
    220 mail.example.com ESMTP Postfix
    DONE
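Both checks above (curl -3 and openssl s_client -ssl3) only work while the client-side OpenSSL is still built with SSLv3 support, which current builds drop. The following Python script is an added example for this article, not part of the article itself or of the Odin/PA product: it sends a minimal SSLv3 ClientHello over a plain socket and classifies the first record that comes back the same way the outputs above are read (a ServerHello negotiating version 3.0 means SSLv3 is accepted; an alert or a closed connection means it is refused). The host, port, timeout and cipher-suite list are assumptions chosen for the example.

```python
"""SSLv3 support probe: sends a minimal SSLv3 ClientHello over a raw socket
and classifies the server's first record, so the check still works on hosts
whose local OpenSSL/curl no longer ship SSLv3 support at all.

Added example for this article; not part of the Odin/PA product."""
import socket
import struct

SSL3_VERSION = 0x0300
RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02

# A few SSLv3-era suites (RC4-SHA, DES-CBC3-SHA, AES128-SHA, AES256-SHA):
# enough for a server that still speaks SSLv3 to pick one. Assumed list.
CIPHER_SUITES = (0x0005, 0x000A, 0x002F, 0x0035)


def build_client_hello(client_random: bytes = b"\x00" * 32) -> bytes:
    """Return one SSLv3 record carrying a ClientHello (constructed values)."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        struct.pack("!H", SSL3_VERSION)         # client_version = 3.0
        + client_random                          # 32-byte random
        + b"\x00"                                # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                            # compression methods: null only
    )
    # Handshake header: type (1 byte) + 24-bit body length
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return struct.pack("!BHH", RECORD_HANDSHAKE, SSL3_VERSION, len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Map the first record a server sends back to one of:
    'sslv3-accepted'  - a ServerHello negotiating version 3.0 (vulnerable)
    'sslv3-rejected'  - an alert, or the connection closed without a record
    'inconclusive'    - anything else (truncated reply, other version, non-TLS)
    """
    if not data:
        return "sslv3-rejected"          # server closed the socket on the ClientHello
    if len(data) < 5:
        return "inconclusive"
    content_type, _record_version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if content_type == RECORD_ALERT:
        return "sslv3-rejected"          # e.g. handshake_failure (40) or protocol_version (70)
    if content_type == RECORD_HANDSHAKE and len(payload) >= 6 and payload[0] == HS_SERVER_HELLO:
        server_version = struct.unpack("!H", payload[4:6])[0]   # after type + 24-bit length
        return "sslv3-accepted" if server_version == SSL3_VERSION else "inconclusive"
    return "inconclusive"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello and classify the reply.
    Suitable for implicit-TLS ports (443, 465, 8443); not for STARTTLS on 25/587."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "inconclusive"
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target_host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{target_host}:{target_port} -> {probe(target_host, target_port)}")
```

Run it as `python3 probe_sslv3.py mail.example.com 465` (or against port 8443 for the control panel). The probe only reads the first record, so it never completes a handshake or exchanges any application data; "inconclusive" is returned rather than guessed when the server answers with something other than an SSLv3 ServerHello or an alert.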

Disable SSLv3 protocol on Apache web server nodes:

NOTE: These steps should be performed for all Apache service nodes.

Include the following line in the /etc/httpd/conf.d/ssl.conf file:

SSLProtocol All -SSLv2 -SSLv3

And restart the Apache service, e.g.

# service httpd restart

Disable SSLv3 protocol on Windows service nodes:

NOTE: You should install MU #8 first before disabling SSLv3 on Windows. These steps should be performed for all Windows service nodes (IIS/Smartermail).

By default, Windows allows the broken SSLv2 and SSLv3 protocols and weak ciphers for server-side SSL/TLS connections.

Mitigation steps:

  1. Upload the attached fixDisableWeakCiphers.reg file to the web server machine

  2. Double-click it and allow the operating system to update the registry

  3. Restart the computer

For more information about meanings of registry settings used, see http://support.microsoft.com/kb/245030.

Disable SSLv3 protocol on Apache web server nodes for ProFTPD service:

Create the /etc/proftpd.d/60-nosslv3.conf file with the following lines:

<IfModule mod_tls.c>
TLSProtocol TLSv1
TLSCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
</IfModule>

Then make sure the created configuration file is included in the ProFTPD configuration. If it is not, add the following line to /etc/proftpd.conf:

Include /etc/proftpd.d/*.conf

Then restart the service daemon (xinetd):

service xinetd restart
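Across the sections above the same fix appears in four syntaxes: nginx-style ssl_protocols for sw-cp-server, Apache SSLProtocol, Postfix smtpd_tls_mandatory_protocols and ProFTPD TLSProtocol. The following Python audit script is an added example for this article, not part of the article or of the product: it parses those four directives out of configuration text and reports which of them still leave SSLv3 enabled, using the documented semantics of each directive (Apache's left-to-right +/- evaluation, Postfix's include-or-exclude lists, ProFTPD's SSLv23 alias). The sample configuration text is constructed.

```python
"""Audit the protocol directives this article changes (sw-cp-server/nginx
ssl_protocols, Apache SSLProtocol, Postfix smtpd_tls_mandatory_protocols,
ProFTPD TLSProtocol) and report which of them still leave SSLv3 enabled.

Added example for this article; the sample configs below are constructed."""
import re

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def nginx_allows_sslv3(value: str) -> bool:
    # nginx lists the enabled protocols explicitly, e.g. "TLSv1 TLSv1.1 TLSv1.2".
    # A missing directive is not seen by this audit: before nginx 1.9.1 the
    # default included SSLv3, so the directive must be present to be safe.
    return "SSLv3" in value.split()


def apache_allows_sslv3(value: str) -> bool:
    # mod_ssl SSLProtocol: tokens are added with '+' (or bare) and removed
    # with '-', evaluated left to right; 'all' expands to every protocol.
    enabled = set()
    for token in value.split():
        name = token.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        if token.startswith("-"):
            enabled -= names
        else:
            enabled |= names
    return "SSLv3" in enabled


def postfix_allows_sslv3(value: str) -> bool:
    # Postfix accepts either an include list ("TLSv1, TLSv1.1") or an
    # exclude list ("!SSLv2, !SSLv3"); entries are comma or space separated.
    entries = [e for e in re.split(r"[,\s]+", value.strip()) if e]
    excluded = {e[1:] for e in entries if e.startswith("!")}
    if excluded:
        return "SSLv3" not in excluded
    return "SSLv3" in entries


def proftpd_allows_sslv3(value: str) -> bool:
    # mod_tls TLSProtocol: explicit names, where "SSLv23" means SSLv3 plus TLS.
    return any(token in ("SSLv3", "SSLv23") for token in value.split())


DIRECTIVES = {
    "ssl_protocols": nginx_allows_sslv3,
    "sslprotocol": apache_allows_sslv3,
    "smtpd_tls_mandatory_protocols": postfix_allows_sslv3,
    "tlsprotocol": proftpd_allows_sslv3,
}

# Matches "name value", "name = value" and "name value;"; comment lines never match.
LINE_RE = re.compile(
    r"^\s*(ssl_protocols|SSLProtocol|smtpd_tls_mandatory_protocols|TLSProtocol)"
    r"\s*=?\s*(.+?)\s*;?\s*$",
    re.IGNORECASE,
)


def audit(config_text: str) -> list:
    """Return (directive, value, allows_sslv3) for every protocol directive found."""
    findings = []
    for line in config_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            name, value = match.group(1), match.group(2)
            findings.append((name, value, DIRECTIVES[name.lower()](value)))
    return findings


# Constructed samples: weak settings beside the values this article applies.
WEAK_CONFIG = """\
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
SSLProtocol All -SSLv2
smtpd_tls_mandatory_protocols = !SSLv2
TLSProtocol SSLv23
"""

FIXED_CONFIG = """\
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
SSLProtocol All -SSLv2 -SSLv3
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
TLSProtocol TLSv1
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        for name, value, bad in audit(text):
            print(f"[{label}] {name:<30} {'SSLv3 ENABLED' if bad else 'ok':<14} {value}")
```

Feed it the concatenated contents of plesk.conf, agent.conf, ssl.conf, main.cf and 60-nosslv3.conf from a node to see every protocol directive and its verdict in one list. Note the audit only judges directives that are present; for sw-cp-server the directive must exist at all, since the older nginx default included SSLv3.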

Internal content

sw-cp-server also runs on the service nodes, so check whether the SSLv3 protocol is disabled there as well:

# grep ssl /etc/sw-cp-server/config
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

A task may fail with the following error:

The error 'error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure' occurred during the connection to the agent at 'https://xxx.xxx.xxx.xxx:8443/agent.cgi'.

Install MU #8 to resolve this issue.