Note: for other Odin products, please refer to the hub article: https://kb.cloudblue.com/123153
Information
The CVE-2014-3566 vulnerability in the SSLv3 protocol was identified by the Google security team. OpenSSL has also published a whitepaper describing this vulnerability.
You can check if your website is vulnerable with curl:
curl -v3 -X HEAD https://www.example.com
If you are NOT vulnerable, your output should look something like this:
curl: (35) SSL connect error
If you ARE vulnerable, you will see normal connection output, potentially including the line:
SSL 3.0 connection using ...
Resolution
Disable the SSLv3 protocol for the PA control panel:
On the Management node, open the file
/etc/sw-cp-server/conf.d/plesk.conf
and add the following parameter next to ssl_certificate_key:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Restart sw-cp-server:
# /etc/init.d/sw-cp-server stop
# /etc/init.d/sw-cp-server configtest
# /etc/init.d/sw-cp-server start
Include the following line in the /etc/httpd/conf.d/ssl.conf file:
SSLProtocol All -SSLv2 -SSLv3
Restart the Apache service, e.g.
# service httpd restart
Disable the SSLv3 protocol for PA Linux service nodes:
On each service node, open the file
/etc/sw-cp-server/conf.d/agent.conf
and add the following parameter next to ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Restart sw-cp-server:
# /etc/init.d/sw-cp-server stop
# /etc/init.d/sw-cp-server configtest
# /etc/init.d/sw-cp-server start
Disable the SSLv3 protocol on Postfix service nodes:
NOTE: These steps should be performed on all Postfix service nodes.
For 'opportunistic SSL' (the encryption policy is not enforced and plain text is acceptable too), you don't need to change anything. Even SSLv2 is better than plain text, so if you need to secure your server you should be using 'mandatory SSL' mode anyway.
If 'mandatory SSL' mode is already configured, add or change the smtpd_tls_mandatory_protocols setting by adding the following line to the /etc/postfix/main.cf file:
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
and restart Postfix:
sudo postfix restart
You can verify that SSLv3 is disabled using the following command:
openssl s_client -connect localhost:465 -ssl3
If you are not vulnerable, your output should look something like this:
CONNECTED(00000003)
139808606107464:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
139808606107464:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
If you are vulnerable, you should see normal connection output, including the line:
CONNECTED(00000003)
220 mail.example.com ESMTP Postfix
DONE
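As an added example (not part of this KB article), the following Python script performs the same SSLv3 check as the curl and openssl commands above at the protocol level, which is useful where the local OpenSSL build no longer supports -ssl3: it sends a minimal SSLv3 ClientHello to an implicit-TLS port and reports whether the server answered with an SSLv3 ServerHello (still vulnerable) or refused. The host, port and cipher-suite list are assumptions.

```python
import socket
import struct
import sys

SSLV3 = b"\x03\x00"  # protocol version 3.0 in both the record and the handshake header
# A handful of SSLv3-era suites (constructed list); any one lets an SSLv3-enabled server answer.
CIPHER_SUITES = bytes.fromhex("002f0035000a00050004")


def build_sslv3_client_hello() -> bytes:
    """Return one handshake record carrying a minimal SSLv3 ClientHello (no extensions)."""
    body = (SSLV3
            + b"\x00" * 32                                   # client random (fixed, test only)
            + b"\x00"                                        # empty session id
            + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
            + b"\x01\x00")                                   # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 3-byte length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake  # 0x16 = handshake record


def classify_response(data: bytes) -> str:
    """Classify the first bytes a server sends back after the SSLv3 ClientHello.

    'refused'  - alert record, or the connection was closed without any record (what curl and
                 openssl report as 'SSL connect error' / 'sslv3 alert handshake failure')
    'accepted' - a ServerHello negotiated at version 3.0, i.e. SSLv3 is still enabled
    'unknown'  - anything else (plaintext banner, truncated record, timeout ...)
    """
    if not data:
        return "refused"
    if data[0] == 0x15:                                      # alert record
        return "refused"
    if len(data) >= 6 and data[0] == 0x16 and data[1:3] == SSLV3 and data[5] == 0x02:
        return "accepted"                                    # handshake record carrying ServerHello
    return "unknown"


def check_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Probe an implicit-TLS port (443, 8443, 465 ...) the way 'curl -3' / 's_client -ssl3' do."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except socket.timeout:
            return "unknown"


if __name__ == "__main__":
    target_host = sys.argv[1]                                # e.g. www.example.com (assumed)
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{target_host}:{target_port} -> SSLv3 {check_sslv3(target_host, target_port)}")
```

Run it as `python3 check_sslv3.py www.example.com 8443`; 'refused' means the mitigation above is in effect on that port, 'accepted' means SSLv3 is still negotiable.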
Disable the SSLv3 protocol on Apache web server nodes:
NOTE: These steps should be performed on all Apache service nodes.
Include the following line in the /etc/httpd/conf.d/ssl.conf file:
SSLProtocol All -SSLv2 -SSLv3
Then restart the Apache service, e.g.
# service httpd restart
Disable the SSLv3 protocol on Windows service nodes:
NOTE: Install MU #8 before disabling SSLv3 on Windows. These steps should be performed on all Windows service nodes (IIS/SmarterMail).
By default, Windows allows the broken SSLv2 and SSLv3 protocols and weak ciphers for server-side SSL/TLS connections.
Mitigation steps:
- Upload the attached fixDisableWeakCiphers.reg file to the web server machine
- Double-click it and allow the operating system to update the registry
- Restart the computer
For more information about the meaning of the registry settings used, see http://support.microsoft.com/kb/245030.
Disable the SSLv3 protocol for the ProFTPD service on Apache web server nodes:
Create the /etc/proftpd.d/60-nosslv3.conf file with the following content:
<IfModule mod_tls.c>
TLSProtocol TLSv1
TLSCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
</IfModule>
Then make sure the new configuration file is included in the ProFTPD configuration. If it is not, add the following line to /etc/proftpd.conf:
Include /etc/proftpd.d/*.conf
Then restart the service daemon:
service xinetd restart
Internal content
sw-cp-server also runs on service nodes, so SSLv3 may be disabled there as well:
# cat /etc/sw-cp-server/config |grep ssl
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
In that case a task may fail with the following error:
The error 'error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure' occurred during the connection to the agent at 'https://xxx.xxx.xxx.xxx:8443/agent.cgi'.
Install MU #8 to resolve this issue.