Symptoms

A vulnerability in the SSLv3 protocol, CVE-2014-3566 (known as POODLE), was identified by the Google security team. An additional whitepaper from OpenSSL also describes this vulnerability.

You can check whether your website still accepts SSLv3 with curl (the -3 option forces an SSLv3-only handshake; a curl built without SSLv3 support rejects that option, so run the test from a build that still has it, and if curl hangs after -X HEAD waiting for a body, -I sends a proper HEAD request instead):

curl -v3 -X HEAD https://www.example.com

If you are NOT vulnerable, the server rejects the SSLv3 handshake and your output should look something like this:

curl: (35) SSL connect error

If you ARE vulnerable, the SSLv3 handshake succeeds and you will see normal connection output, potentially including the line:

SSL 3.0 connection using ...

Resolution

Web servers:

  1. Create custom templates for Apache and/or Apache2 according to the first step of the following KB article:

    How to generate custom HTTPD config

  2. Add the directive SSLProtocol All -SSLv2 -SSLv3 to the appropriate section of the generated custom configuration template on every web server:

    For Apache2: /hsphere/local/config/httpd2/httpd.conf.tmpl.custom

    <IfDefine SSL>
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl    .crl

        SSLProtocol             All -SSLv2 -SSLv3

        SSLPassPhraseDialog     builtin
        SSLCipherSuite          HIGH:MEDIUM:!LOW:!aNULL:!SSLv2
        SSLSessionCache         dbm:/hsphere/local/var/httpd/logs/ssl_scache
        SSLSessionCacheTimeout  300
        SSLMutex                file:/hsphere/local/var/httpd/logs/ssl_mutex
        SSLRandomSeed           startup builtin
        SSLRandomSeed           connect builtin
        CustomLog               /hsphere/local/var/httpd/logs/ssl_request_log \
                                "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </IfDefine>

    For Apache: /hsphere/local/config/httpd/httpd.conf.tmpl.custom

    <IfModule mod_ssl.c>
       AddType application/x-x509-ca-cert .crt
       AddType application/x-pkcs7-crl    .crl
    
       SSLProtocol             All -SSLv2 -SSLv3
    
       SSLPassPhraseDialog  builtin
       SSLCipherSuite       HIGH:MEDIUM:!LOW:!aNULL:!SSLv2
       SSLSessionCache         dbm:/hsphere/local/var/httpd/logs/ssl_scache
       SSLSessionCacheTimeout  300
       SSLMutex  file:/hsphere/local/var/httpd/logs/ssl_mutex
       SSLRandomSeed startup builtin
       SSLRandomSeed connect builtin
       SSLLog      /hsphere/local/var/httpd/logs/ssl_engine_log
       SSLLogLevel info
    </IfModule>
    
  3. Apply the changes to every web server according to step three of the How to generate custom HTTPD config KB article.
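To confirm that an edited template really removes SSLv3 before it is rolled out, the following added example (not part of this KB article or the H-Sphere product) evaluates SSLProtocol directives the way mod_ssl does: a bare token such as All replaces the set, +name adds, -name removes, and names are case-insensitive. It assumes an Apache 2.2-era build where "all" means SSLv2, SSLv3 and TLSv1; pass a different set for other builds.

```python
import re

# What "all" expands to depends on the Apache/OpenSSL build. Assumption: an
# Apache 2.2-era build that knows SSLv2, SSLv3 and TLSv1, as in the templates
# above; pass a different set for other builds.
DEFAULT_ALL = frozenset({"SSLv2", "SSLv3", "TLSv1"})
KNOWN = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1",
         "tlsv1.1": "TLSv1.1", "tlsv1.2": "TLSv1.2", "tlsv1.3": "TLSv1.3"}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)

def effective_protocols(value, all_set=DEFAULT_ALL):
    """Protocol set an SSLProtocol value enables, following mod_ssl's rules:
    a bare token replaces the current set, "+tok" adds, "-tok" removes, and
    names are matched case-insensitively (so "All" and "all" are the same)."""
    enabled = set()
    for tok in value.split():
        action, name = "=", tok
        if tok[0] in "+-":
            action, name = tok[0], tok[1:]
        key = name.lower()
        if key == "all":
            chosen = set(all_set)
        elif key in KNOWN:
            chosen = {KNOWN[key]}
        else:
            raise ValueError("unknown SSLProtocol token: %r" % tok)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:           # bare token: overrides whatever came before it
            enabled = chosen
    return frozenset(enabled)

def audit_config(text, all_set=DEFAULT_ALL):
    """Return (directive value, effective set, sslv3_enabled) per directive found."""
    findings = []
    for m in DIRECTIVE.finditer(text):
        protos = effective_protocols(m.group(1), all_set)
        findings.append((m.group(1), protos, "SSLv3" in protos))
    return findings

# Constructed samples: the template line before and after this article's edit.
OLD_TEMPLATE = "<IfDefine SSL>\n    SSLProtocol             all -SSLv2\n</IfDefine>\n"
NEW_TEMPLATE = "<IfDefine SSL>\n    SSLProtocol             All -SSLv2 -SSLv3\n</IfDefine>\n"
if __name__ == "__main__":
    for label, tmpl in (("before", OLD_TEMPLATE), ("after", NEW_TEMPLATE)):
        for value, protos, bad in audit_config(tmpl):
            print(label, repr(value), sorted(protos), "VULNERABLE" if bad else "ok")
```

Run it against the real httpd.conf.tmpl.custom contents (for example, audit_config(open(path).read())) to list every SSLProtocol directive and whether SSLv3 survives it.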

H-sphere Control Panel:

  1. Generate the custom configuration template:

    1.1 Download the H-Sphere updater:

    # wget http://download.hsphere.parallels.com/shiv/HS/releases/U36.0/U36.0P3/U36.0P3
    

    1.2 Run the command:

    ./U36.0P3 hspackages ctemplates=httpdcp
    

    The custom template will be placed in the following location:

     /hsphere/local/home/cpanel/apache/conf/httpd.conf.tmpl.custom
    

    Edit the generated custom configuration template and replace

    SSLProtocol             all -SSLv2
    

    with

    SSLProtocol             All -SSLv2 -SSLv3
    

    To apply the changes, log into the H-Sphere CP and run an update of the CP server.

    When the update process is complete, restart the H-Sphere service:

    service httpdcp restart
    

Mail Servers:

On every mail server, change the following lines in the appropriate files:

In /hsphere/local/var/vpopmail/etc/mail-ssl.conf, replace

        PROTOCOLS=SSLv3,TLSv1

with

        PROTOCOLS=TLSv1

In /home/hsphere/local/config/mail/imap/etc/imapd-ssl, replace

    TLS_PROTOCOL=SSL3
    TLS_STARTTLS_PROTOCOL=SSL3

with

    TLS_PROTOCOL=TLS1
    TLS_STARTTLS_PROTOCOL=TLS1

In /hsphere/local/config/mail/imap/etc/imapd-ssl, replace

    TLS_PROTOCOL=SSL3
    TLS_STARTTLS_PROTOCOL=SSL3

with

    TLS_PROTOCOL=TLS1
    TLS_STARTTLS_PROTOCOL=TLS1

To apply the changes, reboot the server.

Microsoft Internet Information Services

The official Microsoft knowledge base article on disabling particular protocols in IIS is: How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services

Microsoft Windows Server stores information about the security-enhanced channel (Schannel) protocols it supports in the registry, under the key shown in step 2 below.

  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.

  2. In Registry Editor, locate the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
    
  3. On the Edit menu, click Add Value.

  4. In the Data Type list, click DWORD.

  5. In the Value Name box, type Enabled, and then click OK.

    Note: If this value is present, double-click the value to edit its current value.

  6. Type 00000000 in the Binary Editor to set the value of the new entry to "0".

  7. Click OK. Restart the computer.
