by

Information
A CVE-2014-3566 vulnerability in the SSLv3 protocol was identified by the Google security team. There is an additional whitepaper available from OpenSSL that also describes this vulnerability.

You can check if you are vulnerable using the following script. For the parameter, specify your server IP:

# wget http://kb.odin.com/Attachments/kcs-40007/poodle.zip
# unzip poodle.zip
# chmod +x poodle.sh
# for i in `echo 21 587 443 465 7081 8443 993 995 `; do /bin/sh /root/poodle.sh $i; done

Resolution
The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol in the client or the server (or both) will deflect a potential attack.

Operating system (OS) vendors released the following security advisories to address several recent OpenSSL vulnerabilities:

Debian

RedHat

Ubuntu

CentOS

Please note the updates listed here do not actually fix the POODLE attack – they only use the TLS_FALLBACK_SCSV option to prevent triggering a fallback to SSLv3, and provide fixes for several other vulnerabilities.

It is strongly recommended you update the openssl package.

The best option is disabling SSLv3 support.

You can use the special scripts below to disable SSLv3 for all services:

for Linux – Disables Apache, nginx, proftpd, courier-imap, qmail, postfix, dovecot, Plesk server engine (for versions 11.5 and later).
for Windows – Disables SSLv3 server-wide (WARNING: A server reboot will be required).
See the following instructions on disabling SSLv3 for each service. The same instructions are applicable if your server has already been patched with pci_compliance_resolver.

Plesk service
As Plesk uses the same SSL engine, the sw-cp-server service should be configured to protect against the SSLv3 vulnerability.

NOTE: If you use Customer and Business Manager, see article #123706

Plesk 11.5 and later

Edit ‘/etc/sw-cp-server/config’. In the http section, add:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Restart:

sudo service sw-cp-server restart
Plesk 11.0

Edit /usr/local/psa/admin/conf/ssl-conf.sh, adding echo ‘ssl.use-sslv3 = “disable”‘ after the echo ‘ssl.use-sslv2 = “disable”‘ directive. The file should look like:

echo ‘ssl.engine = “enable”‘
echo ‘ssl.use-sslv2 = “disable”‘
echo ‘ssl.use-sslv3 = “disable”‘
Restart:

sudo service sw-cp-server restart
Plesk 9.x and 10.x

The solution for sw-cp-server backend in Plesk 10.x is to modify the list of available CIPHERS in /usr/local/psa/admin/conf/cipher.lst file to look like this, with no line breaks:

ECDHE-ECDSA-CAMELLIA256-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-CAMELLIA256-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-DSS-CAMELLIA256-SHA DHE-DSS-AES256-GCM-SHA384 DHE-DSS-AES256-SHA256 DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA ECDHE-ECDSA-CAMELLIA128-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-CAMELLIA128-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA
Once the /usr/local/psa/admin/conf/cipher.lst file has been modified, restart the backend:

sudo service sw-cp-server restart
Plesk 8.6.0 and older

Parallels Plesk 8.6 uses Apache as the backend for the control panel.

Add the following line to the /usr/local/psa/admin/conf/httpsd.conf file:

SSLProtocol All -SSLv2 -SSLv3
Then restart the control panel:

sudo service psa restart
Apache HTTPD Server
If you are running Apache, change your Apache configuration file (listed below are the default locations):
RedHat/CentOS /etc/httpd/conf.d/ssl.conf

Debian/Ubuntu /etc/apache2/mods-available/ssl.conf

SuSE /etc/apache2/ssl-global.conf

Include or change the following line in your Apache configuration file among the other SSL directives:

SSLProtocol All -SSLv2 -SSLv3
Run the following command to change the SSL settings in the PCI Compliance template.

# mkdir -p /usr/local/psa/admin/conf/templates/custom/
# mkdir -p /usr/local/psa/admin/conf/templates/custom/server/
# cp /usr/local/psa/admin/conf/templates/pci_compliance/server/PCI_compliance.php /usr/local/psa/admin/conf/templates/custom/server/
# sed -i ‘s/SSLProtocol -ALL +SSLv3 +TLSv1/SSLProtocol All -SSLv2 -SSLv3/g’ /usr/local/psa/admin/conf/templates/custom/server/PCI_compliance.php
Then restart the Apache webserver:

/usr/local/psa/admin/bin/websrvmng -r
Nginx server

If you are running Nginx, include the following line in your configuration among the other SSL directives in the /etc/nginx/nginx.conf:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Additionally, for all sites in Plesk 11.0 for Linux:

# mkdir -p /usr/local/psa/admin/conf/templates/custom/
# mkdir -p /usr/local/psa/admin/conf/templates/custom/domain/
# cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain/

# sed -i ‘s/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g’ /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php
For all sites in Plesk 11.5 for Linux:

# mkdir -p /usr/local/psa/admin/conf/templates/custom/
# mkdir -p /usr/local/psa/admin/conf/templates/custom/domain/
# cp /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php /usr/local/psa/admin/conf/templates/custom/
# cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain/

# sed -i ‘s/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g’ /usr/local/psa/admin/conf/templates/custom/nginxWebmailPartial.php
# sed -i ‘s/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g’ /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php
For all sites in Plesk 12.0 for Linux:

# mysqldump -uadmin -p`cat /etc/psa/.psa.shadow` psa > psa_backup.sql
# mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa
mysql> insert into misc values(‘disablesslv3’, ‘true’);
Then, reconfigure Apache and Nginx:

# /usr/local/psa/admin/bin/httpdmng –reconfigure-all
Reference: Nginx documentation

Dovecot IMAP/POP3 server
Include the following line in /etc/dovecot/dovecot.conf

ssl_protocols = !SSLv2 !SSLv3
Restart the service:

sudo service dovecot restart
Courier IMAP
Edit the following files:

/etc/courier-imap/pop3d-ssl

/etc/courier-imap/imapd-ssl

Add or modify the TLS_PROTOCOL and TLS_CIPHER_LIST directives so they look like:

TLS_PROTOCOL=TLSv1+
TLS_CIPHER_LIST=”ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS”
Restart the services:

sudo service courier-imaps restart
sudo service courier-pop3s restart
Postfix SMTP
For ‘opportunistic SSL’ (where the encryption policy is not enforced and plain is acceptable), you do not need to make any changes. Even SSLv2 is better than plain, so if you need to secure your server you should be using ‘mandatory SSL’ mode anyway.

If you still want to disable SSLv3 for opportunistic encryption, add/change:

smtpd_tls_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
If ‘mandatory SSL’ mode is already configured, add/change the smtpd_tls_mandatory_protocols setting. Add the following string to the /etc/postfix/main.cf file:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
Then restart Postfix:

sudo service postfix restart
You can verify whether SSLv3 is disabled using the following command:

openssl s_client -connect localhost:465 -ssl3
If you are not vulnerable (SSLv3 is disabled), your output should look something like:

CONNECTED(00000003)
139808606107464:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
139808606107464:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
If you are vulnerable, you should see a normal connection output, including the line:

CONNECTED(00000003)
220 mail.example.com ESMTP Postfix
DONE
Qmail MTA
Create (or edit) the /var/qmail/control/tlsserverciphers file so it looks like:

ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM
Note: disabling SSLv3 cipher makes it impossibile to use 465 (TLS) in Thunderbird.

ProFTPD server
Create and edit the /etc/proftpd.d/60-nosslv3.conf file by adding the following lines:


TLSProtocol TLSv1
TLSCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Then make sure the created configuration file is included in proftpd configuration. If missed, add to /etc/proftpd.conf the following line:

Include /etc/proftpd.d/*.conf
Then restart the service daemon:

service xinetd restart
Microsoft Internet Information Services
There is an official Microsoft Knowledgebase article about disabling particular protocols in IIS: How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services

Microsoft Windows Server stores information about different security-enhanced channel protocols that Windows Server supports. This information is stored in the registry key.

Click Start, click Run, type regedt32 or regedit, then click OK.

In Registry Editor, locate the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
On the Edit menu, click Add Value.

In the Data Type list, click DWORD.

In the Value Name box, type Enabled then click OK.

Note: If this value is present, double-click to edit it.

Type 00000000 in Binary Editor to set the value of the new key equal to “0”.

Click OK. Restart the computer.

Leave a Reply

Your email address will not be published. Required fields are marked *