Thread: New SSL Vulnerability?
-
10-17-2014, 01:16 PM #101 Aspiring Evangelist
- Join Date
- Apr 2013
- Location
- Outskirts of Milky Way
- Posts
- 391
The following worked for me on my CPanel servers:
- WHM | Service Configuration | Apache Configuration | Include Editor | Pre Main Include
- Select "All Versions"
- Add the following in the text box:
Code:
SSLHonorCipherOrder On
SSLProtocol All -SSLv2 -SSLv3
- Save and restart Apache.
If you're using LiteSpeed, update LiteSpeed first.
You can test your server at Qualys: https://www.ssllabs.com/ssltest/index.html
Your IT Concierge
Server Management, Business-class Web Hosting
Speedy, Secure, Stable Hosting for Developers
-
10-17-2014, 03:43 PM #102 Retired Moderator
- Join Date
- Oct 2010
- Posts
- 5,079
Not as active on WHT as I used to be, but still drop in and receive email notifications from here.
My personal blog site: https://www.oakleys.org.uk/blog
-
10-17-2014, 03:58 PM #103 Web Hosting Master
- Join Date
- Apr 2000
- Location
- Brisbane, Australia
- Posts
- 2,602
http://httpd.apache.org/docs/2.2/mod...norcipherorder
When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the client's preference is used. If this directive is enabled, the server's preference will be used instead.
: CentminMod.com Nginx Installer Nginx 1.25, PHP-FPM, MariaDB 10 CentOS (AlmaLinux/Rocky testing)
: Centmin Mod Latest Beta Nginx HTTP/2 HTTPS & HTTP/3 QUIC HTTPS supports TLS 1.3 via OpenSSL 1.1.1/3.0/3.1 or BoringSSL or QuicTLS OpenSSL
: Nginx & PHP-FPM Benchmarks: Centmin Mod vs EasyEngine vs Webinoly vs VestaCP vs OneInStack
-
10-17-2014, 04:12 PM #104 Aspiring Evangelist
- Join Date
- Apr 2013
- Location
- Outskirts of Milky Way
- Posts
- 391
Heh, Eva beat me to it. ;^) Just to add on a bit to the discussion, LiteSpeed already follows the server order without the need to add that declaration.
-
10-17-2014, 04:32 PM #105 Retired Moderator
- Join Date
- Oct 2010
- Posts
- 5,079
Thanks. I'm still not quite clear: if SSLv3 is explicitly disallowed entirely, the order surely is not relevant as to whether SSLv3 is used.
-
10-17-2014, 07:37 PM #106 Newbie
- Join Date
- May 2008
- Posts
- 14
The order in question is for ciphers, whilst it's the SSLv3 PROTOCOL that is to be disabled. Some ciphers are stronger than others. Stronger ciphers should be used first, so server side ordering is better than client side, as older clients may default to weaker ciphers.
Not really relevant to the POODLE issue, but rather, overall security.
-
10-17-2014, 07:58 PM #107 Junior Guru Wannabe
- Join Date
- Nov 2009
- Location
- Des Moines, Iowa
- Posts
- 55
For those of you having issues passing the test, try the following in Apache.
In WHM:
Home » Service Configuration » Apache Configuration » Global Configuration
Code:
sslciphersuite: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
Code:
SSLHonorCipherOrder On
SSLProtocol ALL -SSLv2 -SSLv3
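Added example (not part of any post in this thread): a small Python check that reads an Apache include snippet like the ones posted above and reports the two settings separately, whether SSLv3 is still enabled (the POODLE-relevant one) and whether server cipher ordering is on (general hardening). The function names, the expansion of "All", the defaults and the flat "last directive wins" handling are assumptions of this sketch, and the sample snippets are constructed.

```python
import re

# Protocols "All" expands to in this sketch (assumption: Apache 2.2-era mod_ssl
# built against OpenSSL 1.0.1, the period this thread dates from).
ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
CANON = {p.lower(): p for p in ALL}


def effective_protocols(args):
    """Apply SSLProtocol tokens left to right: bare = set, '+' = add, '-' = remove."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() == "all":
            group = set(ALL)
        elif name.lower() in CANON:
            group = {CANON[name.lower()]}
        else:
            raise ValueError(f"unknown protocol token: {tok!r}")
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = group
    return enabled


def audit(conf_text):
    """Audit one flat snippet; the last occurrence of each directive wins."""
    protocols, honor = set(ALL), False  # assumed defaults when a directive is absent
    for line in conf_text.splitlines():
        # Lines starting with '#' are comments and never match the pattern.
        m = re.match(r"(SSLProtocol|SSLHonorCipherOrder)\s+(.+)", line.strip(), re.I)
        if not m:
            continue
        if m.group(1).lower() == "sslprotocol":
            protocols = effective_protocols(m.group(2))
        else:
            honor = m.group(2).strip().lower() == "on"
    return {
        "protocols": sorted(protocols),
        "sslv3_enabled": "SSLv3" in protocols,  # the POODLE-relevant setting
        "server_cipher_order": honor,           # separate, general hardening
    }


# Constructed sample inputs.
HARDENED = "SSLHonorCipherOrder On\nSSLProtocol All -SSLv2 -SSLv3\n"
WEAK = "# constructed: SSLv3 left on\nSSLProtocol all -SSLv2\n"

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit(conf))
```

This only inspects the configuration text; an external scan such as the Qualys test mentioned in the thread is still what confirms what the running server actually negotiates.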
-
10-17-2014, 08:19 PM #108 Web Hosting Master
- Join Date
- Mar 2009
- Posts
- 3,700
Hi,
what is the difference between your method and http://www.webhostingtalk.com/showpo...1&postcount=75 and http://forums.cpanel.net/f185/how-di...bs-423541.html ?
Thanks
-
10-17-2014, 08:54 PM #109 Junior Guru Wannabe
- Join Date
- Nov 2009
- Location
- Des Moines, Iowa
- Posts
- 55
Mine explicitly disables SSLv3 and SSLv2 and doesn't just turn on everything else. I also only enabled strong ciphers and didn't just include everything.
Your mileage may vary, but I got errors from SSLlabs using the methods in the other post. The cPanel link looks like it has a good ciphersuite selection, but again you need to do what works best for you.
https://www.ssllabs.com/ssltest/anal...iumhosting.com
-
10-18-2014, 02:43 PM #110 Aspiring Evangelist
- Join Date
- Apr 2013
- Location
- Outskirts of Milky Way
- Posts
- 391
-
10-18-2014, 05:12 PM #111 Retired Moderator
- Join Date
- Oct 2010
- Posts
- 5,079
OK - I can see the value of SSLHonorCipherOrder, and people may well be advised to declare it in their include files. But it's also worth being clear that it's about a separate vulnerability.
Thanks for explaining
-
10-19-2014, 03:02 AM #112
If you use this cPanel SSLv3 disable code, it will break Java support for SolusVM VNC or any Java-based VNC.
1. Java 6u45 Protocol or cipher suite mismatch
2. IE 6 / XP Protocol or cipher suite mismatch
Dewlance® Shared/Reseller/Master Reseller - US/UK/EU/FRK/CA - SSD
WHMCS ReadyMadeKB - Tutorials for cPanel/InterWorx/Softaculous& Growing..
DemoTiger.com - Buy Demo Videos for your Hosting Company
-
10-19-2014, 04:23 AM #113
-
10-19-2014, 07:27 AM #114 Retired Moderator
- Join Date
- Oct 2010
- Posts
- 5,079
-
10-19-2014, 07:55 AM #115
-
10-19-2014, 08:01 AM #116 Hello World
- Join Date
- Nov 2009
- Location
- /etc/my.cnf
- Posts
- 10,657
We were only discussing this some 2 months back on this very forum, regarding the usage of SSLv3 and whatever else, where my words were pushed to the side by some members. Why is it only stuff like this that makes people ditch the old crap that a majority is no longer using, just to appease a slight minority?
UK Based Proactive Server Management.
Zabbix Enterprise 24/7 Monitoring.
-
10-19-2014, 08:22 AM #117 Disabled
- Join Date
- Dec 2010
- Location
- 127.0.0.1
- Posts
- 5,732
-
10-19-2014, 08:25 AM #118 Retired Moderator
- Join Date
- Oct 2010
- Posts
- 5,079
-
10-19-2014, 08:26 AM #119
-
10-19-2014, 06:26 PM #120 Web Hosting Master
- Join Date
- Mar 2005
- Location
- Ten1/0/2
- Posts
- 2,529
CPanel Shared and Reseller Hosting, OpenVZ VPS Hosting. West Coast (LA) Servers and Nodes
Running Linux since 1.0.8 Kernel!
Providing Internet Services since 1995 and Hosting Since 2004
-
10-19-2014, 06:31 PM #121 Web Hosting Master
- Join Date
- Apr 2013
- Location
- At My Desk
- Posts
- 598
After yum update all ours still say SSL 3 INSECURE
Been running a successful independent web hosting company for over 13 years
-
10-19-2014, 07:40 PM #122 Disabled
- Join Date
- Dec 2010
- Location
- 127.0.0.1
- Posts
- 5,732
-
10-19-2014, 08:53 PM #123 Web Hosting Master
- Join Date
- Apr 2013
- Location
- At My Desk
- Posts
- 598
-
10-19-2014, 11:11 PM #124 Disabled
- Join Date
- Dec 2010
- Location
- 127.0.0.1
- Posts
- 5,732
It depends on what you are using for your site, there's mainly just cPanel fixes in this thread.
- http://www.webhostingtalk.com/showpo...4&postcount=13
- http://www.webhostingtalk.com/showpo...6&postcount=20
- http://www.webhostingtalk.com/showpo...1&postcount=30
- http://www.webhostingtalk.com/showpo...4&postcount=73
- http://www.webhostingtalk.com/showpo...1&postcount=75
- http://www.webhostingtalk.com/showpo...&postcount=107
Tutorial for cPanel:
- http://www.webhostingtalk.com/showth...29#post9267329 (Webmail is 2096)
LiteSpeed was mentioned here:
- http://www.webhostingtalk.com/showpo...5&postcount=19
- http://www.litespeedtech.com/support...48/#post-82592 (Version to fix it)
Protocol is being worked on:
- http://www.webhostingtalk.com/showpo...5&postcount=62
Centos updates:
- http://www.webhostingtalk.com/showpo...5&postcount=90
I think that's everything so far. So I'd check if they can help you.
-
10-20-2014, 12:13 PM #125 Junior Guru Wannabe
- Join Date
- Dec 2011
- Posts
- 82
Hello, to be clear,
This vulnerability affects only the domains that use SSL, I mean that they are accessible via https?