  1. #101
    Join Date
    Apr 2013
    Location
    Outskirts of Milky Way
    Posts
    391
    Quote Originally Posted by vpswing View Post
    Can we run this command on Cpanel servers?
    The following worked for me on my CPanel servers:

    - WHM | Service Configuration | Apache Configuration | Include Editor | Pre Main Include
    - Select "All Versions"
    - Add the following in the text box:

    SSLHonorCipherOrder On
    SSLProtocol All -SSLv2 -SSLv3

    - save and restart Apache.

    If you're using LiteSpeed, update LiteSpeed first.

    You can test your server at Qualys: https://www.ssllabs.com/ssltest/index.html
    Your IT Concierge
    Server Management, Business-class Web Hosting
    Speedy, Secure, Stable Hosting for Developers

  2. #102
    Join Date
    Oct 2010
    Posts
    5,079
    Quote Originally Posted by edigest View Post
    The following worked for me on my CPanel servers:

    - WHM | Service Configuration | Apache Configuration | Include Editor | Pre Main Include
    - Select "All Versions"
    - Add the following in the text box:

    SSLHonorCipherOrder On
    SSLProtocol All -SSLv2 -SSLv3

    - save and restart Apache.

    If you're using LiteSpeed, update LiteSpeed first.

    You can test your server at Qualys: https://www.ssllabs.com/ssltest/index.html
    Out of interest, why do you say that you need the SSLHonorCipherOrder declaration? Can't see why this would make any difference in this case.
    Not as active on WHT as I used to be, but still drop in and receive email notifications from here.
    My personal blog site: https://www.oakleys.org.uk/blog

  3. #103
    Join Date
    Apr 2000
    Location
    Brisbane, Australia
    Posts
    2,602
    Quote Originally Posted by OakHosting_James View Post
    Out of interest, why do you say that you need the SSLHonorCipherOrder declaration? Can't see why this would make any difference in this case.
    http://httpd.apache.org/docs/2.2/mod...norcipherorder
    When choosing a cipher during an SSLv3 or TLSv1 handshake, normally the client's preference is used. If this directive is enabled, the server's preference will be used instead.
    basically to take away the client preference
    : CentminMod.com Nginx Installer Nginx 1.25, PHP-FPM, MariaDB 10 CentOS (AlmaLinux/Rocky testing)
    : Centmin Mod Latest Beta Nginx HTTP/2 HTTPS & HTTP/3 QUIC HTTPS supports TLS 1.3 via OpenSSL 1.1.1/3.0/3.1 or BoringSSL or QuicTLS OpenSSL
    : Nginx & PHP-FPM Benchmarks: Centmin Mod vs EasyEngine vs Webinoly vs VestaCP vs OneInStack

  4. #104
    Join Date
    Apr 2013
    Location
    Outskirts of Milky Way
    Posts
    391
    Heh, Eva beat me to it. ;^) Just to add on a bit to the discussion, LiteSpeed already follows the server order without the need to add that declaration.

  5. #105
    Join Date
    Oct 2010
    Posts
    5,079
    Thanks. I'm still not quite clear: if SSLv3 is explicitly disallowed entirely, the order surely is not relevant as to whether SSLv3 is used.

  6. #106
    The order in question is for ciphers, whilst it's the SSLv3 PROTOCOL that is to be disabled. Some ciphers are stronger than others. Stronger ciphers should be used first, so server side ordering is better than client side, as older clients may default to weaker ciphers.

    Not really relevant to the POODLE issue, but rather, overall security.
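
Posts #102 to #106 turn on the difference between the protocol version and the cipher preference order. As an added example (not part of any post in this thread), this shell sketch models the two choices separately; the function names, the client lists and the concrete cipher names are constructed for illustration, and the model ignores which ciphers are valid for which protocol.

```shell
#!/bin/sh
# Added illustration: simplified model of a handshake's two independent choices.
# All lists are constructed sample values, colon-separated, most preferred first.

# first_common LIST1 LIST2: print the first item of LIST1 that also appears in LIST2.
first_common() {
  old_ifs=$IFS; IFS=:
  for item in $1; do
    case ":$2:" in
      *":$item:"*) IFS=$old_ifs; printf '%s\n' "$item"; return 0 ;;
    esac
  done
  IFS=$old_ifs
  return 1
}

# negotiate HONOR SERVER_PROTOS SERVER_CIPHERS CLIENT_PROTOS CLIENT_CIPHERS
# HONOR=on models "SSLHonorCipherOrder On" (the server's cipher order wins);
# HONOR=off models the behaviour without it (the client's order wins).
negotiate() {
  proto=$(first_common "$2" "$4") || { echo "handshake failure: no common protocol"; return 1; }
  if [ "$1" = on ]; then pref=$3; other=$5; else pref=$5; other=$3; fi
  cipher=$(first_common "$pref" "$other") || { echo "handshake failure: no common cipher"; return 1; }
  echo "$proto $cipher"
}

# Server with "SSLProtocol All -SSLv2 -SSLv3": SSLv3 is simply absent from its list.
SRV_PROTOS="TLSv1.2:TLSv1.1:TLSv1"
SRV_CIPHERS="ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA"
# Constructed older client that lists 3DES ahead of AES.
OLD_PROTOS="TLSv1:SSLv3"
OLD_CIPHERS="DES-CBC3-SHA:AES128-SHA"

negotiate off "$SRV_PROTOS" "$SRV_CIPHERS" "$OLD_PROTOS" "$OLD_CIPHERS"
negotiate on  "$SRV_PROTOS" "$SRV_CIPHERS" "$OLD_PROTOS" "$OLD_CIPHERS"
# An SSLv3-only client fails at the protocol step whatever the cipher order setting is.
negotiate on  "$SRV_PROTOS" "$SRV_CIPHERS" "SSLv3" "$OLD_CIPHERS" || true
```

The protocol result is the same in both runs; only the cipher changes with the order setting.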

  7. #107
    Join Date
    Nov 2009
    Location
    Des Moines, Iowa
    Posts
    55
    For those of you having issues passing the test, try the following in Apache.

    In WHM:
    Home » Service Configuration » Apache Configuration » Global Configuration

    Code:
    sslciphersuite: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    Home » Service Configuration » Apache Configuration » Include Editor » pre_main_global.conf
    Code:
    SSLHonorCipherOrder On
    SSLProtocol ALL -SSLv2 -SSLv3
    You should score an A at https://www.ssllabs.com/ssltest/analyze.html unless you have certificate issues.
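
To check an include like the one in post #107 before relying on an external scan, the following added example (not code from the thread or from cPanel) evaluates the tokens of the last `SSLProtocol` directive in a config text. The function names are hypothetical, the set behind `all` is an assumption, and the model covers a single scope without following `Include` lines or virtual host overrides.

```shell
#!/bin/sh
# Added illustration: which protocols does the last SSLProtocol directive leave enabled?
# Simplified model: one scope, no Include following, no <VirtualHost> overrides.
# Assumption: "all" stands for the five protocol names below; the real set depends
# on the Apache and OpenSSL build.

# effective_protocols: Apache config text on stdin -> enabled protocols (lowercase).
effective_protocols() {
  awk '
    BEGIN { n = split("sslv2 sslv3 tlsv1 tlsv1.1 tlsv1.2", known, " ") }
    /^[ \t]*#/ { next }                        # skip comment lines
    tolower($1) == "sslprotocol" {
      split("", on); seen = 1                  # a later directive replaces an earlier one
      for (i = 2; i <= NF; i++) {
        tok = tolower($i); act = ""
        if (tok ~ /^[+-]/) { act = substr(tok, 1, 1); tok = substr(tok, 2) }
        if (tok == "all") {
          for (k = 1; k <= n; k++) {
            if (act == "-") delete on[known[k]]
            else on[known[k]] = 1
          }
        }
        else if (act == "-") delete on[tok]
        else if (act == "+") on[tok] = 1
        else { split("", on); on[tok] = 1 }    # bare name replaces what came before
      }
    }
    END {
      if (!seen) { print "unset"; exit }
      out = ""
      for (k = 1; k <= n; k++) if (known[k] in on) out = out (out == "" ? "" : " ") known[k]
      print out
    }'
}

# sslv3_enabled: exit status 0 if the config on stdin still allows SSLv3.
# Assumption: with no directive the default is "all", so "unset" counts as enabled.
sslv3_enabled() {
  case " $(effective_protocols) " in
    *" sslv3 "*|" unset ") return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed samples: the thread's include, then one that forgets -SSLv3.
printf 'SSLHonorCipherOrder On\nSSLProtocol All -SSLv2 -SSLv3\n' | effective_protocols
printf 'SSLProtocol All -SSLv2\n' | sslv3_enabled && echo "SSLv3 still enabled"
```

Feed it the saved include file on stdin, for example `effective_protocols < pre_main_global.conf`.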

  8. #108
    Join Date
    Mar 2009
    Posts
    3,700
    Quote Originally Posted by LithiumTJ View Post
    For those of you having issues passing the test, try the following in Apache.

    In WHM:
    Home » Service Configuration » Apache Configuration » Global Configuration

    Code:
    sslciphersuite: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    Home » Service Configuration » Apache Configuration » Include Editor » pre_main_global.conf
    Code:
    SSLHonorCipherOrder On
    SSLProtocol ALL -SSLv2 -SSLv3
    You should score an A at https://www.ssllabs.com/ssltest/analyze.html unless you have certificate issues.
    Hi,

    What is the difference between your method and http://www.webhostingtalk.com/showpo...1&postcount=75 and http://forums.cpanel.net/f185/how-di...bs-423541.html ?

    Thanks

  9. #109
    Join Date
    Nov 2009
    Location
    Des Moines, Iowa
    Posts
    55
    Quote Originally Posted by ttgt View Post
    Mine explicitly disables SSLv3 and SSLv2 and doesn't just turn on everything else. I also only enabled strong ciphers and didn't just include everything.

    Your mileage may vary, but I got errors from SSLlabs using the methods in the other post. The cPanel link looks like it has a good ciphersuite selection, but again you need to do what works best for you.

    https://www.ssllabs.com/ssltest/anal...iumhosting.com

  10. #110
    Join Date
    Apr 2013
    Location
    Outskirts of Milky Way
    Posts
    391
    Quote Originally Posted by OakHosting_James View Post
    Thanks. I'm still not quite clear: if SSLv3 is explicitly disallowed entirely, the order surely is not relevant as to whether SSLv3 is used.
    It isn't directly related to SSLv3. This goes back to the BEAST attack and TLS. 'SSLHonorCipherOrder On' puts TLS 1.2 ciphers first so they can be used by TLS 1.2 clients, then RC4 for TLS 1.0 clients.

  11. #111
    Join Date
    Oct 2010
    Posts
    5,079
    OK - I can see the value of SSLHonorCipherOrder, and people may well be advised to declare it in their include files. But it's also worth being clear that it's about a separate vulnerability.

    Thanks for explaining

  12. #112
    If you use this cPanel SSLv3 disable code, it will break Java support for SolusVM VNC or any Java-based VNC.


    1. Java 6u45 Protocol or cipher suite mismatch
    2. IE 6 / XP Protocol or cipher suite mismatch
    Dewlance® Shared/Reseller/Master Reseller - US/UK/EU/FRK/CA - SSD
    WHMCS ReadyMadeKB - Tutorials for cPanel/InterWorx/Softaculous& Growing..
    DemoTiger.com - Buy Demo Videos for your Hosting Company

  13. #113
    Quote Originally Posted by lbeachmike View Post
    Here's guidance provided directly through cpanel in response to a ticket I had opened -

    Hi there,

    On October 14, 2014, security experts alerted the general public to a flaw in an obsolete but still-used SSL protocol (SSLv3).

    But still Port 2086 is vulnerable.

  14. #114
    Join Date
    Oct 2010
    Posts
    5,079
    Quote Originally Posted by DewlanceHosting View Post
    But still Port 2086 is vulnerable.
    That's because port 2086 is for http not https, so it's all unencrypted regardless of these settings.

  15. #115
    Quote Originally Posted by OakHosting_James View Post
    That's because port 2086 is for http not https, so it's all unencrypted regardless of these settings.
    lol, I wasted many hours trying to disable SSLv3 on Webmail.

    They listed this port as Webmail SSL (maybe this is the website of a cPanel employee):
    Code:
    http://thecpaneladmin.com/disabling-support-for-sslv3-on-a-cpanel-server/
    2086: Webmail SSL

  16. #116
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    We were only discussing this some 2 months back on this very forum, regarding the usage of SSLv3 and whatever else, where my words were pushed to the side by some members. Why is it only stuff like this that makes people ditch the old crap that a majority is no longer using, just to appease a slight minority?
    UK Based Proactive Server Management.
    Zabbix Enterprise 24/7 Monitoring.

  17. #117
    Join Date
    Dec 2010
    Location
    127.0.0.1
    Posts
    5,732
    Quote Originally Posted by DewlanceHosting View Post
    lol, I wasted many hours trying to disable SSLv3 on Webmail.

    They listed this port as Webmail SSL (maybe this is the website of a cPanel employee):
    Code:
    http://thecpaneladmin.com/disabling-support-for-sslv3-on-a-cpanel-server/
    2086: Webmail SSL
    I believe cPanel's Webmail was 2096.

  18. #118
    Join Date
    Oct 2010
    Posts
    5,079
    Quote Originally Posted by DewlanceHosting View Post
    lol, I wasted many hours trying to disable SSLv3 on Webmail.

    They listed this port as Webmail SSL (maybe this is the website of a cPanel employee):
    Code:
    http://thecpaneladmin.com/disabling-support-for-sslv3-on-a-cpanel-server/
    2086: Webmail SSL
    There's much advice in that blog post you linked to that's just plain wrong.

  19. #119
    Join Date
    Oct 2002
    Location
    /roof/ledge
    Posts
    28,088
    Quote Originally Posted by Licensecart-Mike View Post
    I believe cPanel's Webmail was 2096.
    Correct. 2095/2096 for webmail. 2086 is the unencrypted port for WHM
    Your one stop shop for decentralization

  20. #120
    Join Date
    Mar 2005
    Location
    Ten1/0/2
    Posts
    2,529
    Quote Originally Posted by lbeachmike View Post
    Any service restarts required following the openssl yum updates?
    Yes -

    Now to identify what needs to be re-started,

    Code:
    lsof | grep ssl | grep deleted

    Look for the process name and re-start any required services
    CPanel Shared and Reseller Hosting, OpenVZ VPS Hosting. West Coast (LA) Servers and Nodes
    Running Linux since 1.0.8 Kernel!
    Providing Internet Services since 1995 and Hosting Since 2004
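
The `lsof` check from post #120 can be condensed into a per-process summary. This is an added example, not part of the original post: the function names and the sample `lsof` lines are constructed, and it goes slightly beyond the posted command by also matching `libcrypto` and the `DEL` marker in the FD column.

```shell
#!/bin/sh
# Added illustration: summarise lsof lines that show a replaced OpenSSL library
# still mapped by a running process.

# stale_ssl_procs: lsof output on stdin -> one line per command, "name: pid pid ...".
# Matches libssl and libcrypto, either marked "(deleted)" or with DEL in the FD column.
stale_ssl_procs() {
  awk '
    /lib(ssl|crypto)/ && (/\(deleted\)/ || $4 == "DEL") && !seen[$1, $2]++ {
      pids[$1] = pids[$1] " " $2
    }
    END { for (cmd in pids) print cmd ":" pids[cmd] }
  ' | sort
}

# Constructed sample of lsof output after a package update (not from a real host).
sample_lsof() {
  cat <<'EOF'
COMMAND   PID     USER  FD  TYPE DEVICE SIZE/OFF   NODE NAME
httpd    2345     root mem   REG  253,0   444352 131102 /usr/lib64/libssl.so.1.0.1e (deleted)
httpd    2345     root mem   REG  253,0  1965856 131099 /usr/lib64/libcrypto.so.1.0.1e (deleted)
httpd    2346   nobody mem   REG  253,0   444352 131102 /usr/lib64/libssl.so.1.0.1e (deleted)
exim     1876 mailnull mem   REG  253,0   444352 131102 /usr/lib64/libssl.so.1.0.1e (deleted)
dovecot  1702     root DEL   REG  253,0          131099 /usr/lib64/libcrypto.so.1.0.1e
sshd     1501     root mem   REG  253,0  1965856 131177 /usr/lib64/libcrypto.so.1.0.1e
mysqld   1410    mysql   5u  REG  253,0        0     14 /tmp/ibA1b2C3 (deleted)
EOF
}

sample_lsof | stale_ssl_procs
# On a live server: lsof | stale_ssl_procs
```

Each command listed is still running against the old library and belongs to a service that needs a restart; `sshd` and `mysqld` in the sample are correctly left out.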

  21. #121
    Join Date
    Apr 2013
    Location
    At My Desk
    Posts
    598
    After yum update all ours still say SSL 3 INSECURE
    Been running a successful independent web hosting company for over 13 years

  22. #122
    Join Date
    Dec 2010
    Location
    127.0.0.1
    Posts
    5,732
    Quote Originally Posted by victormeldrew View Post
    After yum update all ours still say SSL 3 INSECURE
    You need to do the edits and then test it on a Poodle checker website.

  23. #123
    Join Date
    Apr 2013
    Location
    At My Desk
    Posts
    598
    Quote Originally Posted by Licensecart-Mike View Post
    You need to do the edits and then test it on a Poodle checker website.
    Must have missed them, are they on this thread?

  24. #124
    Join Date
    Dec 2010
    Location
    127.0.0.1
    Posts
    5,732
    Quote Originally Posted by victormeldrew View Post
    Must have missed them, are they on this thread?
    It depends on what you are using for your site, there's mainly just cPanel fixes in this thread.

    - http://www.webhostingtalk.com/showpo...4&postcount=13
    - http://www.webhostingtalk.com/showpo...6&postcount=20
    - http://www.webhostingtalk.com/showpo...1&postcount=30
    - http://www.webhostingtalk.com/showpo...4&postcount=73
    - http://www.webhostingtalk.com/showpo...1&postcount=75
    - http://www.webhostingtalk.com/showpo...&postcount=107

    Tutorial for cPanel:
    - http://www.webhostingtalk.com/showth...29#post9267329 (Webmail is 2096)

    LiteSpeed was mentioned here:
    - http://www.webhostingtalk.com/showpo...5&postcount=19
    - http://www.litespeedtech.com/support...48/#post-82592 (Version to fix it)

    Protocol is being worked on:
    - http://www.webhostingtalk.com/showpo...5&postcount=62

    Centos updates:
    - http://www.webhostingtalk.com/showpo...5&postcount=90

    I think that's everything so far. So I'd check if they can help you.

  25. #125
    Join Date
    Dec 2011
    Posts
    82
    Hello, to be clear,
    this vulnerability affects only the domains that use SSL, I mean those that are accessible via https?
