The SSLv3 vulnerability – What do I need to do?!

It looks like open source is constantly being hit with vulnerabilities these days! But yeah, as a wise man once said, the more people use and study something, the more loopholes get found and fixed.

So the recent vulnerability is in the SSLv3 protocol, which until now was considered a secure protocol for establishing encrypted communication between a client and a server.

You can check whether your services are affected by this vulnerability using the online server tester at:

https://access.redhat.com/labs/poodle/

(you may need a Red Hat login to get through)

Or you can check using the following one-liner from a shell:

# openssl s_client -connect <ServerIP or hostname>:<port> -ssl3

e.g.,

# openssl s_client -connect xx.xx.xx.xx:443 -ssl3

If the service is not vulnerable, the above command should produce output something like this:

=========

CONNECTED(00000003)

xxxxxxxxxx :error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40

xxxxxxxxxxx :error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

=========

If the service bound to that port is vulnerable, the SSLv3 handshake completes instead of failing with the alert shown above.

You need to disable SSLv3 individually for each of your services.

To disable SSLv3 for httpd, follow the steps given below:

Open the file that holds your SSL directives (if configured), i.e. /etc/httpd/conf.d/ssl.conf, the top-level configuration file, or the default virtual host configuration for the address, and specify the following:

SSLProtocol All -SSLv2 -SSLv3

The above SSLProtocol directive enables every protocol version Apache supports and then disables SSLv2 and SSLv3.

If you use a WHM/cPanel server, this can be done from WHM as follows:

WHM » Service Configuration » Apache Configuration » Include Editor » Pre Main Include

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on

Save the above lines and restart the Apache service.
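The `openssl s_client -ssl3` check above has to be run by hand and read by eye. The script below is an added example (not from the original post) that does the same test in a form you can loop over a list of servers after you have applied the httpd change: it sends a bare SSLv3 ClientHello, reads the first record the server returns, and classifies it the way you would read the s_client output (an SSLv3 ServerHello means the service still accepts SSLv3; an alert 40 handshake failure, alert 70 protocol_version, or a closed connection means it refuses SSLv3). The cipher suite list is a constructed sample and the host names are placeholders you supply on the command line.

```python
"""Added example (not the blog's code): a minimal SSLv3-only probe that
mirrors `openssl s_client -connect host:port -ssl3` and classifies the
server's answer. Cipher suite list is a constructed sample."""
import os
import socket
import struct
import sys

HANDSHAKE, ALERT = 0x16, 0x15
SSLV3 = b"\x03\x00"
# Constructed sample of suites an SSLv3-era stack typically offered.
CIPHER_SUITES = [0x0035, 0x002F, 0x000A, 0x0005, 0x0004]


def build_sslv3_client_hello() -> bytes:
    """One SSLv3 record carrying a ClientHello that offers only version 3.0
    (no extensions, so a TLS-only server cannot negotiate upward)."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3                                   # client_version = 3.0
        + os.urandom(32)                        # client random
        + b"\x00"                               # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )
    # Handshake header: type 1 = ClientHello, 24-bit body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return bytes([HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server returns to the SSLv3 ClientHello:
    'vulnerable' (SSLv3 ServerHello), 'not vulnerable' (SSLv3 refused), or
    'unknown' (anything else)."""
    if not data:
        return "not vulnerable"                 # server closed the connection
    ctype = data[0]
    if ctype == ALERT and len(data) >= 7:
        description = data[6]                   # record header(5) + level(1) + description
        if description in (40, 70):             # handshake_failure / protocol_version
            return "not vulnerable"
        return "unknown"
    if ctype == HANDSHAKE and len(data) >= 11 and data[5] == 0x02:
        # ServerHello: record header(5) + hs type(1) + hs length(3) + server_version(2)
        if data[9:11] == SSLV3:
            return "vulnerable"
        return "unknown"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port, send the SSLv3 ClientHello, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    # Usage: python3 sslv3_probe.py host1[:port] host2[:port] ...
    for target in sys.argv[1:]:
        host, _, port = target.partition(":")
        print(f"{target}: {probe(host, int(port) if port else 443)}")
```

Run it against each of your own host:port pairs after restarting httpd; a service that still answers "vulnerable" has not picked up the new SSLProtocol line (a common cause is a virtual host with its own SSLProtocol directive that overrides the global one).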

For the moment, patches are still being released for each of the services. As of now, consider patching your httpd service as the first step, and then move on to the other services once fixes are available.

Also, there are a lot of suggestions in the forums to disable the SSLv3 ciphers in the cPanel configuration so that all services stop using SSLv3. However, if you are on CentOS 5, the base OpenSSL version is 0.9.8e and it includes no other ciphers, i.e. there are no TLS protocols along with it, which means that if you change cPanel to disable SSLv3, you won't be able to access anything over the browser.

You can edit /var/cpanel/conf/cpsrvd/ssl_socket_args and set the following to disable SSLv3:

ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP

As I said, if you are on OpenSSL 0.9.8e, the string above would break everything, and you would need to restore what was originally in the file /var/cpanel/conf/cpsrvd/ssl_socket_args, i.e.,

ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

You can check your current OpenSSL version and the ciphers available in your installation using the following commands:

# openssl version -a
# openssl ciphers -v

If you need to upgrade your OpenSSL to the latest version, check this post here.

So now, as a server admin, you should disable SSLv3 (first and foremost for your httpd service) for the security of your users.

As a user, you should disable SSLv3 in your browser now to protect yourself when visiting websites that still support SSLv3.