Article ID: 123173, created on Oct 16, 2014, last review on May 11, 2015

  • Applies to:
  • H-Sphere 3.6.3

Symptoms

A CVE-2014-3566 vulnerability in SSLv3 protocol was identified by the Google security team. There is an additional whitepaper available from OpenSSL that also describes this vulnerability.

You can check if your website is vulnerable with curl:

curl -v3 -X HEAD https://www.example.com

If you are NOT vulnerable, your output should look something like this:

curl: (35) SSL connect error

If you ARE vulnerable, you will see normal connection outputs, potentially including the line:

SSL 3.0 connection using ...

Resolution

Web servers:

  1. Create custom templates for Apache and/or Apache2 according to the first step of the following KB article:

    How to generate custom HTTPD config

  2. Add SSLProtocol All -SSLv2 -SSLv3 string in the appropriate section in the generated custom configuration template on every web server:

    For Apache2: /hsphere/local/config/httpd2/httpd.conf.tmpl.custom

    <IfDefine SSL>
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl    .crl
    
    
    SSLProtocol             All -SSLv2 -SSLv3
    
    SSLPassPhraseDialog     builtin
    SSLCipherSuite          HIGH:MEDIUM:!LOW:!aNULL:!SSLv2
    SSLSessionCache         dbm:/hsphere/local/var/httpd/logs/ssl_scache
    SSLSessionCacheTimeout  300
    SSLMutex                file:/hsphere/local/var/httpd/logs/ssl_mutex
    SSLRandomSeed           startup builtin
    SSLRandomSeed           connect builtin
    CustomLog               /hsphere/local/var/httpd/logs/ssl_request_log \
                            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    
    </IfDefine>

    For Apache: /hsphere/local/config/httpd/httpd.conf.tmpl.custom

    <IfModule mod_ssl.c>
       AddType application/x-x509-ca-cert .crt
       AddType application/x-pkcs7-crl    .crl
    
       SSLProtocol             All -SSLv2 -SSLv3
    
       SSLPassPhraseDialog  builtin
       SSLCipherSuite       HIGH:MEDIUM:!LOW:!aNULL:!SSLv2
       SSLSessionCache         dbm:/hsphere/local/var/httpd/logs/ssl_scache
       SSLSessionCacheTimeout  300
       SSLMutex  file:/hsphere/local/var/httpd/logs/ssl_mutex
       SSLRandomSeed startup builtin
       SSLRandomSeed connect builtin
       SSLLog      /hsphere/local/var/httpd/logs/ssl_engine_log
       SSLLogLevel info
    </IfModule>
    
  3. Apply changes to every web server according to step three in the How to generate custom HTTPD config KB article.

H-sphere Control Panel:

  1. Generate custom configuration template:

    1.1 Download H-Sphere updater:

    # wget http://download.hsphere.parallels.com/shiv/HS/releases/U36.0/U36.0P3/U36.0P3   
    

    1.2 Run command

    ./U36.0P3 hspackages ctemplates=httpdcp
    

    Custom template will be placed into the following locations:

     /hsphere/local/home/cpanel/apache/conf/httpd.conf.tmpl.custom
    

    Edit generated custom configuration template and replace

    SSLProtocol             all -SSLv2
    

    with

    SSLProtocol             All -SSLv2 -SSLv3
    

    To apply changes log into the H-sphere CP and run update of the CP server.

    When update process is completed, restart H-sphere service:

    service httpdcp restart
    

Mail Servers:

On every Mail server change the following lines in appropriate files:

In the /hsphere/local/var/vpopmail/etc/mail-ssl.conf replace

        PROTOCOLS=SSLv3,TLSv1

with

        PROTOCOLS=TLSv1

In the /home/hsphere/local/config/mail/imap/etc/imapd-ssl replace

    TLS_PROTOCOL=SSL3
TLS_STARTTLS_PROTOCOL=SSL3

with

    TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1  

In the /hsphere/local/config/mail/imap/etc/imapd-ssl replace

    TLS_PROTOCOL=SSL3
TLS_STARTTLS_PROTOCOL=SSL3

with

    TLS_PROTOCOL=TLS1
TLS_STARTTLS_PROTOCOL=TLS1

To apply changes reboot the server.

Microsoft Internet Information Services

Official Microsoft knowledge base article about disabling particular protocol in IIS: How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services

Microsoft Windows Server stores information about different security-enhanced channel protocols that Windows Server supports. This information is stored in the registry key.

  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.

  2. In Registry Editor, locate the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
    
  3. On the Edit menu, click Add Value.

  4. In the Data Type list, click DWORD.

  5. In the Value Name box, type Enabled, and then click OK.

    Note: If this value is present, double-click the value to edit its current value.

  6. Type 00000000 in Binary Editor to set the value of the new key equal to "0".

  7. Click OK. Restart the computer.

Search Words

SSLv3

POODLE

CVE-2014-3566

6b908665c0d1eca5bdd0141a32fd712a 6311ae17c1ee52b36e68aaf4ad066387 f213b9fa8759d57bee5d547445806fe7 2e39a5e5b1423cc126cf735bac076008

Email subscription for changes to this article
Save as PDF