Article ID: 123167, created on Oct 16, 2014, last review on Sep 20, 2016

  • Applies to:
  • Plesk Automation 11.5

Note: for other Odin products, please refer to the hub article: https://kb.odin.com/123153

Information

CVE-2014-3566, known as POODLE (Padding Oracle On Downgraded Legacy Encryption), is a weakness in the SSLv3 protocol identified by the Google security team. It is a padding-oracle attack on SSLv3's CBC cipher suites: an attacker who can force a client and server to fall back from TLS to SSLv3 can recover parts of the encrypted session. OpenSSL has published an additional whitepaper describing the vulnerability. The only reliable fix is to stop accepting SSLv3 on every service that offers SSL/TLS, which is what the steps below do for each type of Plesk Automation node.

You can check whether a website still accepts SSLv3 with curl, forcing SSLv3 with -3 and sending a HEAD request with -I (with -X HEAD, curl waits for a response body that never arrives):

curl -v3 -I https://www.example.com

If you are NOT vulnerable, the server rejects the SSLv3 handshake and your output should look something like this:

curl: (35) SSL connect error

If you ARE vulnerable, you will see normal connection output, including a line such as:

SSL 3.0 connection using ...

This test is only meaningful if the local curl/OpenSSL build can still speak SSLv3. A build without SSLv3 support fails on the -3 option itself, before it connects, and tells you nothing about the server.

Resolution

Disable SSLv3 protocol for PA control panel:

  1. On the management node, open /etc/sw-cp-server/conf.d/plesk.conf and add the following parameter next to ssl_certificate_key (sw-cp-server uses nginx configuration syntax; listing only the TLS versions in ssl_protocols drops SSLv3, which older nginx builds otherwise enable by default):

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
  2. Check the configuration and restart sw-cp-server (run configtest first, so a typo does not leave the control panel down):

    # /etc/init.d/sw-cp-server configtest
    # /etc/init.d/sw-cp-server stop
    # /etc/init.d/sw-cp-server start
    
  3. Set the following line in the /etc/httpd/conf.d/ssl.conf file. If the file already contains an SSLProtocol directive (the stock mod_ssl ssl.conf ships one inside its VirtualHost block), change that line instead of adding a second one: where several SSLProtocol directives apply to the same context the last one wins, and a directive inside a VirtualHost overrides the server-wide one.

    SSLProtocol All -SSLv2 -SSLv3
    
  4. Restart the Apache service, e.g.

    # service httpd restart
    

Disable SSLv3 protocol for PA linux service nodes:

  1. On the service node, open /etc/sw-cp-server/conf.d/agent.conf and add the following parameter next to ssl on;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
  2. Check the configuration and restart sw-cp-server (configtest first, so a mistake does not leave the agent down):

    # /etc/init.d/sw-cp-server configtest
    # /etc/init.d/sw-cp-server stop
    # /etc/init.d/sw-cp-server start
    

Disable SSLv3 protocol on Postfix service nodes:

NOTE: These steps should be performed for all Postfix service nodes.

Postfix distinguishes 'opportunistic TLS' (encryption is offered, but plaintext is accepted too) from 'mandatory TLS'. For opportunistic TLS you do not need to change anything: an attacker who can force a downgrade to SSLv3 could just as easily strip STARTTLS and force plaintext, so even SSLv3 is better than no encryption there. If you need to secure the server, use mandatory TLS. (If policy nonetheless requires it, the corresponding setting for opportunistic mode is smtpd_tls_protocols.)

For 'mandatory TLS' mode, add or change the smtpd_tls_mandatory_protocols setting in the /etc/postfix/main.cf file:

smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3

and reload Postfix (the postfix command has no restart action; a reload is enough for a main.cf change):

sudo postfix reload

You can verify that SSLv3 is disabled with openssl s_client, forcing SSLv3 with -ssl3. Port 465 is the implicit-TLS (smtps) port; to test the STARTTLS ports 25 and 587, add -starttls smtp to the command. As with the curl check, this only proves something if the local OpenSSL build can still speak SSLv3; a build without SSLv3 support fails on the -ssl3 option itself.

openssl s_client -connect localhost:465 -ssl3

If you are not vulnerable, the server rejects the SSLv3 handshake and your output should look something like this:

    CONNECTED(00000003)
    139808606107464:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
    139808606107464:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

If you are vulnerable, the handshake completes and you should see normal connection output, including the SMTP greeting:

    CONNECTED(00000003)
    220 mail.example.com ESMTP Postfix
    DONE
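The two checks above (curl for the web server, openssl s_client for Postfix) are easy to misread when the local OpenSSL build has had SSLv3 removed: the command fails, but nothing was learned about the server. The following script is an added example, not part of this article or of Plesk Automation. It wraps openssl s_client and classifies its output, treating a client-side failure as inconclusive rather than as "not vulnerable". The environment variable names and the verdict words are its own assumptions; the strings it looks for are those printed by the OpenSSL s_client of this era, and anything it does not recognise is reported as inconclusive.

```shell
#!/bin/sh
# Added example, not part of the original KB article: probe one endpoint for
# SSLv3 with openssl s_client and classify what came back.  Unlike the bare
# commands in the article, it separates "the server refused SSLv3" from
# "the local OpenSSL cannot even offer SSLv3", which looks similar at a
# glance but proves nothing about the server.  Host/port come from
# environment variables (assumed names); nothing is contacted unless set.

# classify_sslv3_probe: read s_client's combined stdout+stderr on stdin and
# print one word: vulnerable, not-vulnerable or inconclusive.
classify_sslv3_probe() {
    out=$(tr 'A-Z' 'a-z')
    case "$out" in
        # Client-side failure: an OpenSSL built without SSLv3 rejects the
        # -ssl3 option or reports that no protocol is available.
        *"unknown option"*|*"no protocols available"*)
            echo inconclusive ;;
        # Server-side refusal: alert 40 (handshake failure, as in the article's
        # sample output), a protocol_version alert from newer stacks, or a
        # session summary with no negotiated cipher.  These are checked before
        # the "Protocol : SSLv3" line, which s_client also prints after a
        # failed handshake.
        *"handshake failure"*|*"wrong version number"*|*"protocol version"*|*"cipher    : 0000"*)
            echo not-vulnerable ;;
        # Handshake completed with SSLv3 negotiated.
        *"protocol  : sslv3"*)
            echo vulnerable ;;
        # Anything else (connection refused, timeout, ...) is not evidence.
        *)
            echo inconclusive ;;
    esac
}

# probe_sslv3 <host> <port> [starttls-protocol]: run the probe and classify it.
# Give a STARTTLS protocol (smtp, ftp, imap, pop3) for ports that begin in
# plaintext; leave it empty for implicit-TLS ports such as 443 or 465.
probe_sslv3() {
    if [ -n "${3:-}" ]; then
        openssl s_client -connect "$1:$2" -starttls "$3" -ssl3 </dev/null 2>&1 | classify_sslv3_probe
    else
        openssl s_client -connect "$1:$2" -ssl3 </dev/null 2>&1 | classify_sslv3_probe
    fi
}

# Stand-alone use (assumed variable names), e.g. for a Postfix node:
#   SSLV3_PROBE_HOST=mail.example.com SSLV3_PROBE_PORT=25 SSLV3_PROBE_STARTTLS=smtp sh probe.sh
if [ -n "${SSLV3_PROBE_HOST:-}" ]; then
    verdict=$(probe_sslv3 "$SSLV3_PROBE_HOST" "${SSLV3_PROBE_PORT:-443}" "${SSLV3_PROBE_STARTTLS:-}")
    echo "$SSLV3_PROBE_HOST:${SSLV3_PROBE_PORT:-443} $verdict"
    # Exit non-zero only when SSLv3 was actually accepted.
    [ "$verdict" != vulnerable ]
fi
```

For the other services in this article the same script applies: the control panel and Apache nodes are implicit TLS on their HTTPS ports (no STARTTLS value), smtps on 465 is implicit TLS, SMTP on 25/587 uses `smtp`, and the ProFTPD listener on 21 uses `ftp`. An `inconclusive` verdict means you need an OpenSSL build that still has SSLv3 compiled in, or a different tool, before you can draw any conclusion about that server.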

Disable SSLv3 protocol on Apache web server nodes:

NOTE: These steps should be performed for all Apache service nodes.

Set the following line in the /etc/httpd/conf.d/ssl.conf file. As on the management node, change an existing SSLProtocol directive rather than adding a second one, because the last directive in the same context wins:

SSLProtocol All -SSLv2 -SSLv3

And restart the Apache service, e.g.

# service httpd restart

Disable SSLv3 protocol on Windows service nodes:

NOTE: You should install MU #8 first before disabling SSLv3 on Windows. These steps should be performed for all Windows service nodes (IIS/Smartermail).

Windows allows broken SSLv2, SSLv3 and weak ciphers for server-side SSL/TLS connections by default.

Mitigation steps:

  1. Upload the attached fixDisableWeakCiphers.reg file onto the web server machine

  2. Double-click it and allow the operating system to update the registry

  3. Restart the computer (Schannel protocol and cipher settings only take effect after a reboot)

For more information about meanings of registry settings used, see http://support.microsoft.com/kb/245030.

Disable SSLv3 protocol on Apache web server nodes for the ProFTPD service:

Create the /etc/proftpd.d/60-nosslv3.conf file with the following content. TLSProtocol TLSv1 restricts the FTPS listener to TLS 1.0 only; ProFTPD builds that recognise the newer names also accept TLSv1.1 and TLSv1.2 in the same list. Note that this TLSCipherSuite string still permits RC4 suites:

<IfModule mod_tls.c>
TLSProtocol TLSv1
TLSCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
</IfModule>

Then make sure the new configuration file is included in the ProFTPD configuration. If it is not, add the following line to /etc/proftpd.conf:

Include /etc/proftpd.d/*.conf

Then restart xinetd, which launches ProFTPD on Plesk nodes, so that new connections pick up the configuration:

service xinetd restart
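Each of the Linux steps above changes one directive, and each daemon reads its directive differently: Apache's SSLProtocol uses +/- tokens where a bare token replaces the whole set, nginx's ssl_protocols (the syntax sw-cp-server uses) is a plain list, Postfix's smtpd_tls_mandatory_protocols is either an exclusion list or an inclusion list, and ProFTPD's TLSProtocol treats SSLv23 as "SSLv3 and up". The script below is an added example written for this page, not part of the article or of Plesk Automation. It evaluates a directive value under those rules and then audits the files named in the article; the file paths and labels are assumptions taken from the article, and it does not model Apache's VirtualHost scoping, so treat it as a sanity check on the edits rather than a substitute for probing the ports.

```shell
#!/bin/sh
# Added example, not part of the original KB article.  Each function decides
# whether a directive VALUE still permits SSLv3 under that daemon's own
# syntax; report() then applies them to the files the article names.
# The file list and labels are assumptions taken from the article; on a
# real node the last matching directive in the effective configuration
# (including vhost context, which this does not model) is what counts.

# Apache SSLProtocol: "all", "+proto", "-proto" or a bare "proto".
# A bare token replaces the whole set, "+"/"-" add or remove one protocol,
# and "all" includes SSLv3.  With no directive at all, httpd uses "all".
apache_allows_sslv3() {
    allowed=0
    for tok in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
        case "$tok" in
            all|sslv3|+all|+sslv3) allowed=1 ;;
            -all|-sslv3)           allowed=0 ;;
            +*|-*)                 ;;           # other protocol toggled, SSLv3 unchanged
            *)                     allowed=0 ;; # bare token replaces the set
        esac
    done
    [ "$allowed" -eq 1 ]
}

# nginx ssl_protocols (sw-cp-server uses nginx syntax): a plain list, so
# SSLv3 is allowed only when it is named.  A trailing ';' is stripped.
nginx_allows_sslv3() {
    for tok in $(printf '%s' "$1" | tr 'A-Z;' 'a-z '); do
        [ "$tok" = sslv3 ] && return 0
    done
    return 1
}

# Postfix smtpd_tls_mandatory_protocols: either an exclusion list ("!SSLv2,
# !SSLv3", everything else allowed) or an inclusion list ("TLSv1, TLSv1.1",
# nothing else allowed); Postfix does not let you mix the two.  The default
# excludes only SSLv2, so an absent directive still allows SSLv3.
postfix_allows_sslv3() {
    allowed=1
    inclusive=0
    for tok in $(printf '%s' "$1" | tr 'A-Z,:' 'a-z  '); do
        case "$tok" in
            '!sslv3') allowed=0 ;;
            '!'*)     ;;                        # some other protocol excluded
            *)
                if [ "$inclusive" -eq 0 ]; then inclusive=1; allowed=0; fi
                if [ "$tok" = sslv3 ]; then allowed=1; fi ;;
        esac
    done
    [ "$allowed" -eq 1 ]
}

# ProFTPD TLSProtocol: a plain list; "SSLv23" is OpenSSL's "SSLv3 and up"
# method and therefore also admits SSLv3.
proftpd_allows_sslv3() {
    for tok in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
        case "$tok" in sslv3|sslv23) return 0 ;; esac
    done
    return 1
}

# report <label> <file> <directive> <evaluator>: take the last uncommented
# occurrence of the directive, strip its name and any '=', and evaluate.
report() {
    if [ ! -r "$2" ]; then
        echo "$1: $2 not readable, skipped"
        return 0
    fi
    value=$(grep -i "^[[:space:]]*$3[[:space:]=]" "$2" | tail -n 1 |
            sed 's/^[[:space:]]*[^[:space:]=]*[[:space:]=]*//')
    if [ -z "$value" ]; then
        echo "$1: no $3 directive in $2, daemon default applies"
    elif "$4" "$value"; then
        echo "$1: SSLv3 STILL ALLOWED by '$3 $value'"
    else
        echo "$1: SSLv3 disabled by '$3 $value'"
    fi
}

# Files from the article (assumed paths); each is skipped when absent.
report "control panel sw-cp-server" /etc/sw-cp-server/conf.d/plesk.conf ssl_protocols nginx_allows_sslv3
report "service node sw-cp-server" /etc/sw-cp-server/conf.d/agent.conf ssl_protocols nginx_allows_sslv3
report "Apache" /etc/httpd/conf.d/ssl.conf SSLProtocol apache_allows_sslv3
report "Postfix mandatory TLS" /etc/postfix/main.cf smtpd_tls_mandatory_protocols postfix_allows_sslv3
report "ProFTPD" /etc/proftpd.d/60-nosslv3.conf TLSProtocol proftpd_allows_sslv3
```

The Apache evaluator is the one worth reading closely: `SSLProtocol all TLSv1` ends up allowing only TLS 1.0, because the bare token discards the set built so far, while `all -SSLv3 +SSLv3` re-enables SSLv3 at the end. Note also that "no directive found" is reported separately, since the daemon default differs per service (Apache and old nginx allow SSLv3 without a directive; Postfix excludes only SSLv2).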

Search Words

SSLv3

update to MU#8

I need to disable SSLv2 in plesk

poodle

POODLE

apache server.conf file

CVE-2014-3566

I need to disable SSLv2 in Plesk automation
