SSL POODLE / SSLv3 bug

[IgorG]

Will Parallels be releasing an official patch / micro update for this issue, or do we all need to perform the edits as described here?

Please look at this KB article - http://kb.odin.com/en/123160

 

[Fritz MichaelG]

Please look at this KB article - http://kb.odin.com/en/123160

This article says:

If you're running Apache, include the following line in your configuration among the other SSL directives:

But it doesn't say where to find the configuration file (since the article applies to both Linux and Windows, I presume).

Where do I find the config file for Apache under Linux?

 

[IgorG]

Where do I find the config file for Apache under Linux?

Find it here - http://kb.odin.com/en/111283

 

[Fritz MichaelG]

Find it here - http://kb.odin.com/en/111283

I found it. It's under /etc/apache2/mods-available/ssl.conf
The article you linked does not mention the location of the global SSL config for Apache. However, it does mention that the config files (under Debian etc.) are somewhere inside /etc/apache2

 

[ThomasR]

IgorG, in http://kb.odin.com/en/123160 there is no information about securing the Plesk Web Server itself. Why?

I patched it by adding

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

to the /etc/sw-cp-server/conf.d/plesk.conf file and restarting the Plesk Web Server afterwards:

/etc/init.d/sw-cp-server restart

Is this correct?

 

[gbotica]

IgorG, in http://kb.odin.com/en/123160 there is no information about securing the Plesk Web Server itself. Why?

I patched it by adding

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

to the /etc/sw-cp-server/conf.d/plesk.conf file and restarting the Plesk Web Server afterwards:

/etc/init.d/sw-cp-server restart

Is this correct?

I would also appreciate a little more clarity on implementing this fix, including locations of all the relevant files, so we can be sure that config rebuilds or micro-updates don't overwrite the changes. Also, clarification on how to ensure that Plesk Panel itself is "fixed".

 

[ThomasR]

Does anyone knows how to patch the Plesk Web Server for Plesk 11.0? My previous post only works for Plesk 11.5 or newer.

 

[tech01]

Thanks ThomasR the Plesk control panel was not protected and is not covered under any other suggested fixes.. your suggestion successfully protect the latest version of Plesk as of this post. So I thank you, sorry I do not know how to fix for 11.0

 

[ThomasR]

Update: http://kb.odin.com/en/123160 now (finally) provides a solution for both Plesk 11.0 and 11.5/12 servers:

Plesk 11.5 and later
Edit '/etc/sw-cp-server/config', add

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Restart:

sudo service sw-cp-server restart

Plesk 11.0
Edit /usr/local/psa/admin/conf/ssl-conf.sh, add the echo 'ssl.use-sslv3 = "disable"' after the echo 'ssl.use-sslv2 = "disable"' directive, so it should looks alike:

echo 'ssl.engine = "enable"'
echo 'ssl.use-sslv2 = "disable"'`
echo 'ssl.use-sslv3 = "disable"'

Restart:

sudo service sw-cp-server restart

 

[Bobbbb]

Will Parallels be releasing an official patch / micro update for this issue, or do we all need to perform the edits as described here?

Please look at this KB article - http://kb.odin.com/en/123160

I would still like to know if, at some point in the near future, Parallels will be releasing a patch/update for this issue, making the necessary changes to the various config files.

 

[gbotica]

The paths for the NGINX configuration .php files in the KB article are still incorrect (for Plesk 12 anyway).

/usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php
/usr/local/psa/admin/conf/templates/default/nginxDomainVirtualHost.php
/usr/local/psa/admin/conf/templates/default/nginxVhosts.php​

They are:

/usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php
/usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php
/usr/local/psa/admin/conf/templates/default/server/nginxVhosts.php​

It's also a little surprising that Parallels are recommending editing the 'default' templates. Is it not possible that a future micro-update that does not include a fix for POODLE might over write these changes?

I have followed the advice given in this thread and copied to a "custom" directory, and edited as suggested.

/usr/local/psa/admin/conf/templates/custom/nginxWebmailPartial.php
/usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php
/usr/local/psa/admin/conf/templates/custom/server/nginxVhosts.php​

It would be good to get official notification from Parallels when this fix is implemented in the "default" templates, so we can remove the "custom" ones.

Apart from these differences, I have followed the instructions as per KB 123160 and my servers now check out fine and are not vulnerable to POODLE. I've implemented the changes for APACHE, NGINX, POSTFIX and SW-CP-SERVER (I don't run DOVECOT or COURIER).

Thanks to all contributors to this thread, and Parallels for their assistance and guidance.

 

[IgorG]

We have updated KB article http://kb.odin.com/en/123160 regarding sw-cp-server.

 

[pleskpanel]

Igor, can we expect to see an upcoming MU to address this in the near future? If it's just a few days away (or in an upcoming MU) it would be great to know.

 

[Dutchie]

I'm following the KB but am unable to fix 8443 and 465 on Plesk 9...
Any suggestions?

 

[cmaxwell]

After applying the recommend changes to Courier IMAP/POP files users who access mail via SSL are unable to connect to the server - the following errors occur in the mail client:

There may be a problem with the mail server or network. Verify the settings for account or try again. The server returned the error: The connection to the server “www.domain.com” on port 993 timed out.

The server shows these errors in the maillog file:

Oct 18 07:51:02 hostname courier-pop3s: couriertls: accept: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Oct 18 07:51:12 hostname courier-imaps: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Has anyone else seen this and do you know how to fix this?

 

[Bobbbb]

After applying the recommend changes to Courier IMAP/POP files users who access mail via SSL are unable to connect to the server - the following errors occur in the mail client:

There may be a problem with the mail server or network. Verify the settings for account or try again. The server returned the error: The connection to the server “www.domain.com” on port 993 timed out.

The server shows these errors in the maillog file:

Oct 18 07:51:02 hostname courier-pop3s: couriertls: accept: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Oct 18 07:51:12 hostname courier-imaps: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

Has anyone else seen this and do you know how to fix this?

Which e-mail client and version is being used?

 

[Bobbbb]

Igor, can we expect to see an upcoming MU to address this in the near future? If it's just a few days away (or in an upcoming MU) it would be great to know.

I would also like to know.

 

[cmaxwell]

Which e-mail client and version is being used?

The mail client is Mail on iOS 7 and also Mail on the Mac (don't know specific version on Mac).

Anyone else tried secure POP/IMAP after applying the recommended changes?

 

[borisr]

@Dutchie. I have the same problem. I followed the same kb and my port 465 is still marked as vulnerable. Have you found a solution ?

 

[J.Wick]

I'm still having issues after running the scripts to patch everything with NGINX on Port 7081

xxx.xxx.97.234:7081 - Vulnerable! SSLv3 connection established using SSLv3/DHE-RSA-AES256-SHA

I've tried modifying the nginx.conf file but still shows vulnerable.

Anyone have any ideas? Pulling my hair on this one.