How to secure Plesk servers from SSL V3 Poodle Vulnerability?

A vulnerability in the SSLv3 protocol, CVE-2014-3566, named POODLE, was identified by the Google security team. There is an additional whitepaper available from OpenSSL that also describes this vulnerability.

You can check if your website is vulnerable with curl:

curl -v3 -I https://www.example.com

If you are NOT vulnerable, your output should look something like this:

curl: (35) SSL connect error

If you ARE vulnerable, you will see normal connection output, potentially including the line:

SSL 3.0 connection using ...

Resolution

The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol in the client or in the server (or both) will deflect a potential poodle attack.

Apache HTTPD Server

If you’re running Apache, include the following line in your configuration among the other SSL directives:

SSLProtocol All -SSLv2 -SSLv3

And restart the server, e.g.

sudo service apache2 restart

Nginx server

If you’re running Nginx, just include the following line in your configuration among the other SSL directives:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Additionally, for all the sites in Plesk for Linux:

# sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php
# sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/default/nginxDomainVirtualHost.php
# sed -i 's/ssl_protocols SSLv2 SSLv3 TLSv1;/ssl_protocols TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/default/nginxVhosts.php

And reconfigure Apache:

# /usr/local/psa/admin/bin/httpdmng --reconfigure-all

Reference: Nginx documentation

Dovecot IMAP/POP3 server

Include the following line in /etc/dovecot/dovecot.conf

ssl_protocols = !SSLv2 !SSLv3

Restart service:

sudo service dovecot restart

Courier IMAP

Edit the following files:

/etc/courier-imap/pop3d-ssl

/etc/courier-imap/imapd-ssl

Add the following string:

TLS_CIPHER_LIST="ALL:!SSLv2:!SSLv3:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"

Or just modify the existing one and add !SSLv3 to the cipher list.

Restart services:

    sudo service courier-imaps restart
    sudo service courier-pop3s restart

Postfix SMTP

For ‘opportunistic SSL’ (encryption policy not enforced and plain is acceptable too), you don’t need to change anything. Even SSLv2 is better than plain, so if you need to secure your server you should be using ‘mandatory SSL’ mode anyway.

If ‘mandatory SSL’ mode is already configured, just add or change the smtpd_tls_mandatory_protocols setting. Add the following string to the /etc/postfix/main.cf file:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

and restart Postfix:

sudo service postfix restart

You can verify if SSLv3 is disabled by using the following command:

openssl s_client -connect localhost:465 -ssl3

If you are not vulnerable (SSLv3 disabled), your output should look something like this:

CONNECTED(00000003)
139808606107464:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
139808606107464:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

If you are vulnerable, you should see normal connection output, including the line:

CONNECTED(00000003)
220 mail.example.com ESMTP Postfix
DONE
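
The curl and openssl checks above only work when the local client can still speak SSLv3, and many current builds of both ship without it. As an added example (not part of the original article), the following Python script sends a raw ClientHello that offers only SSL 3.0 and classifies the first record the server returns. The function names and sample records are constructed for illustration, and it assumes an implicit-TLS port such as 443 or 465.

```python
import socket
import struct

SSL3 = b"\x03\x00"
# Suites commonly offered with SSL 3.0: AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA, RC4-MD5
CIPHERS = b"\x00\x2f\x00\x35\x00\x0a\x00\x05\x00\x04"


def build_client_hello(random=bytes(32)):
    """One SSLv3 record holding a ClientHello whose only offered version is SSL 3.0."""
    # A fixed all-zero random is acceptable: the handshake is never completed.
    body = (SSL3 + random
            + b"\x00"                                    # empty session id
            + struct.pack("!H", len(CIPHERS)) + CIPHERS
            + b"\x01\x00")                               # null compression only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first bytes the server sent back after the ClientHello."""
    if len(data) < 6:
        return "rejected"        # connection closed or reset before a full record header
    if data[0] == 0x15:
        return "rejected"        # alert record, e.g. handshake_failure (40)
    if data[0] == 0x16 and data[5] == 0x02 and data[1:3] == SSL3:
        return "accepted"        # ServerHello negotiated at SSL 3.0
    return "unknown"


def probe_sslv3(host, port=443, timeout=5.0):
    """Offer SSL 3.0 only and report whether the server agrees to it."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(build_client_hello())
            while len(data) < 6:
                chunk = sock.recv(64)
                if not chunk:
                    break
                data += chunk
        except (ConnectionResetError, BrokenPipeError):
            pass                 # some servers drop the connection instead of sending an alert
    return classify_response(data)


if __name__ == "__main__":
    # Constructed sample records, not captured traffic.
    alert = b"\x15\x03\x00\x00\x02\x02\x28"              # fatal handshake_failure (40)
    server_hello = b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00"
    print(classify_response(alert), classify_response(server_hello))
```

A "rejected" result covers only the five cipher suites offered here. Services that use STARTTLS need the plaintext upgrade before the ClientHello and are outside what this script handles.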

Microsoft Internet Information Services

Official Microsoft knowledge base article about disabling a particular protocol in IIS: How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services

Microsoft Windows Server stores information about different security-enhanced channel protocols that Windows Server supports. This information is stored in the registry key.

  1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server
  3. On the Edit menu, click Add Value.
  4. In the Data Type list, click DWORD.
  5. In the Value Name box, type Enabled, and then click OK. Note: If this value is present, double-click the value to edit its current value.
  6. Type 00000000 in Binary Editor to set the value of the new key equal to “0”.
  7. Click OK. Restart the computer.

As Plesk is using the same SSL engine, the sw-cp-server service should also be configured to protect against the SSL vulnerability.

Plesk 11.5 and later

Edit ‘/etc/sw-cp-server/config’ and add:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Restart:

    sudo service sw-cp-server restart

Plesk 11.0

Edit /usr/local/psa/admin/conf/ssl-conf.sh and add the echo 'ssl.use-sslv3 = "disable"' line after the echo 'ssl.use-sslv2 = "disable"' directive, so that it looks like this:

    echo 'ssl.engine = "enable"'
    echo 'ssl.use-sslv2 = "disable"'
    echo 'ssl.use-sslv3 = "disable"'

Restart:

    sudo service sw-cp-server restart

Reference: Plesk Knowledgebase

Proper patching of the servers will protect your Plesk servers from the Poodle vulnerability.
