Categories: cPanel

How to secure cPanel server from SSLV3 Poodle Vulnerability?

On Oct 14th Google published details of an SSL 3.0 vulnerability (POODLE) that allows an attacker in a man-in-the-middle position to decrypt parts of a secured session. Support for SSL 3.0 is present in all popular mail, FTP and web clients, which makes all of your clients exposed to an exploit based on this bug. Since SSL 3.0 is an 18-year-old obsolete protocol, we recommend that it be disabled on all cPanel servers.

Here is a quick script for you to check if your cPanel/WHM server is vulnerable. Execute the following as root. If any cipher name is printed under a port, that port still completes an SSL 3.0 handshake and the server can be considered vulnerable. (A failed handshake prints "Cipher is (NONE)", which the script filters out; port 21 is FTP with explicit TLS, so it is tested via AUTH TLS.)

HOST=203.200.152.139   # replace with your own server's address
for port in 21 443 465 993 995 2083 2087 2078 2096; do
  echo "Scanning $port"
  if [ "$port" = 21 ]; then st="-starttls ftp"; else st=""; fi
  for cipher in $(openssl ciphers -sslv3 'ALL:eNULL' | sed -e 's/:/ /g'); do
    echo -n | openssl s_client -sslv3 $st -cipher "$cipher" -connect $HOST:$port 2>&1 | grep -i "Cipher is" | grep -v "(NONE)"
  done
done
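The openssl loop above only works while the local OpenSSL build still supports -sslv3. As an added example (not part of the original post), the following Python script sends a raw SSLv3-only ClientHello to each SSL-wrapped cPanel port and reports whether the server answers with a version 3.0 ServerHello (still vulnerable) or an alert (SSLv3 disabled). The port list, the cipher-suite bytes and the host default are assumptions chosen to match the services listed in this post.

```python
import socket
import struct

# cPanel/WHM ports from the check above; 21 is left out because FTP uses
# explicit TLS (AUTH TLS first), which this raw probe does not speak.
PORTS = [443, 465, 993, 995, 2083, 2087, 2078, 2096]


def build_sslv3_client_hello() -> bytes:
    """Record-layer ClientHello that offers protocol version 3.0 only."""
    version = b"\x03\x00"
    client_random = b"\x00" * 32           # fixed bytes: this is a probe, not a session
    session_id = b"\x00"                   # zero-length session id
    suites = b"\x00\x2f\x00\x35\x00\x0a\x00\x05"  # AES128-SHA AES256-SHA DES-CBC3-SHA RC4-SHA
    cipher_suites = struct.pack("!H", len(suites)) + suites
    compression = b"\x01\x00"              # one method: null
    body = version + client_random + session_id + cipher_suites + compression
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Interpret the first record the server returns for the SSLv3 ClientHello."""
    if len(data) < 5:
        return "closed"            # no record: connection dropped, SSLv3 not offered
    content_type, record_version = data[0], data[1:3]
    if content_type == 0x16 and record_version == b"\x03\x00" and len(data) > 5 and data[5] == 0x02:
        return "sslv3-accepted"    # ServerHello at version 3.0: the port still speaks SSLv3
    if content_type == 0x15:
        return "sslv3-rejected"    # Alert (handshake_failure / protocol_version): good
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "closed"
    return classify_response(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # run on the server itself
    for port in PORTS:
        try:
            print(port, probe(host, port))
        except OSError as exc:
            print(port, "error", exc)
```

Run it after applying the changes below; every port should report "sslv3-rejected" or "closed".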

In cPanel/WHM, seven services need to be secured, viz. HTTP, POP3, IMAP, FTP, SMTP, Control Panel and Web Disk. Here is how we disabled SSL 3.0 on our servers:

HTTP – Apache / Nginx

To fix Apache,

In WHM, go to Home >> Service Configuration >> Apache Configuration >> Global Configuration, and set the SSL Cipher Suite to the one below:

ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH

Then go to Home >> Service Configuration >> Apache Configuration >> Include Editor, and include the following in Pre Main Include

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+
SSLHonorCipherOrder on

Restart Apache.

To fix Nginx,

Go to Nginx configuration, and change the line

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

to

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Restart Nginx.

SMTP – Exim

In WHM, go to Home >> Service Configuration >> Exim Configuration Manager >> Advanced Editor, and change tls_require_ciphers to

-ALL:-SSLv2:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:AES256-SHA:AES128-SHA:DES-CBC3-SHA

Restart Exim.

POP/IMAP – Courier-IMAP / Dovecot

In WHM, go to Home >> Service Configuration >> Mailserver Configuration, and change SSL Cipher List to

-ALL:-SSLv2:!ADH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:AES256-SHA:AES128-SHA:DES-CBC3-SHA

FTP – Pure-FTP / Pro-FTP

In WHM, go to Home >> Service Configuration >> FTP Server Configuration, and change the TLS Cipher Suite to

!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:AES256-SHA:AES128-SHA:DES-CBC3-SHA

cPanel Web Services

In WHM, go to Home >> Service Configuration >> cPanel Web Services Configuration, and change TLS/SSL Cipher List to

!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:AES256-SHA:AES128-SHA:DES-CBC3-SHA

cPanel Web Disk

In WHM, go to Home >> Service Configuration >> cPanel Web Disk Configuration, and change TLS/SSL Cipher List to

!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:AES256-SHA:AES128-SHA:DES-CBC3-SHA

cPanel, WHM & Webmail will have problems in the Firefox browser if we disable SSLv3, because for some weird reason Firefox allows TLS only on port 443.

Source:  Bobcares Pro-active Server Management

Nitesh Shah
