Information
A CVE-2014-3566 vulnerability in SSLv3 protocol was identified by the Google security team. There is an additional whitepaper available from OpenSSL that also describes this vulnerability.
You can check if your are vulnerable using the following script as an parameter specify your server IP:
{!{code}!}czoxODc6XCIjIHdnZXQgaHR0cDovL2tiLnNwLnBhcmFsbGVscy5jb20vQXR0YWNobWVudHMva2NzLTQwMDA3L3Bvb2RsZS5zaAojIGN7WyYqJl19aG1vZCAreCBwb29kbGUuc2gKIyBmb3IgaSBpbiBgZWNobyAyMSA1ODcgNDQzIDQ2NSA3MDgxIDg0NDMgOTkzIDk5NSBgOyBkbyAvYntbJiomXX1pbi9zaCAvcm9vdC9wb29kbGUuc2ggJmx0O0lQJmd0OyAkaTsgZG9uZQpcIjt7WyYqJl19{!{/code}!}
Resolution
The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol in the client or in the server (or both) will deflect a potential attack.
You may use special scripts below to disable SSLv3 for all the services:
- for Linux – disables Apache, nginx, proftpd, courier-imap, qmail, postfix, dovecot, Plesk server engine (for versions 11.5 and later).
- for Windows – disable SSlv3 server wide.
See instructions below to disable SSLv3 per service.
Apache HTTPD Server
If you’re running Apache, include the following line in your configuration file /etc/httpd/conf/httpd.conf
among the other SSL directives:
{!{code}!}czozMDpcIlNTTFByb3RvY29sIEFsbCAtU1NMdjIgLVNTTHYzClwiO3tbJiomXX0={!{/code}!}
And restart the server, e.g.
{!{code}!}czoyOTpcInN1ZG8gc2VydmljZSBhcGFjaGUyIHJlc3RhcnQKXCI7e1smKiZdfQ=={!{/code}!}
Nginx server
If you’re running Nginx, just include the following line in your configuration among the other SSL directives:
{!{code}!}czozNzpcInNzbF9wcm90b2NvbHMgVExTdjEgVExTdjEuMSBUTFN2MS4yOwpcIjt7WyYqJl19{!{/code}!}
additionally for all the sites in Plesk 11.5 for Linux:
{!{code}!}czo0NTQ6XCIjIHNlZCAtaSBcJ3Mvc3NsX3Byb3RvY29scyBTU0x2MiBTU0x2MyBUTFN2MTsvc3NsX3Byb3RvY29scyBUTFN2MSBUTFN2e1smKiZdfTEuMSBUTFN2MS4yOy9nXCcgL3Vzci9sb2NhbC9wc2EvYWRtaW4vY29uZi90ZW1wbGF0ZXMvZGVmYXVsdC9uZ2lueFdlYm1haWxQYXJ0e1smKiZdfWlhbC5waHAKIyBzZWQgLWkgXCdzL3NzbF9wcm90b2NvbHMgU1NMdjIgU1NMdjMgVExTdjE7L3NzbF9wcm90b2NvbHMgVExTdjEgVExTe1smKiZdfXYxLjEgVExTdjEuMjsvZ1wnIC91c3IvbG9jYWwvcHNhL2FkbWluL2NvbmYvdGVtcGxhdGVzL2RlZmF1bHQvbmdpbnhEb21haW5WaXJ0e1smKiZdfXVhbEhvc3QucGhwCiMgc2VkIC1pIFwncy9zc2xfcHJvdG9jb2xzIFNTTHYyIFNTTHYzIFRMU3YxOy9zc2xfcHJvdG9jb2xzIFRMU3Yxe1smKiZdfSBUTFN2MS4xIFRMU3YxLjI7L2dcJyAvdXNyL2xvY2FsL3BzYS9hZG1pbi9jb25mL3RlbXBsYXRlcy9kZWZhdWx0L25naW54Vmhvc3Rze1smKiZdfS5waHAKXCI7e1smKiZdfQ=={!{/code}!}
and sites in Plesk 12.0 for Linux:
{!{code}!}czo0Njg6XCIjIHNlZCAtaSBcJ3Mvc3NsX3Byb3RvY29scyBTU0x2MiBTU0x2MyBUTFN2MTsvc3NsX3Byb3RvY29scyBUTFN2MSBUTFN2e1smKiZdfTEuMSBUTFN2MS4yOy9nXCcgL3Vzci9sb2NhbC9wc2EvYWRtaW4vY29uZi90ZW1wbGF0ZXMvZGVmYXVsdC9uZ2lueFdlYm1haWxQYXJ0e1smKiZdfWlhbC5waHAKIyBzZWQgLWkgXCdzL3NzbF9wcm90b2NvbHMgU1NMdjIgU1NMdjMgVExTdjE7L3NzbF9wcm90b2NvbHMgVExTdjEgVExTe1smKiZdfXYxLjEgVExTdjEuMjsvZ1wnIC91c3IvbG9jYWwvcHNhL2FkbWluL2NvbmYvdGVtcGxhdGVzL2RlZmF1bHQvZG9tYWluL25naW54RG9te1smKiZdfWFpblZpcnR1YWxIb3N0LnBocAojIHNlZCAtaSBcJ3Mvc3NsX3Byb3RvY29scyBTU0x2MiBTU0x2MyBUTFN2MTsvc3NsX3Byb3RvY29se1smKiZdfXMgVExTdjEgVExTdjEuMSBUTFN2MS4yOy9nXCcgL3Vzci9sb2NhbC9wc2EvYWRtaW4vY29uZi90ZW1wbGF0ZXMvZGVmYXVsdC9zZXJ2e1smKiZdfWVyL25naW54Vmhvc3RzLnBocApcIjt7WyYqJl19{!{/code}!}
And reconfigure Apache:
{!{code}!}czo1NDpcIiMgL3Vzci9sb2NhbC9wc2EvYWRtaW4vYmluL2h0dHBkbW5nIC0tcmVjb25maWd1cmUtYWxsClwiO3tbJiomXX0={!{/code}!}
for all the sites in Plesk 10.4, 11.0.9 for Linux add to the Apache configuration file /etc/httpd/conf/httpd.conf
the following string:
{!{code}!}czozMDpcIlNTTFByb3RvY29sIEFsbCAtU1NMdjIgLVNTTHYzClwiO3tbJiomXX0={!{/code}!}
and restart Apache:
{!{code}!}czoyNzpcIiMgL2V0Yy9pbml0LmQvaHR0cGQgcmVzdGFyClwiO3tbJiomXX0={!{/code}!}
Reference: Nginx documentation
Dovecot IMAP/POP3 server
Include the following line in /etc/dovecot/dovecot.conf
{!{code}!}czozMDpcInNzbF9wcm90b2NvbHMgPSAhU1NMdjIgIVNTTHYzClwiO3tbJiomXX0={!{/code}!}
Restart service:
{!{code}!}czoyOTpcInN1ZG8gc2VydmljZSBkb3ZlY290IHJlc3RhcnQKXCI7e1smKiZdfQ=={!{/code}!}
Courier IMAP
Edit the following files:
/etc/courier-imap/pop3d-ssl
/etc/courier-imap/imapd-ssl
Add the following string:
{!{code}!}czo3NTpcIlRMU19DSVBIRVJfTElTVD1cIkFMTDohU1NMdjI6IVNTTHYzOiFBREg6IU5VTEw6IUVYUE9SVDohREVTOiFMT1c6QFNUUkVOe1smKiZdfUdUSFwiClwiO3tbJiomXX0={!{/code}!}
Or just modify existing one and add !SSLv3
into cipher list.
Restart services:
{!{code}!}czo3MTpcIiBzdWRvIHNlcnZpY2UgY291cmllci1pbWFwcyByZXN0YXJ0IHN1ZG8gc2VydmljZSBjb3VyaWVyLXBvcDNzIHJlc3RhcnR7WyYqJl19ClwiO3tbJiomXX0={!{/code}!}
Postfix SMTP
For ‘opportunistic SSL’ (encryption policy not enforced and plain is acceptable too), you don’t need to change anything. Even SSLv2 is better than plain, so if you need to secure your server you should be using ‘mandatory SSL’ mode anyway.
For ‘mandatory SSL’ mode being configured already, just add/change the smtpd_tls_mandatory_protocols setting. Add the following string to the /etc/postfix/main.cf
file:
{!{code}!}czo0NDpcInNtdHBkX3Rsc19tYW5kYXRvcnlfcHJvdG9jb2xzPSFTU0x2MiwhU1NMdjMKXCI7e1smKiZdfQ=={!{/code}!}
and restart Postfix:
{!{code}!}czoyOTpcInN1ZG8gc2VydmljZSBwb3N0Zml4IHJlc3RhcnQKXCI7e1smKiZdfQ=={!{/code}!}
You can verify if SSLv3 is disabled by using the following command:
{!{code}!}czo0NjpcIm9wZW5zc2wgc19jbGllbnQgLWNvbm5lY3QgbG9jYWxob3N0OjQ2NSAtc3NsMwpcIjt7WyYqJl19{!{/code}!}
If you are not vulnerable (SSLv3 disabled), your output should look something like this:
{!{code}!}czoyNDE6XCJDT05ORUNURUQoMDAwMDAwMDMpCjEzOTgwODYwNjEwNzQ2NDplcnJvcjoxNDA5NDQxMDpTU0wgcm91dGluZXM6U1NMM197WyYqJl19UkVBRF9CWVRFUzpzc2x2MyBhbGVydCBoYW5kc2hha2UgZmFpbHVyZTpzM19wa3QuYzoxMjU3OlNTTCBhbGVydCBudW1iZXIgNDAKMXtbJiomXX0zOTgwODYwNjEwNzQ2NDplcnJvcjoxNDA5RTBFNTpTU0wgcm91dGluZXM6U1NMM19XUklURV9CWVRFUzpzc2wgaGFuZHNoYWtlIGZhe1smKiZdfWlsdXJlOnMzX3BrdC5jOjU5NjoKXCI7e1smKiZdfQ=={!{/code}!}
If you are vulnerable, you should see normal connection output, including the line:
{!{code}!}czo2MDpcIkNPTk5FQ1RFRCgwMDAwMDAwMykKMjIwIG1haWwuZXhhbXBsZS5jb20gRVNNVFAgUG9zdGZpeApET05FClwiO3tbJiomXX0={!{/code}!}
Microsoft Internet Information Services
Official Microsoft knowledge base article about disabling particular protocol in IIS:
How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services
Microsoft Windows Server stores information about different security-enhanced channel protocols that Windows Server supports. This information is stored in the registry key.
-
Click Start, click Run, type regedt32
or type regedit
, and then click OK.
-
In Registry Editor, locate the following registry key:
{!{code}!}czoxMDQ6XCJIS0VZX0xPQ0FMX01BQ0hJTkVcXFN5c3RlbVxcQ3VycmVudENvbnRyb2xTZXRcXENvbnRyb2xcXFNlY3VyaXR5UHJvdmlkZXJze1smKiZdfVxcU0NIQU5ORUxcXFByb3RvY29sc1xcU1NMIDMuMFxcU2VydmVyClwiO3tbJiomXX0={!{/code}!}
-
On the Edit menu, click Add Value.
-
In the Data Type
list, click DWORD
.
-
In the Value Nam
e box, type Enabled
, and then click OK.
Note: If this value is present, double-click the value to edit its current value.
-
Type 00000000
in Binary Editor to set the value of the new key equal to “0”.
- Click OK. Restart the computer.
As Plesk is using the same SSL engine, sw-cp-server
service should be also configured to protect from SSL vulnerability.
Plesk 11.5 and later
Edit ‘/etc/sw-cp-server/config
’, add
{!{code}!}czozODpcIiBzc2xfcHJvdG9jb2xzIFRMU3YxIFRMU3YxLjEgVExTdjEuMjsKXCI7e1smKiZdfQ=={!{/code}!}
Restart:
{!{code}!}czozNTpcIiBzdWRvIHNlcnZpY2Ugc3ctY3Atc2VydmVyIHJlc3RhcnQKXCI7e1smKiZdfQ=={!{/code}!}
Plesk 11.0
Edit /usr/local/psa/admin/conf/ssl-conf.sh
, add the echo 'ssl.use-sslv3 = "disable"'
after the echo 'ssl.use-sslv2 = "disable"'
directive, so it should looks alike:
{!{code}!}czo5NzpcIiBlY2hvIFwnc3NsLmVuZ2luZSA9IFwiZW5hYmxlXCJcJyBlY2hvIFwnc3NsLnVzZS1zc2x2MiA9IFwiZGlzYWJsZVwiXCdgIGVjaG8gXCd7WyYqJl19c3NsLnVzZS1zc2x2MyA9IFwiZGlzYWJsZVwiXCcKXCI7e1smKiZdfQ=={!{/code}!}
Restart:
{!{code}!}czozNTpcIiBzdWRvIHNlcnZpY2Ugc3ctY3Atc2VydmVyIHJlc3RhcnQKXCI7e1smKiZdfQ=={!{/code}!}