Article ID: 123160, created on Oct 15, 2014, last review on Oct 24, 2015

  • Applies to:
  • Plesk Automation 11.5

Information

The POODLE vulnerability in the SSLv3 protocol (CVE-2014-3566) was identified by the Google security team. OpenSSL has also published a whitepaper describing this vulnerability.

You can check whether you are vulnerable using the following script. Pass your server IP as the parameter (the loop below assumes the archive was unpacked in /root):

    # wget http://kb.odin.com/Attachments/kcs-40007/poodle.zip
    # unzip poodle.zip
    # chmod +x poodle.sh
    # for i in 21 587 443 465 7081 8443 993 995; do /bin/sh /root/poodle.sh <IP> $i; done

Resolution

The attack described above requires an SSL 3.0 connection to be established, so disabling the SSL 3.0 protocol in the client or the server (or both) will deflect a potential attack.

Operating system (OS) vendors released the following security advisories to address several recent OpenSSL vulnerabilities:

  • Debian
  • RedHat
  • Ubuntu
  • CentOS

Please note that the updates listed here do not fix the POODLE weakness itself: they add the TLS_FALLBACK_SCSV option, which prevents a client that supports it from being tricked into falling back to SSLv3, and they fix several other vulnerabilities.

It is strongly recommended you update the openssl package.

The best option is disabling SSLv3 support.

You can use the special scripts below to disable SSLv3 for all services:

  • for Linux - Disables Apache, nginx, proftpd, courier-imap, qmail, postfix, dovecot, Plesk server engine (for versions 11.5 and later).
  • for Windows - Disables SSLv3 server-wide (WARNING: A server reboot will be required).

See the following instructions on disabling SSLv3 for each service. The same instructions are applicable if your server has already been patched with pci_compliance_resolver.

Plesk service

As Plesk uses the same SSL engine, the sw-cp-server service should be configured to protect against the SSLv3 vulnerability.

NOTE: If you use Customer and Business Manager, see article #123706

Plesk 11.5 and later

Edit '/etc/sw-cp-server/config'. In the http section, add:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Restart:

    sudo service sw-cp-server restart

Plesk 11.0

Edit /usr/local/psa/admin/conf/ssl-conf.sh and add the line echo 'ssl.use-sslv3 = "disable"' after the echo 'ssl.use-sslv2 = "disable"' line. The relevant part of the file should look like:

    echo 'ssl.engine = "enable"'
    echo 'ssl.use-sslv2 = "disable"'
    echo 'ssl.use-sslv3 = "disable"'

Restart:

    sudo service sw-cp-server restart

Plesk 9.x and 10.x

The solution for the sw-cp-server backend in Plesk 10.x is to modify the list of available ciphers in the /usr/local/psa/admin/conf/cipher.lst file so that it contains the following, on a single line with no line breaks:

    ECDHE-ECDSA-CAMELLIA256-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-CAMELLIA256-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-DSS-CAMELLIA256-SHA DHE-DSS-AES256-GCM-SHA384 DHE-DSS-AES256-SHA256 DHE-DSS-AES256-SHA DHE-RSA-CAMELLIA256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA ECDHE-ECDSA-CAMELLIA128-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-CAMELLIA128-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA

Once the /usr/local/psa/admin/conf/cipher.lst file has been modified, restart the backend:

    sudo service sw-cp-server restart

Plesk 8.6.0 and older

Parallels Plesk 8.6 uses Apache as the backend for the control panel.

Add the following line to the /usr/local/psa/admin/conf/httpsd.conf file:

    SSLProtocol All -SSLv2 -SSLv3

Then restart the control panel:

    sudo service psa restart

Apache HTTPD Server

If you are running Apache, change your Apache configuration file (the default locations are listed below):

  • RedHat/CentOS: /etc/httpd/conf.d/ssl.conf
  • Debian/Ubuntu: /etc/apache2/mods-available/ssl.conf
  • SuSE: /etc/apache2/ssl-global.conf

Include or change the following line in your Apache configuration file among the other SSL directives:

    SSLProtocol All -SSLv2 -SSLv3

Run the following commands to change the SSL settings in the PCI Compliance template as well:

    # mkdir -p /usr/local/psa/admin/conf/templates/custom/
    # mkdir -p /usr/local/psa/admin/conf/templates/custom/server/
    # cp /usr/local/psa/admin/conf/templates/pci_compliance/server/PCI_compliance.php /usr/local/psa/admin/conf/templates/custom/server/
    # sed -i 's/SSLProtocol -ALL +SSLv3 +TLSv1/SSLProtocol All -SSLv2 -SSLv3/g' /usr/local/psa/admin/conf/templates/custom/server/PCI_compliance.php

Then restart the Apache web server:

    /usr/local/psa/admin/bin/websrvmng -r

Nginx server

If you are running Nginx, include the following line among the other SSL directives in /etc/nginx/nginx.conf:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Additionally, for all sites in Plesk 11.0 for Linux:

    # mkdir -p /usr/local/psa/admin/conf/templates/custom/
    # mkdir -p /usr/local/psa/admin/conf/templates/custom/domain/
    # cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain/
    # sed -i 's/ssl_protocols               SSLv2 SSLv3 TLSv1;/ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

For all sites in Plesk 11.5 for Linux:

    # mkdir -p /usr/local/psa/admin/conf/templates/custom/
    # mkdir -p /usr/local/psa/admin/conf/templates/custom/domain/
    # cp /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php /usr/local/psa/admin/conf/templates/custom/
    # cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain/
    # sed -i 's/ssl_protocols               SSLv2 SSLv3 TLSv1;/ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/custom/nginxWebmailPartial.php
    # sed -i 's/ssl_protocols               SSLv2 SSLv3 TLSv1;/ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;/g' /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php

For all sites in Plesk 12.0 for Linux:

    # mysqldump -uadmin -p`cat /etc/psa/.psa.shadow` psa > psa_backup.sql
    # mysql -uadmin -p`cat /etc/psa/.psa.shadow` psa
    mysql> insert into misc values('disablesslv3', 'true');

Then, reconfigure Apache and Nginx:

    # /usr/local/psa/admin/bin/httpdmng --reconfigure-all

Reference: Nginx documentation

Dovecot IMAP/POP3 server

Include the following line in /etc/dovecot/dovecot.conf:

    ssl_protocols = !SSLv2 !SSLv3

Restart the service:

    sudo service dovecot restart

Courier IMAP

Edit the following files:

  • /etc/courier-imap/pop3d-ssl
  • /etc/courier-imap/imapd-ssl

Add or modify the TLS_PROTOCOL and TLS_CIPHER_LIST directives so they look like:

    TLS_PROTOCOL=TLSv1+
    TLS_CIPHER_LIST="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"

Restart the services:

    sudo service courier-imaps restart
    sudo service courier-pop3s restart

Postfix SMTP

For 'opportunistic SSL' (where the encryption policy is not enforced and plaintext is acceptable), you do not need to make any changes: even SSLv2 is better than plain, so if you need to secure your server you should be using 'mandatory SSL' mode anyway.

If you still want to disable SSLv3 for opportunistic encryption, add or change the following in /etc/postfix/main.cf:

    smtpd_tls_protocols=!SSLv2,!SSLv3
    smtp_tls_protocols=!SSLv2,!SSLv3

If 'mandatory SSL' mode is already configured, add or change the smtpd_tls_mandatory_protocols setting in /etc/postfix/main.cf:

    smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

Then restart Postfix:

    sudo service postfix restart

You can verify whether SSLv3 is disabled using the following command:

    openssl s_client -connect localhost:465 -ssl3

If you are not vulnerable (SSLv3 is disabled), your output should look something like:

    CONNECTED(00000003)
    139808606107464:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
    139808606107464:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:

If you are vulnerable, you should see normal connection output, including lines like:

    CONNECTED(00000003)
    220 mail.example.com ESMTP Postfix
    DONE
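The same check as a script, covering both the poodle.sh port loop at the top of this article and the s_client test just shown. This is an added example, not the article's poodle.sh: the STARTTLS handling for ports 21 and 587, the 10-second timeout and the two sample outputs are this example's own assumptions (the samples are constructed to match the output shown above, not real captures).

```shell
# Added example, not the article's poodle.sh: probe the article's port list with
# "openssl s_client -ssl3" and classify each answer the way the verification step
# above reads it. Assumes an openssl build that still accepts -ssl3 and GNU timeout.
# STARTTLS ports need s_client to upgrade first; the others are implicit TLS.
starttls_arg() {
    case "$1" in
        21)  printf '%s\n' "-starttls ftp" ;;
        587) printf '%s\n' "-starttls smtp" ;;
        *)   : ;;
    esac
}
# Classify s_client output (stdout+stderr merged): vulnerable | disabled | unreachable | unknown.
# Failure signs go first: a failed handshake still prints "Protocol  : SSLv3".
classify_sslv3_output() {
    case "$1" in
        *"connect:errno"*|*"Connection refused"*) echo unreachable ;;
        *"handshake failure"*|*"Cipher is (NONE)"*|*"Cipher    : 0000"*|*"wrong version number"*|*"unsupported protocol"*) echo disabled ;;
        *"Protocol  : SSLv3"*) echo vulnerable ;;
        *) echo unknown ;;
    esac
}
# Negotiated cipher from the SSL-Session summary (empty when none).
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p' | head -n 1
}
probe_port() {
    host=$1; port=$2
    out=$(echo | timeout 10 openssl s_client -connect "$host:$port" -ssl3 $(starttls_arg "$port") 2>&1)
    verdict=$(classify_sslv3_output "$out")
    if [ "$verdict" = vulnerable ]; then
        echo "$host:$port Vulnerable! SSLv3 connection established using SSLv3/$(negotiated_cipher "$out")"
    else
        echo "$host:$port $verdict"
    fi
}
# Constructed samples shaped like the outputs shown above, not real captures.
SAMPLE_DISABLED='CONNECTED(00000003)
139808606107464:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40'
SAMPLE_VULNERABLE='CONNECTED(00000003)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA'
# Usage: sh poodle_check.sh <IP>; with no argument, classify the samples instead.
if [ -n "${1:-}" ]; then
    for p in 21 587 443 465 7081 8443 993 995; do probe_port "$1" "$p"; done
else
    echo "sample (disabled):   $(classify_sslv3_output "$SAMPLE_DISABLED")"
    echo "sample (vulnerable): $(classify_sslv3_output "$SAMPLE_VULNERABLE")"
fi
```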

Qmail MTA

Create (or edit) the /var/qmail/control/tlsserverciphers file so it looks like:

    ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM

Note: disabling the SSLv3 ciphers makes it impossible to use port 465 (TLS) in Thunderbird.

ProFTPD server

Create the /etc/proftpd.d/60-nosslv3.conf file with the following content:

    <IfModule mod_tls.c>
    TLSProtocol TLSv1
    TLSCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    </IfModule>

Then make sure the new file is included in the ProFTPD configuration. If it is not, add the following line to /etc/proftpd.conf:

    Include /etc/proftpd.d/*.conf

Then restart the service daemon:

    service xinetd restart
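A way to confirm that the edits above actually took effect, as an added example that is not the article's or Plesk's own code: it decides whether a protocol directive still admits SSLv3 under each service's syntax (Apache's All plus +/- form, the plain allow-lists of nginx and ProFTPD, the ! exclusion form of Dovecot and Postfix) and audits a file for such lines. The style names and the --system mode are this example's own; the file paths in it are the defaults listed in this article.

```shell
# Added example, not the KB article's or Plesk's code: decide whether a protocol
# directive still lets SSLv3 through under each service's own syntax, then audit
# config files for such lines. Assumes POSIX sh with grep -E and sed -E.
# sslv3_enabled STYLE VALUE -> exit 0 if SSLv3 would still be negotiable.
#   apache : SSLProtocol, "All" plus +/- tokens ("All -SSLv2 -SSLv3")
#   list   : plain allow-list (nginx ssl_protocols; ProFTPD TLSProtocol, where SSLv23 = SSLv3+TLS)
#   exclude: Dovecot ssl_protocols / Postfix *_tls_*protocols: "!SSLv2 !SSLv3" removes from "all"; a bare list allows only what it names
sslv3_enabled() {
    style=$1; shift
    on=0; pos=0; excl=0
    for tok in $(printf '%s' "$*" | tr ',' ' ' | tr 'A-Z' 'a-z'); do
        case $tok in
            all|+all)            on=1 ;;
            -all)                on=0 ;;
            sslv3|+sslv3|sslv23) on=1; pos=1 ;;
            -sslv3|!sslv3)       on=0; excl=1 ;;
            -*|!*)               ;;          # exclusion of some other protocol
            *)                   pos=1 ;;    # a positive allow-list entry
        esac
    done
    if [ "$style" = exclude ]; then
        # no "!SSLv3", and either nothing positive (default = all) or SSLv3 named
        [ "$excl" -eq 0 ] && { [ "$pos" -eq 0 ] || [ "$on" -eq 1 ]; }
    else
        [ "$on" -eq 1 ]
    fi
}
# audit_directive STYLE FILE DIRECTIVE -> one verdict per uncommented DIRECTIVE line
# (an empty value, i.e. the service default, is skipped); exit 1 if any line still
# allows SSLv3, 0 otherwise (also when the file or directive is absent).
audit_directive() {
    style=$1; file=$2; directive=$3
    report=$(grep -E "^[[:space:]]*$directive([[:space:]]|=)" "$file" 2>/dev/null |
             sed -E "s/^[[:space:]]*$directive[[:space:]]*=?[[:space:]]*//; s/[;\"]//g" |
             while IFS= read -r value; do
                 [ -n "$value" ] || continue
                 if sslv3_enabled "$style" "$value"; then echo "$file: $directive '$value' -> SSLv3 still ENABLED"
                 else echo "$file: $directive '$value' -> ok"; fi
             done)
    [ -n "$report" ] && printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q 'SSLv3 still ENABLED'
}
# Usage: sh sslv3_audit.sh --system  (default paths from the article above)
if [ "${1:-}" = --system ]; then
    audit_directive apache  /etc/httpd/conf.d/ssl.conf  SSLProtocol
    audit_directive list    /etc/nginx/nginx.conf       ssl_protocols
    audit_directive exclude /etc/dovecot/dovecot.conf   ssl_protocols
    audit_directive exclude /etc/postfix/main.cf        smtpd_tls_mandatory_protocols
fi
```

The exit status makes it usable from a cron job or a post-change check: a non-zero status means at least one directive still admits SSLv3.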

Microsoft Internet Information Services

There is an official Microsoft Knowledge Base article about disabling particular protocols in IIS: How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services

Windows Server stores its settings for the secure channel (Schannel) protocols it supports in the registry, under the key shown below.

  1. Click Start, click Run, type regedt32 or regedit, then click OK.

  2. In Registry Editor, locate the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server

  3. On the Edit menu, click Add Value.

  4. In the Data Type list, click DWORD.

  5. In the Value Name box, type Enabled, then click OK.

    Note: If this value is already present, double-click it to edit it.

  6. Type 00000000 in the Binary Editor to set the value of the new key to 0.

  7. Click OK, then restart the computer.
