Browsers such as Firefox and IE have reported that SSLv3 is disabled. OpenSSL provides fixes for SSLv3 for the major distros running cPanel/WHM servers.
The SSL 3.0 vulnerability can allow a man-in-the-middle attacker to break into a secure session.
The fix is to disable the CBC ciphers in cPanel/WHM.
The script below checks whether the cPanel/WHM server is vulnerable. It must be run from a root login. If it prints any cipher output, the cPanel/WHM server may be considered vulnerable.
# Try every SSLv3 cipher against each service port and print the cipher line s_client reports.
for port in 21 443 465 993 995 2083 2087 2078 2096; do
  echo "Scanning $port"
  for cipher in $(openssl ciphers -ssl3 'ALL:eNULL' | sed -e 's/:/ /g'); do
    echo -n | openssl s_client -ssl3 -cipher "$cipher" -connect xyz.xyz.xyz.xyz:$port 2>&1 | grep -i "Cipher is"
  done
done
Note: Replace xyz.xyz.xyz.xyz with your server's IP address.
Below are the steps to disable SSL 3.0 on cPanel/WHM servers.
HTTP – Apache
Log in to your WHM, click on Service Configuration -> Apache Configuration -> Global Configuration, and set the SSL Cipher Suite to the one below
ALL:!ADH:!RC4:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH
Click on Service Configuration -> Apache Configuration -> Include Editor and add the following in the Pre Main Include
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256
SSLHonorCipherOrder on
Restart Apache services.
HTTP – Nginx
Go to the Nginx configuration and change the following line
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
to
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Restart Nginx services.
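To confirm from the configuration files that the Apache and Nginx changes above actually turn SSLv3 off, the following is an added example (not part of the original article or of cPanel's tooling). The function name allows_sslv3 is hypothetical, and it assumes mod_ssl's handling of SSLProtocol tokens, where "All" includes SSLv3, +/- adjust the set and a bare protocol name replaces it.

```sh
#!/bin/sh
# Added example. Exit status: 0 = directive leaves SSLv3 enabled,
# 1 = SSLv3 disabled, 2 = not an SSLProtocol / ssl_protocols line.
# Assumes mod_ssl semantics: "all" includes SSLv3, +/- adjust the set,
# and a bare protocol name replaces the set.
allows_sslv3() {
    # Lower-case, strip comments and Nginx's trailing ';'.
    line=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed -e 's/#.*//' -e 's/;//')
    set -f; set -- $line; set +f      # split into words without globbing
    if [ $# -eq 0 ]; then return 2; fi
    directive=$1; shift
    enabled=1                          # shell convention: 1 = false
    case $directive in
        sslprotocol)
            for tok in "$@"; do
                case $tok in
                    +all|+sslv3|all|sslv3) enabled=0 ;;
                    -all|-sslv3)           enabled=1 ;;
                    [+-]*)                 ;;           # other protocol toggled
                    *)                     enabled=1 ;; # bare name replaces set
                esac
            done ;;
        ssl_protocols)
            for tok in "$@"; do
                case $tok in sslv3) enabled=0 ;; esac
            done ;;
        *) return 2 ;;
    esac
    return $enabled
}

# Constructed sample input: the directive values shown on this page.
while IFS= read -r l; do
    if allows_sslv3 "$l"; then echo "SSLv3 still enabled: $l"; fi
done <<'EOF'
SSLProtocol All -SSLv2 -SSLv3
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
EOF
```

Feed it the SSLProtocol and ssl_protocols lines from the server's own configuration files in place of the sample lines; any line it prints still permits SSLv3.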
SMTP – Exim
Log in to your WHM, click on Service Configuration -> Exim Configuration Manager -> Advanced Editor, and set tls_require_ciphers to the one below
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
Restart Exim services.
POP/IMAP – Courier-IMAP / Dovecot
Log in to your WHM, click on Service Configuration -> Mailserver Configuration, and change the SSL Cipher List to the one below
ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM:!SSLv2
FTP – Pure-FTP / Pro-FTP
Log in to your WHM, click on Service Configuration -> FTP Server Configuration, and change the TLS Cipher Suite to the one below
HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!TLSv1:!SSLv2:!SSLv3
cPanel Web Services
Log in to your WHM, click on Service Configuration -> cPanel Web Services Configuration, and set the TLS/SSL Cipher List to the one below
ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH
cPanel Web Disk
Log in to your WHM, click on Service Configuration -> cPanel Web Disk Configuration, and change the TLS/SSL Cipher to the one below
ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH
At Velan, our server support engineers can help you fix the SSLv3 POODLE vulnerability on your cPanel/WHM server. For details, please visit managed IT services for small business.