Poodle (What a stoopid name)

Hey guys, has anyone already read through the recommendations and and knows how to do this in Nodeworx/Siteworx?

Hi mdeinhardt

I’m sorry, I have not but I will do.

I’m sure you know, but you can disable or not set ssl3 from your ciphers, and I know you’ve read my post for setting ciphers for new siteworx accounts.

If your running latest OpenSSL, then I’m pretty sure you can use tls 1.2, but there are still some xp computers which use old IE, where they need ssl3

Many thanks

John

Thanks John, will have a look at the post you mentioned and see if I can figure it out.

Cheers,

Michael

Here is a little help to disable SSLv3: https://isc.sans.edu/forums/diary/POODLE+Turning+off+SSLv3+for+various+servers+and+client+/18837

Hi Michael and dss

This now forms part of the quals test, so you may want to update your ciphers if you have not done so. Our ciphers mitigated but to be honest, I most likely will at some point stop SSL3.

Many thanks

John

Guys, is there a clear step by step guide on how to fix this issue on both existing and new sites without disabling SSLv3 within apache on each site individually? I saw the following: http://forums.interworx.com/threads/5116-Custom-SSL-CipherSuite

But I am not sure if this resolves the issue on existing sites, keeps SSLv3 active and where exactly I should get the /usr/local/bin/custom_cipher_suite.sh script. Everything on that forum post / script appears to be commented out so I assume none of it would run if that is indeed the script. Any help would be appreciated as I have 10 servers to fix this on.

Hi ctalavera

If you have SNI turned on, your already mitigated as SNI does not use SSL.

If you want to make sure, edit /etc/httpd/http.conf.d/SSL.conf and disable SSL3, but sorry, I could wrong on the file location, but it is either httpd or httpd.conf.

You will have to manual change any static ip SSL already setup, but using custom SSL cipher suite hook, any new static ip SSL would be changed to these ciphers.

Have a look at this post, which should help and you have to manually create the file using your favourite editor.

http://forums.interworx.com/showpost.php?p=25612

Lastly, you may also want to adjust your cipher for email, /var/qmail/control/tlssrvcipher I think from memory

I hope that helps a little

Many thanks

John

To disable SSLv3 on InterWorx you just need to edit the vhost file:

nano /etc/httpd/conf.d/vhost_domain-name.conf

eg: vhost_licensecart.com.conf

Find:

<IfModule mod_interworx_settings.c>

Above it add:

SSLProtocol All -SSLv2 -SSLv3

Job done check it on: https://www.tinfoilsecurity.com/poodle

Thank you Michael!

What is your SSLCipherSuite setting in your vhost file?

[QUOTE=dss;26553]Thank you Michael!

What is your SSLCipherSuite setting in your vhost file?[/QUOTE]

Sorry for the late reply I use this mate:


SSLCipherSuite EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

Thank you, I am use the same ! :slight_smile:

I found a small problem in your solution. If you change the SSL certificate after disable SSLv3, the additional setting will be reseted, have to modify the config file again. But it works, of course!

[QUOTE=dss;26563]Thank you, I am use the same ! :slight_smile:

I found a small problem in your solution. If you change the SSL certificate after disable SSLv3, the additional setting will be reseted, have to modify the config file again. But it works, of course![/QUOTE]

Yeah haha I had to erm fix mine :stuck_out_tongue: and you’re welcome.

Hi

Just a quick post about poodle, which has been changed slightly to allow an attack on TLS.

There’s an easy fix which should fix it, which I’m sure will be coming out very soon apparently.

Many thanks

John

[QUOTE=d2d4j;26721]Hi

Just a quick post about poodle, which has been changed slightly to allow an attack on TLS.

There’s an easy fix which should fix it, which I’m sure will be coming out very soon apparently.

Many thanks

John[/QUOTE]

Haha I love SSL mate :slight_smile:

You might not be effected as we’re not: https://www.ssllabs.com/ssltest/analyze.html?d=licensecart.com

[TABLE]
[TR]
[TD]POODLE (SSLv3)[/TD]
[TD]No, SSL 3 not supported (more info)[/TD]
[/TR]
[TR]
[TD]POODLE (TLS)[/TD]
[TD]No (more info)[/TD]
[/TR]
[/TABLE]

There’s a new SSL/TLS problem being announced today and it’s likely to
affect some of the most popular web sites in the world, owing largely
to the popularity of F5 load balancers and the fact that these devices
are impacted. There are other devices known to be affected, and it’s
possible that the same flaw is present in some SSL/TLS stacks. We will
learn more in the following days.

If you want to stop reading here, take these steps: 1) check your web
site using the SSL Labs test [1]; 2) if vulnerable, apply the patch
provided by your vendor. As problems go, this one should be easy to fix.

[1] SSL Labs Server Test
https://www.ssllabs.com/ssltest/


Bulletproof TLS is a periodic newsletter providing the latest news,
summaries and commentaries on SSL/TLS and Internet PKI. It’s designed as
a complementary service to our book Bulletproof SSL and TLS:

https://www.feistyduck.com/books/bulletproof-ssl-and-tls/

Today’s announcement is actually about the POODLE attack (disclosed two
months ago, in October) repurposed to attack TLS. If you recall, SSL 3
doesn’t require its padding to be in any particular format (except for
the last byte, the length), opening itself to attacks by active network
attackers. However, even though TLS is very strict about how its padding
is formatted, it turns out that some TLS implementations omit to check
the padding structure after decryption. Such implementations are
vulnerable to the POODLE attack even with TLS.

The impact of this problem is similar to that of POODLE, with the attack
being slightly easier to execute.no need to downgrade modern clients
down to SSL 3 first, TLS 1.2 will do just fine. The main target are
browsers, because the attacker must inject malicious JavaScript to
initiate the attack. A successful attack will use about 256 requests to
uncover one cookie character, or only 4096 requests for a 16-character
cookie. This makes the attack quite practical.

According to our most recent SSL Pulse scan (which hasn’t been published
yet), about 10% of the servers are vulnerable to the POODLE attack
against TLS.

I’ll keep my blog post updated as new information is available:

http://blog.ivanristic.com/2014/12/poodle-bites-tls.html

Hi mike

Many thanks for posting in full, I cannot do that from tapatalk sorry.

I’m pretty sure there will be more and more vulnerabilities found in SSL as time goes on.

Many thanks

John

[QUOTE=d2d4j;26723]Hi mike

Many thanks for posting in full, I cannot do that from tapatalk sorry.

I’m pretty sure there will be more and more vulnerabilities found in SSL as time goes on.

Many thanks

John[/QUOTE]

Hello John mate,

You’re welcome I had a email from Ivan or someone from SSLlabs :P.

Kind regards,
Mike.

Seeting up new servers I had to dig up this information again and I also remembered the post John linked to: http://forums.interworx.com/threads/5116-Custom-SSL-CipherSuite

I’ve been following Michael’s knowlegdebase article from here https://licensecart.com/billing/plugin/support_manager/knowledgebase/view/41/a-grade-ssl-security/2/ (and always do get A+ on SSL Labs)
Does anyone know, how to extend that script (I am no programmer and would only f*** things up) and incorporate the changes described in Michael’s article into the event hook script?
I.e. add

Add the following under <VirtualHost your-server-ip:443>:
Header add Strict-Transport-Security “max-age=63072000;”

Or if you have a wildcard SSL: Header add Strict-Transport-Security “max-age=63072000; includeSubDomains”

Add the following under SSLEngine on:
SSLProtocol All -SSLv2 -SSLv3

Hi Michael

Sorry, my mobile about to die, battery 3%

Just a thought, can this not be added to siteworx skel

It’s only a quick thought and I could be wrong sorry

Many thanks

John

Hi John, afaik it’s only the non-SSL part you can edit there, but SSL stuff is generated and added another way (where/how?). Thus the event hook script for changing the cipher.

We won’t have too many accounts with SSL, but still I thought if somebody uses the event hook script, he/we might also want to add those other things for better security.

Hi Michael

Sorry, you could be correct on skel file.

I’ll try post a quick update as I think the same custom cipher hook may be able to be adapted, as it’s just search and insert, which the hook is activated after -add-SSL is triggered.

I hope it helps

Many thanks

John