Poodle (What a stoopid name)

[QUOTE=mdeinhardt;26931]Setting up new servers I had to dig up this information again and I also remembered the post John linked to: http://forums.interworx.com/threads/5116-Custom-SSL-CipherSuite

I’ve been following Michael’s knowledgebase article from here https://licensecart.com/billing/plugin/support_manager/knowledgebase/view/41/a-grade-ssl-security/2/ (and always do get A+ on SSL Labs)
Does anyone know how to extend that script (I am no programmer and would only f*** things up) and incorporate the changes described in Michael’s article into the event hook script?
I.e. add[/QUOTE]

Here is what I added to set the SSLv3 off:

After:

sed -i "s/SSLCipherSuite $oldcipher/SSLCipherSuite $newcipher/g" $file

Add:

sed -i "/SSLEngine on/a\ \ SSLProtocol All -SSLv2 -SSLv3" $file
sed -i '/^.*:443>/a\ \ Header add Strict-Transport-Security "max-age=63072000;"' $file

Okay, so I took it a step further and created a script to automate the whole process. You still need to enable the interworx plugin but everything else is done automatically:

To copy all of the code, double click and then copy it.


#!/bin/bash


# Custom Script
echo "Creating /usr/local/bin/custom_cipher_suite.sh file..."
touch /usr/local/bin/custom_cipher_suite.sh


echo "if [[ \"\$iw_working_domain\" == \"\" ]]; then" > /usr/local/bin/custom_cipher_suite.sh
echo "  exit 1" >> /usr/local/bin/custom_cipher_suite.sh
echo "fi" >> /usr/local/bin/custom_cipher_suite.sh
echo "" >> /usr/local/bin/custom_cipher_suite.sh
echo "if [[ \"\$(id -u)\" != \"0\" ]]; then" >> /usr/local/bin/custom_cipher_suite.sh
echo "  self=\"\$( cd \"\$( dirname \"\${BASH_SOURCE[0]}\" )\" && pwd )/\$(basename \$0)\"" >> /usr/local/bin/custom_cipher_suite.sh
echo "  sudo -E bash -p \$self" >> /usr/local/bin/custom_cipher_suite.sh
echo "  exit 0" >> /usr/local/bin/custom_cipher_suite.sh
echo "fi" >> /usr/local/bin/custom_cipher_suite.sh
echo "" >> /usr/local/bin/custom_cipher_suite.sh
echo "file=\"/etc/httpd/conf.d/vhost_\$iw_working_domain.conf\"" >> /usr/local/bin/custom_cipher_suite.sh
echo "" >> /usr/local/bin/custom_cipher_suite.sh
# \$file is escaped so the generated script expands it when the hook runs (it is not set here)
echo "sed -i \"/SSLProtocol/d\" \$file" >> /usr/local/bin/custom_cipher_suite.sh
echo "sed -i \"/SSLHonorCipherOrder/d\" \$file" >> /usr/local/bin/custom_cipher_suite.sh
echo "sed -i \"/SSLCipherSuite/d\" \$file" >> /usr/local/bin/custom_cipher_suite.sh
echo "sed -i \"/SSLEngine on/a\ \ SSLCipherSuite EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4\" \$file" >> /usr/local/bin/custom_cipher_suite.sh
echo "sed -i \"/SSLEngine on/a\ \ SSLHonorCipherOrder On\" \$file" >> /usr/local/bin/custom_cipher_suite.sh
echo "sed -i \"/SSLEngine on/a\ \ SSLProtocol All -SSLv2 -SSLv3\" \$file" >> /usr/local/bin/custom_cipher_suite.sh
# echo "sed -i '/^.*:443>/a\ \ Header add Strict-Transport-Security \"max-age=63072000;\"' \$file" >> /usr/local/bin/custom_cipher_suite.sh


echo "Changing permissions on /usr/local/bin/custom_cipher_suite.sh file..."
chmod 0770 /usr/local/bin/custom_cipher_suite.sh
chown iworx /usr/local/bin/custom_cipher_suite.sh


echo "[DONE]"
echo ""


# Hook File
echo "Creating /etc/iworx-hooks.conf file..."
touch /etc/iworx-hooks.conf


echo "Changing permissions on /etc/iworx-hooks.conf file..."
chown iworx /etc/iworx-hooks.conf


SEARCH_TEXT="/usr/local/bin/custom_cipher_suite.sh"


grep  $SEARCH_TEXT /etc/iworx-hooks.conf > /dev/null
if [ $? -eq 0 ] ;
    then
        #DO NOTHING
        echo "Modifications to /etc/iworx-hooks.conf already in place..."
    else


        echo "" >> /etc/iworx-hooks.conf
        echo "Ctrl_Siteworx_Ssl install /usr/local/bin/custom_cipher_suite.sh" >> /etc/iworx-hooks.conf
fi


echo "[DONE]"
echo ""


# Alter /etc/sudoers
echo "Editing /etc/sudoers file..."
SEARCH_TEXT="/usr/local/bin/custom_cipher_suite.sh"


grep  $SEARCH_TEXT /etc/sudoers > /dev/null
if [ $? -eq 0 ] ;
    then
        #DO NOTHING
        echo "Modifications to /etc/sudoers already in place..."
    else
        echo "" >> /etc/sudoers
        echo "%iworx ALL=(ALL) NOPASSWD:SETENV: /bin/bash -p /usr/local/bin/custom_cipher_suite.sh" >> /etc/sudoers
        echo "Defaults:%iworx !requiretty" >> /etc/sudoers
fi


echo "[DONE]"
echo ""


# Modify VHosts
mkdir -p /etc/httpd/conf.d/backups
cd /etc/httpd/conf.d/
files="vhost_*"
for f in $files
    do
        case "$f" in
            vhosts_000_defaults.conf)
                echo "Skipping $f file..."
            ;;
            *)
                echo "Backing up $f file..."
                
                NOW=$(date +"%m-%d-%Y-%H%M%S")
                cp -f $f backups/$f.$NOW
                
                sed -i "/SSLProtocol/d" $f
                sed -i "/SSLHonorCipherOrder/d" $f
                sed -i "/SSLCipherSuite/d" $f
                sed -i "/SSLEngine on/a\ \ SSLCipherSuite EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4" $f
                sed -i "/SSLEngine on/a\ \ SSLHonorCipherOrder On" $f
                sed -i "/SSLEngine on/a\ \ SSLProtocol All -SSLv2 -SSLv3" $f
                # sed -i '/^.*:443>/a\ \ Header add Strict-Transport-Security "max-age=63072000;"' $f
            ;;
        esac
    done
    
echo "[DONE]"
echo ""


echo "Restarting Apache..."
service httpd restart
echo "[DONE]"
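The vhost edits from the script above, as an added example that is not part of the thread: one function applies them to a single vhost file and a second verifies the result (SSLv3 and SSLv2 off, RC4 excluded, cipher order enforced, HSTS header only inside the :443 block). It assumes GNU sed and awk; the vhost file content is constructed, and the cipher string is the thread's minus the redundant EECDH+aRSA+RC4 entry, which !RC4 removes anyway.

```shell
#!/bin/bash
# Apply the thread's hardening edits to ONE vhost file (added example; assumes GNU sed/awk).
harden_vhost() {
  local f="$1"
  # drop existing TLS directives first so re-running never duplicates them
  sed -i '/^[[:space:]]*SSLProtocol/d;/^[[:space:]]*SSLHonorCipherOrder/d;/^[[:space:]]*SSLCipherSuite/d' "$f"
  # each "a" appends directly below the match, so insert in reverse order
  sed -i '/SSLEngine on/a\ \ SSLCipherSuite EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!SEED:!3DES:!CAMELLIA:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4' "$f"
  sed -i '/SSLEngine on/a\ \ SSLHonorCipherOrder On' "$f"
  sed -i '/SSLEngine on/a\ \ SSLProtocol All -SSLv2 -SSLv3' "$f"
  # HSTS is only honoured over HTTPS: add it once, directly below the :443 opening tag
  if ! grep -q Strict-Transport-Security "$f"; then
    sed -i '/:443>/a\ \ Header add Strict-Transport-Security "max-age=63072000;"' "$f"
  fi
}
# Verify: exactly one SSLProtocol line that excludes SSLv2/SSLv3 (POODLE), RC4 excluded,
# cipher order enforced, and the HSTS header present only inside a :443 VirtualHost block.
check_vhost() {
  local f="$1"
  [ "$(grep -c '^[[:space:]]*SSLProtocol' "$f")" -eq 1 ] || return 1
  grep -Eq '^[[:space:]]*SSLProtocol.*-SSLv2.*-SSLv3' "$f" || return 1
  grep -Eq '^[[:space:]]*SSLCipherSuite.*!RC4' "$f" || return 1
  grep -Eq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+On' "$f" || return 1
  awk '/<VirtualHost/ { in443 = ($0 ~ /:443>/) }
       /<\/VirtualHost>/ { in443 = 0 }
       /Strict-Transport-Security/ { seen++; if (!in443) bad++ }
       END { exit !(seen > 0 && bad == 0) }' "$f"
}
# Constructed sample vhost with legacy settings (SSLv3 allowed, RC4 ciphers)
make_sample_vhost() {
  local f
  f=$(mktemp)
  cat >"$f" <<'EOF'
<VirtualHost 192.0.2.10:80>
  ServerName example.test
</VirtualHost>
<VirtualHost 192.0.2.10:443>
  ServerName example.test
  SSLEngine on
  SSLProtocol All
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>
EOF
  echo "$f"
}
# stand-alone demo: harden the sample, verify it, print the result
f=$(make_sample_vhost); harden_vhost "$f"; check_vhost "$f" && cat "$f"; rm -f "$f"
```

Running harden_vhost a second time on the same file changes nothing, which is what you want from a hook that fires on every SiteWorx SSL install.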

Hi ctalavera

Many thanks for sharing, looks good. I’ll try it on our test server very soon, and if it works as expected, I will use it, thanks.

Many thanks

John

It definitely works. I did all 8 of our Interworx servers earlier today. I was thinking about modifying it to update the main ssl.conf as well but I simply did those files manually.

I noticed now that on the sites we made the changes to, connections are now being redirected and forced to https://. What change is forcing this? I cannot for the life of me figure it out. Any ideas?

Normally the only thing that should be redirecting is some PHP code or an .htaccess file.

But my guess is it has to do something with this line in your script:
echo "sed -i '/^.*:443>/a\ \ Header add Strict-Transport-Security \"max-age=63072000;\"' $file" >> /usr/local/bin/custom_cipher_suite.sh

I think this sets the entire site to only use https. From my original understanding it would just block sending anything over http, not actually redirect you to https, but reading this makes me think different:

Hi justin

You’re correct, that’s the code that sends everything to https.

If you want it to use both, but on https you just set the line as standard for 443 ie if you view a vhost file, the header add strict-etc needs placing directly under the http 443 section.

This will allow normal 80 and 443 under strict transport.

To see what I mean, look at 3sh.co.uk, but this is in a test server which may be stopped or reloaded etc…

Many thanks

John

Okay, looks like removing that line and clearing the cache resolved that. Thanks. Although we will leave it on our sites, I didn’t want that on our hosting clients’ sites.