ssl v3 vulnerability

wanah

#1
Hello,

I've read that the latest version of LiteSpeed released today solves this without needing to change the cipher list.


Does LiteSpeed force SSLv3 to be disabled, or does it prevent browsers compatible with a more recent version from falling back?

Am I correct in understanding that in order to use this flaw, one first needs to probe the server enough to get enough to decode the contents and then manage to trick the user's browser into requesting a fallback to SSLv3?
 
#2
I've heard that an updated version of 4.2.17 was released to support SSLProtocol and SSLCipherSuite. I can confirm that this update worked for us and SSLv3 is now disabled.

This is what we've done so far:

Update LSWS:
Code:
/usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.18
Edit: LSWS 4.2.18 was released to patch this vulnerability.

Add this code to WHM » Service Configuration » Apache Configuration » Include Editor » Pre VirtualHost Include:
Code:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
Add the tweaked SSL cipher suite to WHM » Service Configuration » Apache Configuration » Global Configuration » SSL Cipher Suite. You can use the Intermediate cipher suite recommended by Mozilla.

Other services that can use SSLv3 are FTP, Exim, and Dovecot/Courier. The SSL cipher suite for these services can be changed in WHM:
WHM » FTP Server Configuration » TLS Cipher Suite
WHM » Mailserver Configuration » SSL Cipher List
WHM » Exim Configuration Manager » Advanced Editor » tls_require_ciphers

I hope that helps. Stay safe! :)
 
Last edited:

wanah

#3
Hello,

Unless I'm mistaken, it's not the cipher that needs to be changed but the protocols that need to be disabled.

I've found this that explains for Apache, Dovecot, Nginx… For Exim, not 100% sure what the correct line is yet…
 
#4
The cipher suite negotiates which network security settings and protocols to use, so it indeed needs to be changed. Not just because of this vulnerability, but as a common security practice. The same cipher suite should work fine for Apache, FTP, Email, etc.
 