SSLv3 is a 15-year-old protocol that few clients still use, but many webservers still accept it. If you don’t run a webserver but have a website, it’s up to you to apply pressure to your webhost to make sure that SSLv3 is disabled on the system hosting your site. If you are a webserver maintainer, it’s up to you to disable SSLv3 on your server.

Update:

cPanel is providing new information for disabling SSLv3 on cPanel provided servers:

========================

For Apache:

1) Go to WHM => Service Configuration => Apache Configuration => Include Editor => Pre Main Include.
2) Select a version or All Versions.
3) If you are using CentOS/RHEL 6.x, add the following in the text box that appears:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

If you are using CentOS/RHEL 5.x, add the following in the text box that appears:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1

4) Press the Update button and rebuild your Apache configuration.

This will disable SSLv3.0 on your server running Apache.

For LiteSpeed:

LiteSpeed has released version 4.2.18 to address this issue by using OpenSSL 1.0.1j and disabling SSLv3 by default. You can force an update by running this command:

# /usr/local/lsws/admin/misc/lsup.sh -f -v 4.2.18

====

For cpsrvd and cpdavd:

1. Create the following files if they do not already exist:

/var/cpanel/conf/cpsrvd/ssl_socket_args
/var/cpanel/conf/cpdavd/ssl_socket_args

2. Add the following to those files:

SSL_version=TLSv1

Please note that forcing TLSv1 support in this way will also disable support for the newer TLSv1.1 and TLSv1.2 protocols on CentOS/RHEL 6 and this is the only option that WHM 11.44 supports to directly disable SSLv3. CentOS/RHEL 5 does not support the newer TLS protocols so limiting it to TLSv1.0 does not reduce the existing TLS protocol support. More complex protocol strings will work for cpdavd for all builds. The cpsrvd process in WHM 11.46 also supports complex protocol strings such as “SSL_version=SSLv23:!SSLv2:!SSLv3” which will preserve support for TLSv1.1 and TLSv1.2 on CentOS/RHEL 6. Any 11.44 systems only need to enable TLSv1 support using this method until a fix has been released.

====

For Dovecot:

1) Make a copy of /var/cpanel/templates/dovecot2.2/main.default
2) Edit /var/cpanel/templates/dovecot2.2/main.default. Below:

# SSL ciphers to use
[%- IF ssl_cipher_list.defined %]
ssl_cipher_list = [% ssl_cipher_list %]
[%- ELSE %]
#ssl_cipher_list = ALL:!LOW:!SSLv2
[%- END %]

Add:

# SSL/TLS protocols to use
[%- IF ssl_protocols.defined %]
ssl_protocols = [% ssl_protocols %]
[%- ELSE %]
ssl_protocols = !SSLv2 !SSLv3
[%- END %]

3) Save the file and run ‘/usr/local/cpanel/scripts/builddovecotconf’ to rebuild the Dovecot configuration file
4) Restart Dovecot by running ‘/usr/local/cpanel/scripts/restartsrv_dovecot’

====

For Courier:

There is currently no workaround at this time. We advise that you switch to Dovecot instead if you want to disable SSLv3.

====

For Exim:

1) Go to WHM => Service Configuration => Exim Configuration Manager => Advanced Editor
2) At the top is SECTION: Config. Go to the end of that section and click the button “Add additional configuration setting”. It will open two boxes above the button you clicked.
3) In the first blank box, put in:

openssl_options

In the blank box next to it, put in:

+no_sslv3

4) Go to the bottom of the page and hit the save button.

========================


That is all the information that cPanel provided.

If you aren’t seeing your changes reflected, restarting the services is a good start.
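To confirm the changes actually took effect, here is an added verification script (not part of the original post or anything cPanel provided): it sends a bare SSL 3.0 ClientHello to each service the instructions above cover and reports whether the server still answers with an SSL 3.0 ServerHello. The port-to-service mapping assumes cPanel’s default port layout; run it against your own server after restarting the services.

```python
"""Check whether a TLS endpoint still accepts an SSL 3.0 handshake (raw socket;
Python's ssl module usually can no longer speak SSLv3 itself)."""
import socket
import struct

# Assumed default cPanel port layout; all of these speak TLS directly (no STARTTLS).
CPANEL_TLS_PORTS = {443: "apache / litespeed", 2083: "cpsrvd (cPanel)",
                    2087: "cpsrvd (WHM)", 2096: "cpsrvd (webmail)", 2078: "cpdavd",
                    993: "dovecot imaps", 995: "dovecot pop3s", 465: "exim smtps"}

def build_sslv3_client_hello(cipher_suites=(0x002f, 0x0035, 0x000a)):
    """Return a minimal SSLv3 ClientHello record (version 3.0 in both headers)."""
    client_random = b"\x00" * 32  # constructed fixed random; fine for a probe
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (b"\x03\x00" + client_random + b"\x00"  # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")  # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Classify the first record a server sends back after an SSLv3 ClientHello."""
    if not data:
        return "sslv3-rejected"  # connection closed without an alert
    if len(data) >= 6 and data[:3] == b"\x16\x03\x00" and data[5] == 0x02:
        return "sslv3-accepted"  # SSL 3.0 ServerHello: SSLv3 is still enabled
    if data[0] == 0x15:
        return "sslv3-rejected"  # alert, typically protocol_version or handshake_failure
    return "unexpected"

def probe_sslv3(host, port, timeout=5.0):
    """Connect to host:port, send the SSLv3 ClientHello and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            return classify_response(sock.recv(4096))
    except (ConnectionResetError, BrokenPipeError):
        return "sslv3-rejected"  # reset mid-handshake: no SSLv3 session either
    except (socket.timeout, OSError):
        return "no-response"  # port closed, filtered or unreachable

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for port, service in sorted(CPANEL_TLS_PORTS.items()):
        print(f"{host}:{port} ({service}): {probe_sslv3(host, port)}")
```

Every line should read "sslv3-rejected" once the configuration above is in place; a "sslv3-accepted" result means that service was not restarted or still has SSLv3 enabled.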

Note: You may encounter problems from users whose browsers only support SSLv3 (IE6, I’m looking at you). Unfortunately you have only one answer for those users: upgrade to secure software.

Good luck!

Further reading:

Hype for the vulnerability in SSLv3 was all bark and little bite.

This POODLE Bites: Exploiting The SSL 3.0 Fallback

SSL/TLS Strong Encryption: How-To