Archive for the tag 'SSLv3'

A flaw named POODLE was found in the way SSL 3.0 handled padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw allows a man-in-the-middle (MITM) attacker to decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections.

In other words, the vulnerability allows an attacker to add padding to a request in order to then calculate the plaintext of encryption using the SSLv3 protocol. Effectively, this allows an attacker to compromise the encryption when using the SSLv3 protocol.

The risk from this vulnerability is that an attacker can exchange over an encrypted connection using that protocol and be intercepted and read.

As NO patch has been released yet by REDHAT current it is highly recommended to use only TLSv1.1 and TLSv1.2. Backwards compatibility can be done using TLSv1.0. It is NOT recommended to use SSLv2 and SSLv3 as they are considered insecure.

SSLv3 for all our Server Management and Monitoring customers have been all disabled.

If you are not a Server Management customer and would like to have this vulnerability patched/disabled please purchase a 1x Hour of Support plan.

Don’t hesitate to contact us for any questions you may have through our Contact Form page or LiveChat!.

How to force SSLv3 ssl_cipher option in DirectAdmin

Edit - /usr/local/directadmin/conf/directadmin.conf file

directadmin.conf option called:

ssl_cipher=

default value is internally ‘null’ (not used).
If anything is set for that variable (has to be added) then those values are passed to the ssl function:

SSL_set_cipher_list

so as to enforce which versions of ssl are allowed to connect.
The main reason to use this feature is to pass low level security scans which don’t like SSLv2.

A sample value for this option would be:

ssl_cipher=ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Reference - http://www.directadmin.com/