Do We Need to Worry About PoodleBleed?


    #16
    Re: Do We Need to Worry About PoodleBleed?

    After that modification, the only necessary command is: service https restart

    Or in Plesk under services, you can restart apache there too.
    Last edited by ILoveHostasaurus; 10-21-14, 10:54 AM.
    David Hubbard
    CIO
    Miva
    [email protected]
    http://www.miva.com



      #17
      Re: Do We Need to Worry About PoodleBleed?

      Thank you. Should I remove ssl_disablev3.conf from the server?



        #18
        Re: Do We Need to Worry About PoodleBleed?

        I'd probably remove it since its not-as-good choice of SSLCipherSuite may override.
        David Hubbard
        CIO
        Miva
        [email protected]
        http://www.miva.com



          #19
          Re: Do We Need to Worry About PoodleBleed?

          I'm also running nginx. You previously mentioned:

          2) If you're using nginx, the script is modifying the template files in /usr/local/psa/admin/conf/templates/default/ which Parallels specifically warns should never be done because those files get replaced automatically by updates. The proper way to modify nginx on a Plesk server is to create a new /usr/local/psa/admin/conf/templates/custom directory and copy the templates needing modification into that directory, modify those copies, then run the httpdmng program to reconfigure. Not doing it that way will likely just result in sslv3 turning back on after the next update.
          Is this all I need for a custom nginx conf file in a custom folder?

          #Allow support only for TLS in Nginx with the following:
          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

          I see this in /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php.
          I don't use webmail. So perhaps it doesn't even matter.

          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
          ssl_ciphers HIGH:!aNULL:!MD5;
          ssl_prefer_server_ciphers on;
          Last edited by skepticwebguy; 10-21-14, 12:18 PM.



            #20
            Re: Do We Need to Worry About PoodleBleed?

            Originally posted by skepticwebguy:
            I'm also running nginx. You previously mentioned:
            Is this all I need for a custom nginx conf file in a custom folder?

            #Allow support only for TLS in Nginx with the following:
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

            I see this in /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php.
            I don't use webmail. So perhaps it doesn't even matter.

            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ssl_prefer_server_ciphers on;
            You'd want to run:

            mkdir -p /usr/local/psa/admin/conf/templates/custom/domain/
            cp /usr/local/psa/admin/conf/templates/default/nginxWebmailPartial.php /usr/local/psa/admin/conf/templates/custom/
            cp /usr/local/psa/admin/conf/templates/default/domain/nginxDomainVirtualHost.php /usr/local/psa/admin/conf/templates/custom/domain/

            Then both /usr/local/psa/admin/conf/templates/custom/nginxWebmailPartial.php and /usr/local/psa/admin/conf/templates/custom/domain/nginxDomainVirtualHost.php need to be edited. These:

            Code:
                ssl_protocols               SSLv2 SSLv3 TLSv1;
                ssl_ciphers                 HIGH:!aNULL:!MD5;
            should be replaced with these two lines:

            Code:
                ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
            Last edited by ILoveHostasaurus; 10-21-14, 01:12 PM.
            David Hubbard
            CIO
            Miva
            [email protected]
            http://www.miva.com



              #21
              Re: Do We Need to Worry About PoodleBleed?

              Will Plesk automatically know to use the custom files for nginx after a server reboot? I assume I need to restart nginx as well. Correct?



                #22
                Re: Do We Need to Worry About PoodleBleed?

                Originally posted by skepticwebguy:
                Will Plesk automatically know to use the custom files for nginx after a server reboot? I assume I need to restart nginx as well. Correct?
                After creating them, you need to run:

                /usr/local/psa/admin/bin/httpdmng --reconfigure-all

                It should restart nginx for you, but otherwise: /etc/rc.d/init.d/nginx restart
                David Hubbard
                CIO
                Miva
                [email protected]
                http://www.miva.com

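                The Plesk 11.5 procedure from posts #20 and #22 as a POSIX shell script, added here as an example (not code from the thread, and not Plesk's own tooling). It takes the template base directory as an argument so it can be tried on a scratch copy before being pointed at /usr/local/psa/admin/conf/templates; it assumes the two template paths named in post #20, rewrites only the ssl_protocols line, and checks the result against the mistake post #29 ran into (TLSv1 missing from the list).

```shell
#!/bin/sh
# Added example (not from the thread, not Plesk's own tooling): the Plesk 11.5
# custom-template procedure from posts #20 and #22 as functions that take the
# template base directory as an argument, so they can be tried on a scratch copy
# before being pointed at /usr/local/psa/admin/conf/templates.
set -eu

# The protocol line the thread settles on. TLSv1 stays in deliberately: post #29
# reports that dropping it stopped the store loading over https at all.
WANT_PROTOCOLS='ssl_protocols TLSv1 TLSv1.1 TLSv1.2;'
# The two templates post #20 says to copy and edit (relative to default/ and custom/).
TEMPLATES='nginxWebmailPartial.php domain/nginxDomainVirtualHost.php'

# Copy each default template into custom/ (unless a custom copy already exists,
# so earlier hand edits are not clobbered) and rewrite its ssl_protocols line.
# Only ssl_protocols is changed; the ssl_ciphers line is left for the string in post #20.
install_custom_templates() {
    base="$1"
    mkdir -p "$base/custom/domain"
    for rel in $TEMPLATES; do
        [ -e "$base/custom/$rel" ] || cp "$base/default/$rel" "$base/custom/$rel"
        # Keep the line's indentation, drop whatever protocol list it carried.
        sed "s/^\([[:space:]]*\)ssl_protocols[[:space:]].*;/\1$WANT_PROTOCOLS/" \
            "$base/custom/$rel" > "$base/custom/$rel.tmp"
        mv "$base/custom/$rel.tmp" "$base/custom/$rel"
    done
}

# Returns 0 when every custom template exists, offers no SSLv2/SSLv3, and still
# lists plain TLSv1; returns 1 otherwise. Run this before httpdmng --reconfigure-all.
check_custom_templates() {
    base="$1"
    for rel in $TEMPLATES; do
        f="$base/custom/$rel"
        [ -f "$f" ] || return 1
        if grep -E '^[[:space:]]*ssl_protocols[[:space:]]' "$f" | grep -Eq 'SSLv[23]'; then
            return 1
        fi
        # "TLSv1" followed by a space or ';', so TLSv1.1/TLSv1.2 alone do not satisfy it.
        grep -Eq '^[[:space:]]*ssl_protocols[[:space:]].*TLSv1([[:space:]]|;)' "$f" || return 1
    done
    return 0
}

# On a real Plesk 11.5 host (paths from the thread):
#   install_custom_templates /usr/local/psa/admin/conf/templates
#   check_custom_templates  /usr/local/psa/admin/conf/templates \
#     && /usr/local/psa/admin/bin/httpdmng --reconfigure-all
```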


                  #23
                  Re: Do We Need to Worry About PoodleBleed?

                  Thank you, David. Your assistance is greatly appreciated.



                    #24
                    Re: Do We Need to Worry About PoodleBleed?

                    I have a client on a self-hosted linux environment and their store is currently not able to complete checkout due to this error when trying to connect to Authorize.net:

                    Unable to authorize payment: Unable to open URL 'https://secure.authorize.net/gateway/transact.dll': Error establishing SSL connection: wrong version number

                    Is this related to the SSL version on the server?



                      #25
                      Re: Do We Need to Worry About PoodleBleed?

                      Yes, they're running an old Miva Engine. They need to upgrade to 5.17 or higher. It's a free upgrade for everybody.
                      Thanks,

                      Rick Wilson
                      CEO
                      Miva, Inc.
                      [email protected]
                      https://www.miva.com



                        #26
                        Re: Do We Need to Worry About PoodleBleed?

                        Formula,

                        Here's a blog post with more detail: http://www.miva.com/blog/PayPal-Auth...-Vulnerability
                        Thanks,

                        Rick Wilson
                        CEO
                        Miva, Inc.
                        [email protected]
                        https://www.miva.com



                          #27
                          Re: Do We Need to Worry About PoodleBleed?

                          Following these instructions actually causes my store not to function at all in secure (https) mode. It seems my version of Plesk doesn't like having these changes in a "custom" folder.



                            #28
                            Re: Do We Need to Worry About PoodleBleed?

                            The nginx-related steps are specific to Plesk 11.5.
                            David Hubbard
                            CIO
                            Miva
                            [email protected]
                            http://www.miva.com



                              #29
                              Re: Do We Need to Worry About PoodleBleed?

                              Originally posted by ILoveHostasaurus:
                              The nginx-related steps are specific to Plesk 11.5

                              I'm running Plesk 11.5.30 Update #48.

                              I looked closer at my code. The problem seems to have been that I was missing the TLSv1 in this line:

                              Code:
                               ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                              For some strange reason, I only had this:

                              Code:
                               ssl_protocols TLSv1.1 TLSv1.2;
                              Without the TLSv1 in there, my store would not function at all in secure mode. A secure page would not even load.

                              In addition to inserting that missing TLSv1, I deleted /usr/local/psa/admin/conf/templates/custom/nginxWebmailPartial.php since I don't use webmail. That may have also been part of the problem.
                              Last edited by skepticwebguy; 03-24-15, 08:47 PM.
