[feedquote='Youtrack','http://youtrack.i-mscp.net/issue/IP-1288']
| Reporter |
RatS (RatS)
|
|---|---|
| Created | Feb 25, 2015 9:48:59 PM |
| Updated | Feb 26, 2015 12:32:50 AM |
| Resolved | Feb 26, 2015 12:32:50 AM |
| Type | Security |
| Subsystem | Config |
| Affected versions | Unknown |
While checking my SSL encrypted site with SSLlab's SSL scanner, I recognised, that the standard i-MSCP installation is vulnerable to POODLE attack. Following information should be added to all Apache SSL configurations
Code
- SSLEngine On SSLCompression Off SSLProtocol All -SSLv2 -SSLv3 SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
For nginx SSL config:
Code
- ssl on; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; Backwards compatible with WinXP / IE6 ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m;
For postfix config:
FTP is configurable in /etc/proftpd/tls.conf
[/feedquote]