Share

Question

Hi,

Is it possible to disable SSLv3 for Webmin (port 10000)?

I’m guessing perhaps a particular string here:

Webmin -> Webmin -> Webmin Configuration -> SSL Encryption -> Listed ciphers

Everything I have tried permits SSLv3.

Thanks in advance,

G

Answer 1

kamaln7 October 18, 2014

Set the cipher list to: EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5:

screenshot

Reply Report

va October 18, 2014

Hi and thanks much for your response.

Unfortunately, that doesn’t seem to fix the problem for me.

Perhaps I have a faulty test routine? I’ve been using ‘poodle.sh’ for testing and fixing various other servers with success:

sh poodle.sh www.mywebminhost.com 10000
www.mywebminhost.com:10000 - Vulnerable!  SSLv3 connection established using SSLv3/AES256-SHA

#!/bin/bash
#
#  Copyright (C) 2014 by Red Hat
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 3 of the License, or
#  (at your option) any later version.

host=${1:-127.0.0.1}
port=${2:-443}
timeout_bin=`which timeout 2>/dev/null`

echo -n "$host:$port - "

out="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -ssl3 -connect "${host}:${port}" 2>/dev/null`"

if [ $? -eq 124 ]; then
    echo "error: Timeout connecting to host!"
    exit 1
fi

if ! echo "$out" | grep -q 'Cipher is' ; then
    echo 'Not vulnerable.  Failed to establish SSL connection.'
    exit 0
fi

proto=`echo "$out" | grep '^ *Protocol *:' | awk '{ print $3 }'`
cipher=`echo "$out" | grep '^ *Cipher *:' | awk '{ print $3 }'`

if [ "$cipher" = '0000'  -o  "$cipher" = '(NONE)' ]; then
    echo 'Not vulnerable.  Failed to establish SSLv3 connection.'
    exit 0
else
    echo "Vulnerable!  SSLv3 connection established using $proto/$cipher"
    exit 1
fi

Again, thanks for your time and trouble,

G

Reply Report

Answer 2

va October 18, 2014

Hi and thanks much for your response.

Unfortunately, that doesn’t seem to fix the problem for me.

Perhaps I have a faulty test routine? I’ve been using ‘poodle.sh’ for testing and fixing various other servers with success:

sh poodle.sh www.mywebminhost.com 10000
www.mywebminhost.com:10000 - Vulnerable!  SSLv3 connection established using SSLv3/AES256-SHA

#!/bin/bash
#
#  Copyright (C) 2014 by Red Hat
#
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 3 of the License, or
#  (at your option) any later version.

host=${1:-127.0.0.1}
port=${2:-443}
timeout_bin=`which timeout 2>/dev/null`

echo -n "$host:$port - "

out="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -ssl3 -connect "${host}:${port}" 2>/dev/null`"

if [ $? -eq 124 ]; then
    echo "error: Timeout connecting to host!"
    exit 1
fi

if ! echo "$out" | grep -q 'Cipher is' ; then
    echo 'Not vulnerable.  Failed to establish SSL connection.'
    exit 0
fi

proto=`echo "$out" | grep '^ *Protocol *:' | awk '{ print $3 }'`
cipher=`echo "$out" | grep '^ *Cipher *:' | awk '{ print $3 }'`

if [ "$cipher" = '0000'  -o  "$cipher" = '(NONE)' ]; then
    echo 'Not vulnerable.  Failed to establish SSLv3 connection.'
    exit 0
else
    echo "Vulnerable!  SSLv3 connection established using $proto/$cipher"
    exit 1
fi

Again, thanks for your time and trouble,

G

Reply Report

Answer 3

va October 20, 2014

I found the correct answer here:

http://www.virtualmin.com/node/34811

Reply Report

Question

Webmin and POODLE (SSLv3)

Leave a comment

Looking for something else?

Share

Share your Question

Question

Webmin and POODLE (SSLv3)

Leave a comment

Looking for something else?

Almost there!