Hi,
Is it possible to disable SSLv3 for Webmin (port 10000)?
I’m guessing perhaps a particular string here:
Webmin -> Webmin -> Webmin Configuration -> SSL Encryption -> Listed ciphers
Everything I have tried permits SSLv3.
Thanks in advance,
G
Set the cipher list to: EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5:
Hi and thanks much for your response.
Unfortunately, that doesn’t seem to fix the problem for me.
Perhaps I have a faulty test routine? I’ve been using ‘poodle.sh’ for testing and fixing various other servers with success:
sh poodle.sh www.mywebminhost.com 10000
www.mywebminhost.com:10000 - Vulnerable! SSLv3 connection established using SSLv3/AES256-SHA
#!/bin/bash
#
# Copyright (C) 2014 by Red Hat
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
host=${1:-127.0.0.1}
port=${2:-443}
timeout_bin=`which timeout 2>/dev/null`
echo -n "$host:$port - "
out="`echo 'Q' | ${timeout_bin:+$timeout_bin 5} openssl s_client -ssl3 -connect "${host}:${port}" 2>/dev/null`"
if [ $? -eq 124 ]; then
echo "error: Timeout connecting to host!"
exit 1
fi
if ! echo "$out" | grep -q 'Cipher is' ; then
echo 'Not vulnerable. Failed to establish SSL connection.'
exit 0
fi
proto=`echo "$out" | grep '^ *Protocol *:' | awk '{ print $3 }'`
cipher=`echo "$out" | grep '^ *Cipher *:' | awk '{ print $3 }'`
if [ "$cipher" = '0000' -o "$cipher" = '(NONE)' ]; then
echo 'Not vulnerable. Failed to establish SSLv3 connection.'
exit 0
else
echo "Vulnerable! SSLv3 connection established using $proto/$cipher"
exit 1
fi
Again, thanks for your time and trouble,
G