Hello, I am using Webmin on port 12321 as is the default with a Turnkey Linux install (Debian). Anyway, it appears that SSLv2 is enabled with Webmin. I went to the config and disabled SSLv2, but then the site stopped working :( So I had to re-enable it. I have a wildcard digicert certificate that we use. Not sure if that helps. Anyway, I was just worried about the Poodle vulnerability and not being able to disable SSLv2 w/o losing the site.
Attached patch will disable SSLv2 and SSLv3 by forcing Net::SSLeay to use only TLS
You can get the same effect by adding ssl_version=10 to /etc/webmin/miniserv.conf , and then running /etc/webmin/restart
Thanks everyone! I will try this out!
It worked perfectly! Thank you for your help!
@Jamie - that setting appears to be absent by default (meaning use SSL or TLS) so it would be good to incorporate the patch to force TLS only by default, then people can undo it by setting ssl_version in miniserv.conf if needed in their environment.
I'm a bit hesitant to force use of TLS in Webmin by default, as this would break older clients that don't support it.
Do you expect that a patch to openssl will be released that will prevent the POODLE fallback attack?
https://www.openssl.org/news/secadv_20141015.txt
However, if a site is able to update Webmin but unable to update OpenSSL due to lack of vendor support, they will remain vulnerable to POODLE without the patch and without knowing they must manually add ssl_version=10 to their config.
IMHO, it would be best to apply the patch and create a new release. The responsible thing to do would probably be to also create a CVE for it.
Hmmm, actually that's not the best fix. Our Nessus scan shows that with no settings, it supports SSLv2, SSLv3, TLSv1.0, TLSv1.1 and TLSv1.2, but setting ssl_version=10 forces it to only support TLSv1.0 and not the later versions. This is due to the way Net::SSLeay chooses a method of creating the SSL context - see http://wiki.openssl.org/index.php/SSL/TLS_Client#Context_Setup for more info. We really want to be calling CTX_new() and setting the SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 flags rather than calling CTX_tlsv1_new().
There are some scraps of code (and unused language settings) that disable SSLv2 so the best fix would be to
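The context-setup difference described above, as an added illustration (not Webmin's own miniserv.pl code): tlsv1_only_ctx() is what a TLSv1.0-only method gives you, while tls_only_ctx() uses the version-flexible CTX_new() and switches off SSLv2/SSLv3 through context options so TLSv1.1 and TLSv1.2 stay negotiable. The certificate path and the no_ssl2/no_ssl3 flag names are assumptions for this example.

```perl
#!/usr/bin/perl
# Added example, not code from Webmin or Net::SSLeay's own distribution.
use strict;
use warnings;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# Placeholder path: a combined PEM (key + cert) as a server would load it.
my $pem = '/path/to/server.pem';

# The TLSv1.0-only method: nothing newer than TLSv1.0 can be negotiated.
sub tlsv1_only_ctx {
    my $ctx = Net::SSLeay::CTX_tlsv1_new() or die "CTX_tlsv1_new failed";
    return $ctx;
}

# Preferred: the version-flexible method with SSLv2/SSLv3 disabled via
# options. TLSv1.0, TLSv1.1 and TLSv1.2 remain available to clients.
sub tls_only_ctx {
    my ($no_ssl2, $no_ssl3) = @_;   # hypothetical flags, as miniserv.conf keys would supply
    my $ctx = Net::SSLeay::CTX_new() or die "CTX_new failed";
    my $opts = Net::SSLeay::OP_ALL();             # standard bug workarounds
    $opts |= Net::SSLeay::OP_NO_SSLv2() if $no_ssl2;
    $opts |= Net::SSLeay::OP_NO_SSLv3() if $no_ssl3;
    Net::SSLeay::CTX_set_options($ctx, $opts);
    return $ctx;
}

sub load_keypair {
    my ($ctx) = @_;
    Net::SSLeay::CTX_use_certificate_file($ctx, $pem, Net::SSLeay::FILETYPE_PEM())
        or die "cannot load certificate from $pem";
    Net::SSLeay::CTX_use_PrivateKey_file($ctx, $pem, Net::SSLeay::FILETYPE_PEM())
        or die "cannot load private key from $pem";
}

my $ctx = tls_only_ctx(1, 1);
load_keypair($ctx);

# Sanity check: read back the options actually set on the context.
my $set = Net::SSLeay::CTX_get_options($ctx);
printf "SSLv2 disabled: %s\n", ($set & Net::SSLeay::OP_NO_SSLv2()) ? 'yes' : 'no';
printf "SSLv3 disabled: %s\n", ($set & Net::SSLeay::OP_NO_SSLv3()) ? 'yes' : 'no';
```

After changing the context setup, re-run the same protocol scan (Nessus or similar) to confirm SSLv3 is refused while TLSv1.1 and TLSv1.2 still negotiate.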
What if instead you go to Webmin -> Webmin Configuration -> SSL Encryption, and choose "Only strong PCI-compliant ciphers" ?
I just realized that won't help - your idea is better. See https://github.com/webmin/webmin/commit/fe43e60b3e13d1abefc390afad981d4f4254ae74 for a patch that adds this feature.
Also, https://github.com/webmin/webmin/commit/b657b9b5ab6f848789d7c62449674280313e04ce
Jamie, are we going to see a new package any time soon that incorporates these fixes? We have a lot of servers using Webmin and management is pushing to disable SSL everywhere.
A new 1.711 dev version is available from http://www.webmin.com/devel.html that includes the ability to disable SSLv3.
Is there an analogous fix for usermin? I tried setting ssl_version, ssl_protocols and ssl_cipher_list in miniserv.conf, and it might be working, but various SSL testers aren't able to connect to it any more (and the ssl_redirect no longer works). If I connect directly with a web browser, it works fine...
Yes, in the latest version of Usermin you can disable SSLv2 by adding the line no_ssl2=1 to /etc/usermin/miniserv.conf , then running /etc/usermin/restart