Vesta Control Panel - Forum

CVE-2016-2183: nginx Weak SSLCipherSuite Sweet32 Birthday

xlegends
Posts: 21
Joined: Sun Jul 30, 2017 3:26 am

Post by xlegends » Sun Jun 17, 2018 10:57 am

VestaCP: NGINX + PHP-FPM for Version 0.9.8-21 on 4/24/2018
Detected by Beyond Security, INC scanner

~ Out of 14023 infrastructure tests it found 0 High risks and only 2 medium risks, 1 for web server and 1 for imaps using those same ciphers
  • CVE-2016-2183 Medium Risk: nginx Weak SSLCipherSuite Sweet32 Birthday Attacks on 64-bit Block Ciphers in TLS and OpenVPN (DES-CBC3) and imaps 993
  • Weak Cipher DES-CBC3 found: (Cipher: EDH-RSA-DES-CBC3-SHA|SSLv3|Kx=DH|Au=RSA|Enc=3DES(168)|Mac=SHA1) (Cipher: DES-CBC3-SHA|SSLv3|Kx=RSA|Au=RSA|Enc=3DES(168)|Mac=SHA1) (Cipher: EDH-RSA-DES-CBC3-SHA|TLSv1|Kx=DH|Au=RSA|Enc=3DES(168)|Mac=SHA1)

Sweet32 Birthday Vulnerability Fix

Disable 2 Weak Ciphers:
EDH-RSA-DES-CBC3-SHA
DES-CBC3-SHA


===== Nginx =====
/etc/nginx/nginx.conf

Back up your nginx config, then carefully add ! before those 2 ciphers or delete them
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
--- Reboot Nginx

===== Dovecot 2.1+ =======
/etc/dovecot/conf.d/10-ssl.conf

After fixing nginx's suite of ciphers the CVE scan still picked up the imaps bad ciphers.
I'm not sure where Dovecot is pulling those ciphers from, probably the default OpenSSL suite, but it's not from nginx.

Disable them by adding them with !
ssl = yes
ssl_cert = </usr/local/vesta/ssl/certificate.crt
ssl_key = </usr/local/vesta/ssl/certificate.key
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = HIGH:!aNULL:!MD5:!DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA
ssl_prefer_server_ciphers = yes
--- Reboot Dovecot

After you do this, the next weekly scan Vulnerability Score went up to 100 A+
visitors with IE 8 for XP will not be able to access SSL pages
IE 8 / XP No FS 1 No SNI 2 Server sent fatal alert: handshake_failure

Tools/commands:
# nmap --script ssl-enum-ciphers yourdomain.com
Beyond Security scanmyserver.com
Qualys SSL Labs ssllabs.com/ssltest

xlegends
Posts: 21
Joined: Sun Jul 30, 2017 3:26 am

Deprecating TLS 1.0 and TLS 1.1 SSL Protocols

Post by xlegends » Thu Jan 02, 2020 3:33 am

TLS 1.0 and TLS 1.1 protocols will be removed from browsers at the beginning of 2020. As there are no fixes or patches that can adequately fix SSL or deprecated TLS, it is critically important that organizations upgrade to a secure alternative as soon as possible. Various Browser clients have provided approximate deadlines for disabling TLS 1.0 and TLS 1.1 protocol.

Microsoft IE and Edge
First half of 2020

Mozilla Firefox
March 2020

Safari/Webkit
March 2020

Google Chrome
January 2020


Check if you host TLS 1.0, TLS 1.1 and TLS 1.2.

Code:

nmap --script ssl-enum-ciphers -p 443 domain.com

Back up nginx config file

Code:

cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf-backup-before-tls

Edit nginx config file

Code:

nano /etc/nginx/nginx.conf

Before

Code:

 # SSL PCI Compliance
    ssl_session_cache   shared:SSL:10m;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

After

Code:

 # SSL PCI Compliance
    ssl_session_cache   shared:SSL:10m;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

If you use protocols SSL 2 or SSL 3 you can add those as well


Restart Nginx Web server then check available protocols again

Code:

nmap --script ssl-enum-ciphers -p 443 domain.com

After changes, these browsers will lose access.

Code:

Android 2.3.7   No SNI 2	Protocol mismatch (not simulated)
Android 4.0.4	Protocol mismatch (not simulated)
Android 4.1.1	Protocol mismatch (not simulated)
Android 4.2.2	Protocol mismatch (not simulated)
Android 4.3	Protocol mismatch (not simulated)
Baidu Jan 2015	Protocol mismatch (not simulated)
IE 6 / XP   No FS 1   No SNI 2	Protocol mismatch (not simulated)
IE 7 / Vista	Protocol mismatch (not simulated)
IE 8 / XP   No FS 1   No SNI 2	Protocol mismatch (not simulated)
IE 8-10 / Win 7  R	Protocol mismatch (not simulated)
IE 10 / Win Phone 8.0	Protocol mismatch (not simulated)
Java 6u45   No SNI 2	Protocol mismatch (not simulated)
Java 7u25	Protocol mismatch (not simulated)
OpenSSL 0.9.8y	Protocol mismatch (not simulated)
Safari 5.1.9 / OS X 10.6.8	Protocol mismatch (not simulated)
Safari 6.0.4 / OS X 10.8.4  R	Protocol mismatch (not simulated)
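
A static check for the two settings changed in the posts above (the 3DES cipher exclusions and the TLS protocol list), as an added example that is not part of the original posts or of VestaCP. The function names and both sample configs are constructed for illustration; the check is textual and does not expand aliases such as HIGH, so it complements the nmap scan rather than replacing it.

```python
import re

# Protocol names as written in nginx and Dovecot 2.1/2.2 ssl_protocols lines.
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
DIRECTIVE = re.compile(
    r"^\s*(ssl_ciphers|ssl_cipher_list|ssl_protocols)\s*=?\s*(.+?)\s*;?\s*$", re.M)

def weak_ciphers(value):
    """3DES suites listed by name and not permanently removed with '!'."""
    tokens = [t for t in re.split(r"[:, ]+", value) if t]
    killed = {t[1:] for t in tokens if t.startswith("!")}
    if "3DES" in killed:          # !3DES removes every triple-DES suite
        return []
    # '-' and '+' tokens delete or reorder suites; they never enable one.
    return [t for t in tokens
            if t[0] not in "!-+" and "DES-CBC3" in t and t not in killed]

def weak_protocols(value):
    """Deprecated protocols left enabled; a '!'-only list means 'all but these'."""
    tokens = value.split()
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = [t for t in tokens if not t.startswith("!")] or ALL_PROTOCOLS
    return [p for p in included if p in WEAK_PROTOCOLS and p not in excluded]

def audit_config(text):
    """Return [(directive, findings)] for directives that still allow weak settings."""
    report = []
    for name, raw in DIRECTIVE.findall(text):
        value = raw.strip("\"'")
        found = weak_protocols(value) if name == "ssl_protocols" else weak_ciphers(value)
        if found:
            report.append((name, found))
    return report

# Constructed samples modelled on the settings in the posts (not real server files).
# The nginx sample lists ECDHE-RSA-DES-CBC3-SHA without '!', so it is reported.
NGINX_SAMPLE = '''
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:HIGH:!aNULL:!DES:!MD5";
'''
DOVECOT_SAMPLE = '''
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = HIGH:!aNULL:!MD5:!DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA
'''

if __name__ == "__main__":
    for label, sample in (("nginx", NGINX_SAMPLE), ("dovecot", DOVECOT_SAMPLE)):
        print(label, audit_config(sample))
```

An empty list from `audit_config` means no named 3DES suite and no pre-TLS 1.2 protocol is left enabled in the text it was given.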