Skip to content

Entries tagged "httpd".

mod_substitute in rhel/centos 5

Apparently mod_substitute has finally been backported into rhel 5:
Transaction Check Error:
  file /usr/lib64/httpd/modules/mod_substitute.so from install of httpd-2.2.3-43.el5.centos.3.x86_64 conflicts with file from package mod_substitute-2.2.11-1.el5.ld.x86_64

No need for 3rd party repos for this module anymore. Hurray! :-)

The poodle bites the web

Heartbleed is not even cold in its grave and here comes another SSL vulnerability: Poodle.
You can read more about it here and there, tl;dr it exploits a weakness in SSLv3 to allow MITM attacks:
https://www.imperialviolet.org/2014/10/14/poodle.html (local copy)
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html
http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability

To fix this in Apache HTTPD edit your ssl configuration file (eg /etc/httpd/conf.d/ssl.conf in CentOS) to have this SSLProtocol line:
SSLProtocol all -SSLv2 -SSLv3
If you're running CPanel there's more you need to do:
- go in "Home » Service Configuration » cPanel Web Services Configuration" and add ":-SSLv3"
- go in "Home »Service Configuration »Apache Configuration»Include Editor", add the following in "Pre Main Include":
SSLProtocol All -SSLv2 -SSLv3
- be warned than on older CPanel installations (CentOS 5), removing SSLv3 (:-SSLV3) from the cipher list might cause Apache not to start at all.


- If you are running Webmin/Virtualmin:
echo ssl_version=10 >> /etc/webmin/miniserv.conf
service webmin restart
- also be warned that these changes may affect some older browsers, such as IE6, test before you change.