Page 1 of 2
Results 1 to 15 of 16

Thread: PCI compliance re. SSL

  1. #1
    Registered Member
    Join Date
    Jul 2004
    Posts
    195

    Default PCI compliance re. SSL

    A customer has been having PCI compliance scans on a site I am hosting and it is failing with:

    Summary: The remote service encrypts traffic using a protocol with known weaknesses.
    Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
    See also: http://www.schneier.com/paper-ssl.pdf
    Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See http://support.microsoft.com/kb/216482 for instructions on IIS. See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html for Apache.
    Risk Factor: Medium / CVSS Base Score: 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
    Is it safe to assume this is a false positive, and if not then how can this be corrected or addressed via WHM/cPanel?

    WHM 11.15.0 cPanel 11.18.3-C21703
    REDHAT Enterprise 4 i686 on standard - WHM X v3.1.0
    Last edited by jack01; 03-12-2008 at 07:01 AM.

  2. #2
    Registered Member
    Join Date
    Jul 2004
    Posts
    195

    Default

    Surely others here have had this issue too?

  3. #3
    Registered Member koolcards
    Join Date
    Oct 2003
    Location
    Tampa, Fl
    Posts
    146

    Default

    Never seen it but it concerns the "SSLCipherSuite" directive and an older version of Apache2.0.
    http://httpd.apache.org/docs/2.0/mod...sslciphersuite

    My directive reads "SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL" but I've got Apache v2.2.8 and it will pass a compliance scan fine.

    What Apache version are you running? Perhaps upgrading to something more recent will work.

  4. #4
    Registered Member
    Join Date
    Jul 2004
    Posts
    195

    Default

    Apache version is 1.3.37 ... I don't want to do a custom install, I want to keep using EasyApache... any ideas?

  5. #5
    Registered Member
    Join Date
    Jun 2004
    Posts
    58

    Default Apache 2.2.8

    PCI still flags this under Apache 2.2.8, so I am interested to know if this is a false positive, or if we should change the directive for the host to the recommended directive.

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM


    But I don't see SSLProtocol anywhere, so where is it hidden, or is it defaulting to the vhost value?

  6. #6
    EWD
    Registered Member, cPanel Partner NOC
    Join Date
    Aug 2003
    Location
    NY
    Posts
    167

    Default

    Try this.

    Edit httpd.conf
    Find SSLLogLevel warn
    Right underneath it add: SSLProtocol all -SSLv2
    save it

    run: /usr/local/cpanel/bin/apache_conf_distiller --update
    The above will make sure EasyApache does not remove the SSLProtocol all -SSLv2 part next time you upgrade (or so we hope, lol).

    restart apache.

    That is it. SSLv2 is now disabled and should make PCI Compliance happy.
    Emerson

  7. #7
    Registered Member
    Join Date
    Jun 2004
    Posts
    58

    Default Where

    Sorry I do not see
    SSLLogLevel warn
    in httpd.conf

  8. #8
    Registered Member
    Join Date
    Mar 2008
    Posts
    122
    cPanel/WHM Access Level

    Root Administrator

    Default This works for me...

    1. Edit the /var/cpanel/templates/apache2/ssl_vhost.default file, add the SSLProtocol directive and change the SSLCipherSuite directive as follows:
    Code:
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
        SSLCertificateFile [% vhost.sslcertificatefile %]
        SSLCertificateKeyFile [% vhost.sslcertificatekeyfile %]
    2. Recompile the httpd.conf file by running /usr/local/cpanel/bin/build_apache_conf

    3. Verify the /usr/local/apache/conf/httpd.conf now contains the correct SSLProtocol and SSLCipherSuite directives from the template file for each SSL enabled site:
    Code:
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
        SSLCertificateFile /etc/ssl/certs/HOSTNAME.com.crt
        SSLCertificateKeyFile /etc/ssl/private/HOSTNAME.com.key
    4. Restart apache by running /scripts/restartsrv httpd

    5. Verify that SSL v2 is disabled by running the following commands (change HOSTNAME.com to your server's correct hostname):
    Code:
    openssl s_client -ssl2 -connect HOSTNAME.com:443
    This should fail with an ssl handshake failure message

    Code:
    wget --spider --secure-protocol=SSLv2 https://HOSTNAME.com/
    This should fail with an Unable to establish SSL connection message
    Rob
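Step 5 of the post above verifies the fix with `openssl s_client -ssl2`, which only works while the local OpenSSL is still built with SSLv2 support (recent builds are not, and the option simply errors out). The following is an added example written for this thread, not code from the original posts, from cPanel or from Apache: it performs the same check at the wire level, the way the PCI scanner does, by sending an SSLv2 CLIENT-HELLO and classifying whatever the server sends back. The SERVER-HELLO and TLS-alert byte strings at the bottom are constructed for offline use, not captures from a real server, and all function names are my own.

```python
"""Probe a server for SSL 2.0 the way a PCI scanner does: send an SSLv2 CLIENT-HELLO
and see whether the reply is an SSLv2 SERVER-HELLO.

Added example for this thread, not cPanel or Apache code. Useful where the local
openssl binary was built without SSLv2 and 'openssl s_client -ssl2' no longer exists.
"""
import os
import socket
import struct

# The seven SSL 2.0 cipher specs (3 bytes each, from the SSL 2.0 specification).
# Offering all of them gives a server that still speaks SSLv2 every chance to answer.
SSLV2_CIPHER_SPECS = bytes.fromhex(
    "010080"   # SSL_CK_RC4_128_WITH_MD5
    "020080"   # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    "030080"   # SSL_CK_RC2_128_CBC_WITH_MD5
    "040080"   # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    "050080"   # SSL_CK_IDEA_128_CBC_WITH_MD5
    "060040"   # SSL_CK_DES_64_CBC_WITH_MD5
    "0700c0"   # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
)


def build_client_hello(challenge=None):
    """Return a complete SSLv2 CLIENT-HELLO record (2-byte header, high bit set)."""
    if challenge is None:
        challenge = os.urandom(16)
    body = (
        b"\x01"                                    # MSG-CLIENT-HELLO
        + b"\x00\x02"                              # CLIENT-VERSION: SSL 2.0
        + struct.pack(">H", len(SSLV2_CIPHER_SPECS))
        + struct.pack(">H", 0)                     # no session id to resume
        + struct.pack(">H", len(challenge))
        + SSLV2_CIPHER_SPECS
        + challenge
    )
    return struct.pack(">H", 0x8000 | len(body)) + body   # 15-bit length, MSB set


def _sslv2_message_type(data):
    """Message-type byte behind an SSLv2 record header (2 bytes if MSB set, else 3)."""
    if len(data) < 3:
        return None
    offset = 2 if data[0] & 0x80 else 3
    return data[offset] if len(data) > offset else None


def classify_response(data):
    """Explain what the server's first bytes mean for SSLv2 support."""
    if not data:
        return "rejected: connection closed without a reply"
    if data[0] == 0x15:
        return "rejected: TLS alert record, server answered in SSLv3/TLS framing"
    mtype = _sslv2_message_type(data)
    if mtype == 0x04:
        return "ACCEPTED: SSLv2 SERVER-HELLO received, SSLv2 is enabled"
    if mtype == 0x00:
        return "rejected: SSLv2 ERROR message"
    return "unrecognised reply: %s" % data[:8].hex()


def sslv2_accepted(data):
    """True only when the reply is a genuine SSLv2 SERVER-HELLO."""
    return bool(data) and data[0] != 0x15 and _sslv2_message_type(data) == 0x04


def probe(host, port=443, timeout=5.0):
    """Connect, send the CLIENT-HELLO and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            data = b""
    return classify_response(data)


# Constructed replies for offline use, not captures from a real server.
# SERVER-HELLO: type 0x04, session-id-hit 0, cert-type 1 (X.509), version 0.2,
# empty certificate (a live server sends its DER cert here), one cipher spec,
# 16-byte connection id.
_SH_BODY = (b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", 0, 3, 16)
            + b"\x01\x00\x80" + b"\x00" * 16)
SAMPLE_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_SH_BODY)) + _SH_BODY
SAMPLE_TLS_ALERT = bytes.fromhex("15030000020228")   # TLS alert: fatal handshake_failure

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe(sys.argv[1]))
    else:
        print("constructed SERVER-HELLO ->", classify_response(SAMPLE_SERVER_HELLO))
        print("constructed TLS alert    ->", classify_response(SAMPLE_TLS_ALERT))
```

Run it as `python sslv2_probe.py HOSTNAME.com` against the server from step 5. Only an SSLv2 SERVER-HELLO counts as a finding; a TLS alert or a dropped connection is exactly what a server with `SSLProtocol all -SSLv2` should produce, and it is the reply the scanner needs to see before it stops flagging the host.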

  9. #9
    Registered Member
    Join Date
    Jun 2004
    Posts
    58

    Default It works

    Thanks! That worked!

  10. #10
    Registered User
    Join Date
    Apr 2005
    Posts
    2

    Default

    Thanks. I've been trying to get this to work for some time.

  11. #11
    Registered Member
    Join Date
    Jan 2003
    Posts
    61

    Default

    Thank you. This worked for me.

    Tina

  12. #12
    Registered Member
    Join Date
    Sep 2010
    Posts
    19

    Default

    I know this thread is oooooold but I hope someone can still help.

    I did what @robb3369 recommends and it worked like a charm. However, it got overwritten by cPanel later on. Any ideas on how to make this persistent without breaking cPanel?

  13. #13
    cPanel Quality Assurance Analyst cPanelDon
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,554
    cPanel/WHM Access Level

    DataCenter Provider

    Default

    Quote Originally Posted by hectorpn View Post
    I know this thread is oooooold but I hope someone can still help.

    I did what @robb3369 recommends and it worked like a charm. However, it got overwritten by cPanel later on. Any ideas on how to make this persistent without breaking cPanel?
    The Apache configuration directive "SSLCipherSuite" should be set using WebHost Manager (WHM) via the following menu path: WHM: Main >> Service Configuration >> Apache Configuration >> Global Configuration
    Code:
    SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    Configuring the Apache directive "SSLProtocol" to use only SSLv3 and TLSv1 and not SSLv2 can be accomplished by defining the customization in an Apache configuration include: WHM: Main >> Service Configuration >> Apache Configuration >> Include Editor
    Code:
    SSLProtocol -ALL +SSLv3 +TLSv1
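Between post #5 (no SSLProtocol directive at all), post #8 (`SSLProtocol all -SSLv2` inside each SSL vhost) and post #13 (`SSLProtocol -ALL +SSLv3 +TLSv1` in a global include) the thread uses three different spellings of the same fix, and the question in post #5 of what applies when the directive is missing is what decides whether a vhost passes the scan. The following is an added example, not code from the thread, from cPanel or from Apache: it evaluates SSLProtocol values the way mod_ssl does (case-insensitive keywords, `+` adds, `-` removes, a bare keyword replaces the set, no directive means the documented default `all`) and reports which SSL vhosts in an httpd.conf would still offer SSLv2. Assumptions: `all` is taken to mean SSLv2/SSLv3/TLSv1, which is what an Apache 2.2 build against OpenSSL 0.9.8 of the period supported (later mod_ssl adds TLSv1.1 and TLSv1.2); a vhost without its own directive inherits the global one; the httpd.conf excerpt is constructed, and all names in it are examples.

```python
"""Evaluate Apache mod_ssl 'SSLProtocol' directives the way mod_ssl does and report
which SSL vhosts in an httpd.conf still offer SSLv2.

Added example, not cPanel or Apache code. Assumptions: 'all' = SSLv2/SSLv3/TLSv1
(Apache 2.2 + OpenSSL 0.9.8 era), a vhost without its own SSLProtocol inherits the
global one, and no directive anywhere means the documented default 'all'.
"""
import re

ALL_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1"})
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}


def parse_ssl_protocol(value):
    """Return the protocol set enabled by one SSLProtocol directive value."""
    enabled = set()
    for word in value.split():
        action = ""
        if word[0] in "+-":
            action, word = word[0], word[1:]
        key = word.lower()                      # mod_ssl compares case-insensitively
        if key == "all":
            chosen = set(ALL_PROTOCOLS)
        elif key in _CANON:
            chosen = {_CANON[key]}
        else:
            raise ValueError("unknown SSLProtocol keyword: %r" % word)
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = chosen                    # bare keyword replaces what came before
    return frozenset(enabled)


_VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
_VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
_DIRECTIVE = re.compile(r"^\s*(SSLEngine|SSLProtocol|ServerName)\s+(.+?)\s*$", re.I)


def effective_protocols(httpd_conf):
    """Map every SSL-enabled vhost to the protocol set it will actually offer."""
    global_proto = None
    vhosts, current = [], None
    for raw in httpd_conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()    # drop comment lines
        if not line:
            continue
        m = _VHOST_OPEN.match(line)
        if m:
            current = {"addr": m.group(1).strip(), "name": None, "ssl": False, "proto": None}
            continue
        if _VHOST_CLOSE.match(line):
            vhosts.append(current)
            current = None
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if current is None:                     # server-wide scope, e.g. a WHM include
            if name == "sslprotocol":
                global_proto = parse_ssl_protocol(value)
        elif name == "sslengine":
            current["ssl"] = value.lower() == "on"
        elif name == "sslprotocol":
            current["proto"] = parse_ssl_protocol(value)
        elif name == "servername":
            current["name"] = value
    result = {}
    for vh in vhosts:
        if not vh["ssl"]:
            continue
        proto = vh["proto"]
        if proto is None:                       # inherit global, else the 'all' default
            proto = global_proto if global_proto is not None else ALL_PROTOCOLS
        result[vh["name"] or vh["addr"]] = proto
    return result


def sslv2_offenders(httpd_conf):
    """Names of SSL vhosts that would still accept SSLv2 (what the PCI scan flags)."""
    return sorted(n for n, p in effective_protocols(httpd_conf).items() if "SSLv2" in p)


# Constructed httpd.conf excerpt (not a real server's config): one vhost per variant
# seen in the thread, plus a plain-HTTP vhost that must be ignored.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    SSLEngine on
    # no SSLProtocol here: mod_ssl falls back to 'all'
    SSLCertificateFile /etc/ssl/certs/shop.example.com.crt
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName mail.example.com
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost 192.0.2.12:443>
    ServerName www.example.com
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
</VirtualHost>
<VirtualHost 192.0.2.10:80>
    ServerName shop.example.com
</VirtualHost>
"""

# What the pre_virtualhost include from post #13 contributes: one global directive.
GLOBAL_INCLUDE = "SSLProtocol -ALL +SSLv3 +TLSv1\n"

if __name__ == "__main__":
    print("offenders without include:", sslv2_offenders(SAMPLE_CONF))
    print("offenders with include:   ", sslv2_offenders(GLOBAL_INCLUDE + SAMPLE_CONF))
```

On a cPanel box the file to feed in is the generated `/usr/local/apache/conf/httpd.conf` after `build_apache_conf` has run, e.g. `sslv2_offenders(open("/usr/local/apache/conf/httpd.conf").read())`. The constructed sample shows the two outcomes the thread describes: with only per-vhost directives, the vhost that never received one stays on the default `all` and is exactly what the scan keeps flagging; with the global include in place, that same vhost inherits `-ALL +SSLv3 +TLSv1` and drops off the list.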

  14. #14
    Registered Member
    Join Date
    Sep 2010
    Posts
    19

    Default

    Wow thanks for the quick response!

    Excuse my ignorance, where should I add the Protocol include? Pre-main, pre-virtualhost or Post-virtualhost?

    Thanks a lot!!

  15. #15
    cPanel Quality Assurance Analyst cPanelDon
    Join Date
    Nov 2008
    Location
    Houston, Texas, U.S.A.
    Posts
    2,554
    cPanel/WHM Access Level

    DataCenter Provider

    Default

    Quote Originally Posted by hectorpn View Post
    Wow thanks for the quick response!

    Excuse my ignorance, where should I add the Protocol include? Pre-main, pre-virtualhost or Post-virtualhost?

    Thanks a lot!!
    I believe it should be safe to add the specific directive to either pre_main or pre_virtualhost (but not both); out of habit I often use pre_virtualhost.

    For reference, the same Apache configuration includes may be found in the following directory path (e.g., via root SSH access):
    Code:
    /usr/local/apache/conf/includes/

