PCI compliance re. SSL

[jack01]

A customer has been having PCI compliance scans on a site I am hosting and it is failing with:

Summary: The remote service encrypts traffic using a protocol with known weaknesses. Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. See also : http://www.schneier.com/paper-ssl.pdf Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See http://support.microsoft.com/kb/216482 for instructions on IIS. See http://httpd.apache.org/docs/2.0/mod/mod _ssl.html for Apache. Risk Factor: Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Is it safe to assume this is a false positive, and if not then how can this be corrected or addressed via WHM/cPanel?

WHM 11.15.0 cPanel 11.18.3-C21703
REDHAT Enterprise 4 i686 on standard - WHM X v3.1.0

[jack01]

Surely others here have had this issue too?

[koolcards]

Never seen it but it concerns the "SSLCipherSuite" directive and an older version of Apache2.0.
http://httpd.apache.org/docs/2.0/mod...sslciphersuite

My directive reads "SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL" but I've got Apache v2.2.8 and it will pass a compliance scan fine.

What's the apache version you're running and perhaps upgrading to something more recent works.

[jack01]

Apache version is 1.3.37 ... I don't want to custom install, I want to keep using EasyApache... any ideas?

[Belaird]

PCI still flags this under APACHE 2.2.8, so I am interested to know if this is a false positive, or if we should change the directive for the host to the recommend directive.

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM


But I don't see SSLProtocol anywhere, so where is it hidden, or is defaulting to vhost value?

[EWD]

Try this.

Edit httpd.conf
Find SSLLogLevel warn
Right underneath it add: SSLProtocol all -SSLv2
save it

run: /usr/local/cpanel/bin/apache_conf_distiller --update
The above will make sure easyapache does not remove the SSLProtocol all -SSLv2 part next time you upgrade(or so we hope lol)

restart apache.

That is it. SSLv2 is now disabled and should make PCI Compliance happy.

[Belaird]

Sorry I do not see
SSLLogLevel warn
in httpd.conf

[robb3369]

1. Edit the /var/cpanel/templates/apache2/ssl_vhost.default file and change add the SSLProtocol directive and change SSLCipherSuite directive as follows:

Code:

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
    SSLCertificateFile [% vhost.sslcertificatefile %]
    SSLCertificateKeyFile [% vhost.sslcertificatekeyfile %]

2. Recompile the http.conf file by running /usr/local/cpanel/bin/build_apache_conf

3. Verify the /usr/local/apache/conf/httpd.conf now contains the correct SSLProtocol and SSLCipherSuite directives from the template file for each SSL enabled site:

Code:

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
    SSLCertificateFile /etc/ssl/certs/HOSTNAME.com.crt
    SSLCertificateKeyFile /etc/ssl/private/HOSTNAME.com.key

4. Restart apache by running /scripts/restartsrv httpd

5. Verify that SSL v2 is disabled by running the following commands (change HOSTNAME.com to your server's correct hostname):

Code:

openssl s_client -ssl2 -connect HOSTNAME.com:443

This should fail with an ssl handshake failure message

Code:

wget --spider --secure-protocol=SSLv2 https://HOSTNAME.com/

This should fail with an Unable to establish SSL connection message

[Belaird]

Thanks! That worked!

[Dlanod]

Thanks. I've been trying to get this to work for some time.

[Tina]

Thank you. This worked for me.




Tina

[hectorpn]

I know this thread is oooooold but I hope someone can still help.

I did @robb3369 recommends and worked like a charm. However, it got overwritten by cPanel later on. Any ideas on how to make this persistent without breaking cPanel?

[cPanelDon]

I know this thread is oooooold but I hope someone can still help.

I did @robb3369 recommends and worked like a charm. However, it got overwritten by cPanel later on. Any ideas on how to make this persistent without breaking cPanel?

The Apache configuration directive "SSLCipherSuite" should be set using WebHost Manager (WHM) via the following menu path: WHM: Main >> Service Configuration >> Apache Configuration >> Global Configuration

Code:

SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Configuring the Apache directive "SSLProtocol" to use only SSLv3 and TLSv1 and not SSLv2 can be accomplished by defining the customization in an Apache configuration include: WHM: Main >> Service Configuration >> Apache Configuration >> Include Editor

Code:

SSLProtocol -ALL +SSLv3 +TLSv1

[hectorpn]

Wow thanks for the quick response!

Excuse my ignorance, where should I add the Protocol include? Pre-main, pre-virtualhost or Post-virtualhost?


Thanks a lot!!

[cPanelDon]

Wow thanks for the quick response!

Excuse my ignorance, where should I add the Protocol include? Pre-main, pre-virtualhost or Post-virtualhost?


Thanks a lot!!

I believe it should be safe to add the specific directive to either pre_main or pre_virtualhost (but not both); out of habit I often use pre_virtualhost.

For reference, the same Apache configuration includes may be found in the following directory path (e.g., via root SSH access):

Code:

/usr/local/apache/conf/includes/