  1. #1
    Member
    Join Date
    Nov 2002
    Posts
    20

    Default mod_ssl

    When I log into WHM it says I have an unsecure version of mod_ssl, how do I update it?

    I already updated the newest version of cpanel
    I also clicked on Update Server Software and it updated that
    I also clicked on Update System Software and it updated that

  2. #2
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by shimmy View Post
    When I log into WHM it says I have an unsecure version of mod_ssl, how do I update it?

    I already updated the newest version of cpanel
    I also clicked on Update Server Software and it updated that
    I also clicked on Update System Software and it updated that
    I recommend running EasyApache. Go to WHM -> Software -> Apache Update, ensure "Previously Saved Config (** DEFAULT **)" and you can just click "Build Profile Now" to simply update your existing Apache configuration.

    Server and system updates do not affect Apache or anything running within Apache such as PHP, mod_ssl etc.

  3. #3
    Member
    Join Date
    Jul 2005
    Posts
    54

    Default

    I'm trying to fight this PCI Compliant test and keep failing.

    Synopsis : The remote service encrypts traffic using a protocol with known weaknesses.
    Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
    See also : http://www.schneier.com/paper-ssl.pdf
    Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See http://support.microsoft.com/kb/216482 for instructions on IIS. See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html for Apache.
    Risk Factor: Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
    I did the apache update and following results yet.

    Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8b mod_bwlimited/1.4 mod_perl/2.0.4 Perl/v5.8.8

    WHM 11.23.2 cPanel 11.23.6-R27698
    CENTOS Enterprise 5.2 i686 on standard - WHM X v3.1.0


    So how do we fix this ssl issue?
    Last edited by docbreed; 12-10-2008 at 08:36 PM.

  4. #4
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by docbreed View Post
    I'm trying to fight this PCI Compliant test and keep failing.



    I did the apache update and following results yet.

    Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8b mod_bwlimited/1.4 mod_perl/2.0.4 Perl/v5.8.8

    WHM 11.23.2 cPanel 11.23.6-R27698
    CENTOS Enterprise 5.2 i686 on standard - WHM X v3.1.0


    So how do we fix this ssl issue?
    Sounds like what has been described as "weak cyphers," an issue resolved in 11.24 which hasn't yet propagated to the RELEASE build.

    There's a whole thread on weak cyphers at: http://forums.cpanel.net/showthread.php?t=61698

  5. #5
    Member Nico's Avatar
    Join Date
    Dec 2001
    Location
    Edmond, OK
    Posts
    233

    Default

    I tried updating Apache per this thread and mod_ssl is still insecure per WHM... any other suggestions?

  6. #6
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by Nico View Post
    I tried updating Apache per this thread and mod_ssl is still insecure per WHM... any other suggestions?
    I take it you mean that HTTPS connections to WHM itself support weak cyphers? If so, what's your full cPanel version number?

  7. #7
    Member Nico's Avatar
    Join Date
    Dec 2001
    Location
    Edmond, OK
    Posts
    233

    Default

    cPanel 11.24.4-E32443 - WHM 11.24.2 - X 3.9
    CENTOS 3.9 i686 on standard

    According to WHM:
    mod_ssl version = 2.2.11
    Latest Version = 2.8.27

  8. #8
    Technical Product Specialist cPanelDavidG's Avatar
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    11,189
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by Nico View Post
    cPanel 11.24.4-E32443 - WHM 11.24.2 - X 3.9
    CENTOS 3.9 i686 on standard

    According to WHM:
    mod_ssl version = 2.2.11
    Latest Version = 2.8.27
    You can upgrade mod_ssl by recompiling Apache by going to WHM -> Software -> EasyApache.

  9. #9
    Member Nico's Avatar
    Join Date
    Dec 2001
    Location
    Edmond, OK
    Posts
    233

    Default

    I did that earlier... no change.

  10. #10
    Member
    Join Date
    Apr 2003
    Posts
    193

    Default

    Is this fixed?

    Also what about FP extensions?

  11. #11
    Member Nico's Avatar
    Join Date
    Dec 2001
    Location
    Edmond, OK
    Posts
    233

    Default

    Apparently not... I just set up a new server this AM and it's broken there also.

    Latest Version 2.8.27
    Installed Version 2.0.63

    That's after running yum upgrade, /scripts/upcp and recompiling Apache.

  12. #12
    Member sneader's Avatar
    Join Date
    Aug 2003
    Location
    La Crosse, WI
    Posts
    932
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by Nico View Post
    According to WHM:
    mod_ssl version = 2.2.11
    Latest Version = 2.8.27
    Can you tell me where you find this info in WHM?

    Sounds like 2.2.11 is the version of Apache you are running (not the version of mod_ssl) ?

    - Scott

  13. #13
    Member Nico's Avatar
    Join Date
    Dec 2001
    Location
    Edmond, OK
    Posts
    233

    Default

    Quote Originally Posted by sneader View Post
    Can you tell me where you find this info in WHM?

    Sounds like 2.2.11 is the version of Apache you are running (not the version of mod_ssl) ?

    - Scott
    The Apache version is 2.0.63.
    When you log into WHM click on "news" at the top and you will see the tables that have that info.

  14. #14
    Member sneader's Avatar
    Join Date
    Aug 2003
    Location
    La Crosse, WI
    Posts
    932
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    In WHM, under Apache Configuration, there is a section that says:

    SSLCipherSuite
    This complex directive uses a colon-separated "cipher-spec" string consisting of OpenSSL cipher specifications to configure the cipher suite that the client negotiates in the SSL handshake phase.

    Default:
    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP


    Mine is set to the default. And I am failing PCI Compliance. The error message from the friendly PCI folks is:
    Synopsis : The remote service supports the use of weak SSL ciphers.
    Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
    See also : http://www.openssl.org/docs/apps/ciphers.html
    Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
    Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    Plugin output : Here is the list of weak SSL ciphers supported by the remote server :

    Low Strength Ciphers (< 56-bit key)
    SSLv2
    EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
    EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
    SSLv3
    EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
    EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
    EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
    EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
    TLSv1
    EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
    EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
    EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
    EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

    The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

    Been reading a lot of forum messages on PCI compliance and my head hurts, as to what is needed to fix this issue. A shove in the right direction would be appreciated.

    EDIT: FYI, I am running cPanel 11.24.4-S33345 - WHM 11.24.2.

    - Scott
    Last edited by sneader; 01-21-2009 at 02:03 PM.
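
Added example (not part of the thread and not cPanel's code): a Python check that parses scanner rows in the format quoted in the last post and lists the ciphers that the quoted SSLCipherSuite default already removes. It models only single-tag `!`, `-`, `+` and plain tokens of the OpenSSL cipher string, which is an assumption of this sketch; the sample report is constructed from rows in the post.

```python
import re

# Constructed sample: some rows of the plugin output quoted in the post, one per line.
REPORT = """\
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
TLSv1
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
"""
CIPHER_STRING = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"  # default quoted in the post

ROW = re.compile(r"(\S+)\s+Kx=\S+\s+Au=\S+\s+Enc=[^\s(]+\((\d+)\)\s+Mac=\S+(\s+export)?$")

def parse_report(text):
    """Return (protocol, cipher name, key bits, export flag) for every cipher row."""
    rows, proto = [], None
    for line in map(str.strip, text.splitlines()):
        if re.fullmatch(r"SSLv\d|TLSv[\d.]+", line):
            proto = line                      # heading that groups the rows below it
        elif (m := ROW.match(line)):
            rows.append((proto, m[1], int(m[2]), bool(m[3])))
    return rows

def removed_tags(cipher_string):
    """Single-tag groups the string removes: '!' is permanent, '-' lasts until re-added."""
    killed, dropped = set(), set()
    for tok in cipher_string.split(":"):
        if tok.startswith("!"):
            killed.add(tok[1:])
        elif tok.startswith("-"):
            dropped.add(tok[1:])
        elif tok == "ALL":
            dropped.clear()                   # a later ALL re-adds everything '-' removed
        elif not tok.startswith(("+", "@")):
            dropped.discard(tok)              # plain tag re-adds that group; '+' only reorders
    return killed | dropped

def row_tags(proto, name, bits, export):
    """Map a report row to the OpenSSL group tags used in the cipher string."""
    tags = {"SSLv2"} if proto == "SSLv2" else set()
    if export:
        tags.add("EXP")
    elif bits in (56, 64):
        tags.add("LOW")                       # LOW = 56/64-bit suites that are not export
    return tags

def excluded_but_reported(report, cipher_string):
    """Cipher rows the scanner saw even though the string removes their group."""
    gone = removed_tags(cipher_string)
    return [(p, n) for p, n, b, e in parse_report(report) if row_tags(p, n, b, e) & gone]
```

When every reported row comes back from `excluded_but_reported`, the scanned listener is not running with that cipher string, so confirm which port and service the scan reached before changing SSLCipherSuite again.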
