  1. #1
    Member
    Join Date
    Jun 2004
    Posts
    30

    PCI Compliance

    I am trying to set up my server to pass the PCI compliance test administered by SecurityMetrics. They have identified several issues that I can easily correct, like FP extensions (turned them off) and disabling UserDir.

    The big issue that I have is of Weak Ciphers. I have done a lot of research and have run across a lot of various people that have had issues with this. I think I know what to change and where to change it, but there are so many conflicting opinions and advice that I'm not sure what to change and where. Here are my specs:

    cPanel 11.24.4-R33385 - WHM 11.24.2 - X 3.9
    CENTOS 5.2 x86_64 on standard
    OpenSSL 0.9.8b

    Here is the output from the PCI scan:

    Code:
    Synopsis : The remote service supports the use of weak SSL ciphers.
    Description : The remote host supports the use of SSL ciphers that offer
    either weak encryption or no encryption at all.
    See also : http://www.openssl.org/docs/apps/ciphers.html
    Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
    Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    Plugin output : Here is the list of weak SSL ciphers supported by the remote server :
    Low Strength Ciphers (< 56-bit key)
    SSLv2
      EXP-RC2-CBC-MD5         Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5  export
      EXP-RC4-MD5             Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5  export
    SSLv3
      EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512)  Au=RSA Enc=DES(40) Mac=SHA1 export
      EXP-DES-CBC-SHA         Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
      EXP-RC2-CBC-MD5         Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5  export
      EXP-RC4-MD5             Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5  export
    TLSv1
      EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512)  Au=RSA Enc=DES(40) Mac=SHA1 export
      EXP-DES-CBC-SHA         Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
      EXP-RC2-CBC-MD5         Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5  export
      EXP-RC4-MD5             Kx=RSA(512) Au=RSA Enc=RC4(40)

    Currently in my Apache Global Configuration I have this as the SSLCipherSuite:
    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    I found a recommendation at this link that recommends this:

    Code:
    Add these lines to your httpd.conf (you may need to add them to each secure vhost as well):
    
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

    Because it is identified as SSLCipherSuite in WHM, I'm not sure how to handle the SSLProtocol item.

    My question is, would this be the proper syntax to add the above recommendation to the Apache Global Configuration window inside of WHM:

    Code:
    ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:-ALL +SSLv3 +TLSv1


    If this isn't correct can someone recommend the proper syntax for this? Thanks!
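As an added example (not code from the thread or from SecurityMetrics), here is a small Python audit that parses cipher lines in the `openssl ciphers -v` layout, which carries the same fields as the plugin output above, and flags what the scan flags: export-grade suites, keys under 56 bits, NULL encryption, and SSLv2. The sample listing is constructed; the suite names in it are real OpenSSL names.

```python
import re

# Constructed sample in `openssl ciphers -v` layout (name, protocol, Kx, Au,
# Enc, Mac, optional "export"); the first two are suites the scan listed.
SAMPLE = """\
EXP-RC2-CBC-MD5   SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40)  Mac=MD5  export
EXP-DES-CBC-SHA   SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40)  Mac=SHA1 export
DES-CBC-SHA       SSLv3 Kx=RSA      Au=RSA Enc=DES(56)  Mac=SHA1
RC4-MD5           SSLv2 Kx=RSA      Au=RSA Enc=RC4(128) Mac=MD5
NULL-SHA          SSLv3 Kx=RSA      Au=RSA Enc=None     Mac=SHA1
AES256-SHA        TLSv1 Kx=RSA      Au=RSA Enc=AES(256) Mac=SHA1
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)"
                  r"(\s+export)?\s*$")

def weak_reasons(line, min_bits=56):
    """Reasons one cipher line fails the scan's criteria; [] means it passes.
    Criteria: export-grade, no encryption, key shorter than min_bits, SSLv2."""
    m = LINE.match(line)
    if not m:
        raise ValueError("unrecognised cipher line: %r" % line)
    _name, proto, _kx, _au, enc, _mac, export = m.groups()
    reasons = []
    if export:
        reasons.append("export-grade")
    bits = re.search(r"\((\d+)\)", enc)
    if enc == "None":
        reasons.append("no encryption")
    elif bits and int(bits.group(1)) < min_bits:
        reasons.append("%s-bit key" % bits.group(1))
    if proto == "SSLv2":
        reasons.append("SSLv2")
    return reasons

def audit(text):
    """Map (name, protocol) -> reasons for every weak cipher in the listing."""
    report = {}
    for line in text.splitlines():
        if line.strip():
            reasons = weak_reasons(line)
            if reasons:
                name, proto = line.split()[:2]
                report[(name, proto)] = reasons
    return report

if __name__ == "__main__":
    for (name, proto), why in sorted(audit(SAMPLE).items()):
        print("%-18s %-5s %s" % (name, proto, ", ".join(why)))
```

To check a candidate SSLCipherSuite value on the server itself, pipe the output of `openssl ciphers -v 'YOUR-STRING'` into `audit()`; an empty report means none of the listed criteria are met.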

  2. #2
    Member
    Join Date
    Feb 2005
    Posts
    17

    Hi there,

    I have the same issue and while there are other threads on this forum that talk about it, I haven't been able to come up with a solution.

    This is what I have, from a suggestion by the people at Security Metrics (the 3rd party firm that is telling me to change the cipher settings):

    HIGH:MEDIUM:!ADH

    And apparently, it still isn't good enough.

    If anyone has been down this road before and knows what needs to be in Apache 2.2.x for this to pass these @$)@(!$ PCI tests (can you tell I'm a bit frustrated? ha), please share!!

    -Mike

  3. #3
    Member
    Join Date
    Jun 2004
    Posts
    30

    OK, I have just switched out my settings and passed the PCI compliance test through Security Metrics:

    In the Apache Global Settings for SSLCipherSuite:
    ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:+SSLv3:+TLSv1:RC4+RSA:+HIGH:+MEDIUM

    Enter this with no other changes, and you should be OK, or at least I was.

  4. #4
    Member
    Join Date
    Nov 2004
    Location
    Earth
    Posts
    151

    Well.. I need to try that then..

    This is what I have in httpd.conf. This took me a while to get working too.
    The SSLProtocol setting was never in my httpd.conf, but the SSLCipher setting was. I have had mixed results, it seems, too. At first just adding this was not enough. I also had to add it to every virtual host that is using SSL. I have removed it from all the virtual host entries and it is only in the httpd.conf at the top.

    I then run /usr/local/cpanel/bin/apache_conf_distiller --update
    which works, but if I then run /usr/local/cpanel/bin/build_apache_conf all the settings that worked are gone. I cannot figure out why it will not keep the settings. So, now I just do a distiller update and not a conf rebuild.

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP


    Use this to test..

    http://www.foundstone.com/us/resourc.../ssldigger.htm

  5. #5
    Member
    Join Date
    Sep 2003
    Posts
    217

    Quote Originally Posted by FourMat:
    OK, I have just switched out my settings and passed the PCI compliance test through Security Metrics:

    In the Apache Global Settings for SSLCipherSuite:
    ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:+SSLv3:+TLSv1:RC4+RSA:+HIGH:+MEDIUM

    Enter this with no other changes, and you should be OK, or at least I was.
    I get "invalid cipher string" when using this.

  6. #6
    Member SB-Nick's Avatar
    Join Date
    Aug 2008
    Posts
    102

    Hiya,

    We have posted how to fix this on our blog site.
    Kindly have a look at http://blog.serverbuddies.com/disabl...-apache-ports/

    In addition, you will see how to fix cPanel SSLv2 ports PCI compliance issue as well.
    :: Server Buddies ::

    Server Management & Monitoring

    .Dedicated Server Solutions At Affordable Rates.

  7. #7
    Member
    Join Date
    Sep 2003
    Posts
    217

    1. SSLProtocol -ALL +SSLv3 +TLSv1
    2. SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP


    These go in the ssl.conf

    I currently have:

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

    Also what about all of the VirtualHost containers that allow SSL V2? And will cpanel hold this edit to the ssl.conf?
    Last edited by rligg; 02-18-2009 at 11:44 PM.

  8. #8
    Member
    Join Date
    Sep 2003
    Posts
    217

    I am still failing on port 443. Weak Ciphers.

  9. #9
    Member sneader's Avatar
    Join Date
    Aug 2003
    Location
    La Crosse, WI
    Posts
    894
    cPanel/Enkompass Access Level

    Root Administrator

    I broke down and opened a ticket with cPanel on this problem, and after several techs got involved, with no results, it was assigned to Jamyn. That guy rocks. He got me compliant quickly. I suggested that Jamyn document his steps for the cPanel community and he said "I'm working on a more permanent solution & documentation."

    If you get stuck on this, I might suggest you open a ticket, and request Jamyn to work with you on it (I'm telling you, after nobody could get this working for me, he had it nailed in a heartbeat)

    I just went back and looked at my ticket, and here is the stuff he did with regards to weak ciphers. I hope this helps....

    Here's a quick rundown of what needs to be modified:

    # General:
    # - Disable FrontPage in WHM/EasyApache.
    # WHM: Main >> Service Configuration >> Apache Configuration
    # (or /etc/httpd/conf/includes/pre_virtualhost_global.conf)

    # SSL Cipher Suite:
    -ALL:!aNULL:!eNULL:!NULL:!ADH:!EXP:!kEDH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2

    # TraceEnable Off
    # ServerSignature: Off
    # ServerTokens: ProductOnly
    # FileETag: None

    # WHM: Main >> Service Configuration >> Exim Configuration Editor
    tls_require_ciphers = SSLv3:TLS


    # /usr/lib/courier-imap/etc/pop3d-ssl
    TLS_CIPHER_LIST="ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"
    TLS_PROTOCOL="SSL3"

    # /usr/lib/courier-imap/etc/imapd-ssl
    TLS_CIPHER_LIST="ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"
    TLS_PROTOCOL="SSL3"


    # Test your apache configs:
    /usr/local/apache/bin/apachectl configtest
    # If it's fine, distill the config to make it permanent:
    /usr/local/cpanel/bin/apache_conf_distiller --update --main


    # /usr/local/cpanel/etc/stunnel/default/stunnel.conf
    # Add this below the Authentication block:
    options = NO_SSLv2

    # Reload configurations
    /usr/local/cpanel/startup

    # You may get false positives about OpenSSL being out of date, specifically on
    # OS's that like to backport security fixes (Fedora/CentOS/RedHat); explaining
    # that to the vendor should be sufficient.

    Let me know if you have any other questions; thanks! Have a good one.
    - Scott

  10. #10
    Member
    Join Date
    Sep 2003
    Posts
    217

    Quote Originally Posted by sneader:
    I broke down and opened a ticket with cPanel on this problem, and after several techs got involved, with no results, it was assigned to Jamyn. That guy rocks. He got me compliant quickly. I suggested that Jamyn document his steps for the cPanel community and he said "I'm working on a more permanent solution & documentation."

    If you get stuck on this, I might suggest you open a ticket, and request Jamyn to work with you on it (I'm telling you, after nobody could get this working for me, he had it nailed in a heartbeat)

    I just went back and looked at my ticket, and here is the stuff he did with regards to weak ciphers. I hope this helps....

    - Scott
    The Global Apache Config keeps telling me that

    ALL:!aNULL:!eNULL:!NULL:!ADH:!EXP:!kEDH:RC4+RSA:+H IGH:+MEDIUM:-LOW:-SSLv2

    is an invalid cipher string, so it uses the default of:

    ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
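Two things in this thread are worth catching before Apache falls back to its default: the syntax question in post #1 (SSLProtocol tokens appended to the cipher string) and the "invalid cipher string" here, where the value as pasted reads "+H IGH". The following is an added example, not code from the thread or from cPanel: a small Python lint that splits an SSLCipherSuite value the way OpenSSL does (on ':', ',' and whitespace) and reports stray whitespace, unknown keywords, and a -ALL/!ALL that would wipe everything added before it. The keyword set is an assumption, limited to the keywords this thread uses plus a few standard ones.

```python
import re

# Cipher-list keywords used in this thread plus a few standard OpenSSL ones.
# Deliberately small; extend it for your own strings.
KNOWN = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW", "EXP", "EXPORT", "EXPORT40",
         "EXPORT56", "NULL", "aNULL", "eNULL", "ADH", "kEDH", "RSA", "RC4",
         "DES", "SSLv2", "SSLv3", "TLSv1"}
DIRECTIVES = {"@STRENGTH"}  # sort directive, not a cipher keyword
# optional prefix (!, -, +) followed by keyword(s) joined with '+' (logical AND)
TOKEN = re.compile(r"^([!+-]?)([A-Za-z0-9]+(?:\+[A-Za-z0-9]+)*)$")

def lint_cipher_string(value):
    """Return the problems found in an SSLCipherSuite value; [] means every
    token is a known keyword with a valid prefix and nothing empties the list."""
    problems = []
    if re.search(r"\s", value.strip()):
        problems.append("contains whitespace: OpenSSL treats it as a separator")
    # OpenSSL splits on ':', ',' or whitespace, so split the same way.
    tokens = [t for t in re.split(r"[:,\s]+", value.strip()) if t]
    added = False  # has a plain (adding) token been seen yet?
    for tok in tokens:
        if tok in DIRECTIVES:
            continue
        m = TOKEN.match(tok)
        if not m:
            problems.append("malformed token %r" % tok)
            continue
        prefix, body = m.groups()
        for word in body.split("+"):
            if word not in KNOWN:
                problems.append("unknown keyword %r in token %r" % (word, tok))
        # '-' removes matching ciphers (re-addable later), '!' removes them for
        # good; either one on ALL after additions leaves the list empty.
        if prefix in ("-", "!") and body == "ALL" and added:
            problems.append("%r deletes every cipher added before it" % tok)
        if prefix == "":
            added = True
    return problems

if __name__ == "__main__":
    for s in ("ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM",
              "ALL:!aNULL:!eNULL:!NULL:!ADH:!EXP:!kEDH:RC4+RSA:+H IGH:+MEDIUM:-LOW:-SSLv2",
              "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:-ALL +SSLv3 +TLSv1"):
        print(s, "->", lint_cipher_string(s) or "OK")
```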

  11. #11
    Member sneader's Avatar
    Join Date
    Aug 2003
    Location
    La Crosse, WI
    Posts
    894
    cPanel/Enkompass Access Level

    Root Administrator

    I logged into my WHM (11.24) > Apache Configuration > Global Configuration, and here is a direct cut and paste:

    ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1

    I am not sure why this does not match Jamyn's documentation. But you might try this one.

    - Scott
