  1. #1
    Member
    Join Date
    May 2003
    Location
    Seattle
    Posts
    103

    Default SSLProtocol all -SSLv2

    In trying to make the server more secure for a Security Metrics certification, they are requesting (read: demanding) that I disable the SSLv2 protocol.

    I edit the httpd.conf file and add:

    SSLProtocol all -SSLv2

    to the server section. It disables the protocol for sure, but then none of the existing SSL/TLS virtual servers work.

    WHM and Cpanel encrypted access still works, though.

    Does anyone know what I am doing wrong?

  2. #2
    Member
    Join Date
    Dec 2006
    Posts
    26

    Default

    Have you enabled compliant modes in your CipherSuite?

  3. #3
    Member
    Join Date
    Feb 2003
    Posts
    291

    Default

    We had the same issue while auditing our server through security metrics certification.

    SSLProtocol all -SSLv2 worked for us without any issues.
    Mitul

  4. #4
    EWD
    cPanel Partner NOC
    Join Date
    Aug 2003
    Location
    NY
    Posts
    164

    Default

    Sorry for digging up an old thread, but I am having the same problem.

    Where exactly do you add SSLProtocol all -SSLv2 in httpd.conf?

    Thanks
    Emerson

  5. #5
    EWD
    cPanel Partner NOC
    Join Date
    Aug 2003
    Location
    NY
    Posts
    164

    Default

    Found it!
    If anyone comes across this, the code above should be added within the <IfModule mod_ssl.c> section of your httpd.conf.

    Make sure to restart apache.
    Emerson

  6. #6
    EWD
    cPanel Partner NOC
    Join Date
    Aug 2003
    Location
    NY
    Posts
    164

    Default

    Ok we are back at this again.
    Now with EA3 the code gets removed.

    Anyone know which include file I could add that code to so that it does not get overwritten the next time EA3 runs?

    Thanks
    Emerson

  7. #7
    Member
    Join Date
    Sep 2003
    Posts
    148

    Default

    Quote Originally Posted by EWD View Post
    Ok we are back at this again.
    Now with EA3 the code gets removed.

    Anyone know which include file I could add that code to so that it does not get overwritten the next time EA3 runs?

    Thanks
    Same problem here, when using EA3 that code is missing.

  8. #8
    cPanel Staff cpanelnick
    Join Date
    Feb 2003
    Location
    Houston, TX
    Posts
    4,514

    Default

    Quote Originally Posted by 10101 View Post
    Same problem here, when using EA3 that code is missing.
    Go ahead and add it to

    /usr/local/apache/conf/includes/pre_virtualhost_global.conf

    instead

  9. #9
    Member
    Join Date
    Sep 2003
    Posts
    148

    Default

    Quote Originally Posted by cpanelnick View Post
    Go ahead and add it to

    /usr/local/apache/conf/includes/pre_virtualhost_global.conf

    instead
    Hi,

    I've tried adding:

    SSLProtocol all -SSLv2

    to the file you mentioned; however, it still shows as active v2. Am I adding it correctly?

  10. #10
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider

    Default

    Even after adding "SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP" and when trying to regenerate httpd.conf, the weak cipher error still appears.

    Looking at the httpd.conf I found the line to be

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    Is there any way to change this so cPanel doesn't replace it with the default line, and thus remove the weak cipher problem?
    :: Anand ::

    ssh root@
    who the hell is root ???

    Cpanelappz Support Forums are up now. Register Today
    http://forums.cpanelappz.com

    WHM/cPanel API : http://whmapi.cpanelappz.com
    Cpanel Login Script : www.cpanelappz.com/cpanel-login-script.htm
    Exiscan+Clam+Exim Auto Installer : www.cpanelappz.com

  11. #11
    Technical Product Specialist cPanelDavidG
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    10,720
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by anand View Post
    Even after adding "SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP" and when trying to regenerate httpd.conf, the weak cipher error still appears.

    Looking at the httpd.conf I found the line to be

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    Is there any way to change this so cPanel doesn't replace it with the default line, and thus remove the weak cipher problem?
    The default line is ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP on the latest builds of cPanel/WHM (all branches). You may desire to update cPanel/WHM on your server.

  12. #12
    Member
    Join Date
    Nov 2002
    Posts
    1,781
    cPanel/Enkompass Access Level

    DataCenter Provider

    Default

    I checked and found cPanel/WHM to be the latest on the server; even running upcp doesn't update anything. Further, I have on this client server Apache 2.0 and PHP 4+5, both set up to the latest versions.

    I even tried to regenerate the httpd.conf in hope of it updating the line, but no luck.

    Any other advice on how to get this resolved?
    :: Anand ::


  13. #13
    Technical Product Specialist cPanelDavidG
    Join Date
    Nov 2006
    Location
    Houston, TX
    Posts
    10,720
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Quote Originally Posted by anand View Post
    I checked and found cPanel/WHM to be the latest on the server; even running upcp doesn't update anything. Further, I have on this client server Apache 2.0 and PHP 4+5, both set up to the latest versions.

    I even tried to regenerate the httpd.conf in hope of it updating the line, but no luck.

    Any other advice on how to get this resolved?
    I'm sure you already know about checking http://layer2.cpanel.net/ for the latest build numbers. Therefore, I recommend letting our technical analysts take a look at that for you.

  14. #14
    Registered User
    Join Date
    Feb 2007
    Posts
    1

    Default

    I have the following in httpd.conf that fixed it for all ports except the cpanel ports:

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    I tried all kinds of fixes but the issue with the cPanel ports still existed. Then I luckily found the instructions at http://blog.serverbuddies.com/tag/pc...vulnerability/ and it worked! Here's what they suggest on that site:

    --------------------------

    In Apache common ports 80 and 443, you need to modify the SSLCipherSuite directive in the httpd.conf or ssl.conf file. An example would be editing the following lines to something like:

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    After you have done this, if you are still getting PCI Compliance vulnerability emails regarding this issue, it's probably because cPanel is still allowing SSLv2 on its ports.

    To quickly disable SSL version 2 on the cPanel ports (2082, 2083, 2086, 2087, 2095, 2096), you will need to do the following:

    edit /var/cpanel/cpanel.config and change nativessl=1 to nativessl=0

    This will make cPanel use sTunnel.

    edit /usr/local/cpanel/etc/stunnel/default/stunnel.conf

    and add:

    options = NO_SSLv2
    just below the "Authentication stuff" tab.

    After you have done all this you will need to restart cPanel:

    /etc/init.d/cpanel restart
    Done!

    How to quickly check this?

    SSH to your server and type the following commands

    root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2096
    root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2083
    root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2087
    root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2086
    If everything is fine you should receive something like this,

    root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2096
    CONNECTED(00000003)
    write:errno=104

  15. #15
    cPanel Partner NOC
    Join Date
    Aug 2003
    Location
    San Diego
    Posts
    97
    cPanel/Enkompass Access Level

    DataCenter Provider

    Default

    How do you prevent cpanel ports from supporting weak ciphers?

    openssl s_client -host localhost -port 2087 -ssl3 -cipher EXP-RC2-CBC-MD5

    <snip>
    SSL handshake has read 6434 bytes and written 198 bytes
    ---
    New, TLSv1/SSLv3, Cipher is EXP-RC2-CBC-MD5
    Server public key is 1024 bit
    SSL-Session:
    Protocol : SSLv3
    Cipher : EXP-RC2-CBC-MD5
    Session-ID: 9A844341A2CC8EDEE56E2138571718FDB60258BB6D52D237C93E65AF600799B9
    <snip>
    Last edited by tvcnet; 10-15-2008 at 12:29 AM.
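
The three SSLCipherSuite lines quoted in posts #10, #11 and #14 differ mostly in their prefixes, and post #15 shows an export cipher (EXP-RC2-CBC-MD5) still negotiating over SSLv3 after SSLv2 is off. The difference matters: in an OpenSSL cipher string `+SSLv2` does not enable anything, it only moves already-selected ciphers to the end of the list, whereas `-SSLv2` deletes them and `!SSLv2` deletes them permanently. Likewise, in mod_ssl's `SSLProtocol` a token without a `+` or `-` prefix replaces the whole set rather than adding to it. The following is an added example written for this thread, not Apache, OpenSSL or cPanel code: it models both parsers (semantics taken from mod_ssl's directive parser and the OpenSSL ciphers(1) man page) against a small constructed cipher table, whose selection of suites is ours, so the effect of each line can be checked offline.

```python
"""Model of mod_ssl's SSLProtocol and an OpenSSL-style SSLCipherSuite string,
run against a small constructed cipher table (added example, not Apache or
cPanel code) so the effect of the +/-/! prefixes can be checked offline."""

PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1")

def parse_ssl_protocol(directive):
    """Protocols enabled by an SSLProtocol argument, as mod_ssl parses it:
    a bare token REPLACES the set, '+' adds, '-' removes, 'all' is every one."""
    enabled = set()
    for token in directive.split():
        action = ""
        if token[0] in "+-":
            action, token = token[0], token[1:]
        wanted = {p for p in PROTOCOLS if token.lower() in ("all", p.lower())}
        if not wanted:
            raise ValueError("unknown protocol %r" % token)
        if action == "-":
            enabled -= wanted
        elif action == "+":
            enabled |= wanted
        else:
            enabled = wanted  # no prefix: overrides whatever came before
    return enabled

# Constructed subset of an OpenSSL cipher table: name -> keyword classes that
# ciphers(1) matches on (RSA = RSA key exchange, ADH = anonymous DH, EXP/EXPORT40/
# EXPORT56 = export grade, SSLv2/SSLv3 = protocol).  Selection is ours.
CIPHER_TABLE = [
    ("DHE-RSA-AES256-SHA",  {"SSLv3", "kEDH", "AES", "SHA", "HIGH"}),
    ("RC4-MD5",             {"SSLv3", "RSA", "RC4", "MD5", "MEDIUM"}),
    ("DES-CBC-SHA",         {"SSLv3", "RSA", "DES", "SHA", "LOW"}),
    ("EXP1024-DES-CBC-SHA", {"SSLv3", "RSA", "DES", "SHA", "EXP", "EXPORT56"}),
    ("EXP-RC2-CBC-MD5",     {"SSLv3", "RSA", "RC2", "MD5", "EXP", "EXPORT40"}),
    ("ADH-AES128-SHA",      {"SSLv3", "ADH", "aNULL", "AES", "SHA", "HIGH"}),
    ("NULL-SHA",            {"SSLv3", "RSA", "eNULL", "SHA"}),
    ("DES-CBC3-MD5",        {"SSLv2", "RSA", "3DES", "MD5", "HIGH"}),
    ("RC2-CBC-MD5",         {"SSLv2", "RSA", "RC2", "MD5", "MEDIUM"}),
    ("EXP-RC4-MD5",         {"SSLv2", "RSA", "RC4", "MD5", "EXP", "EXPORT40"}),
]
CLASSES = dict(CIPHER_TABLE)
KEYWORDS = set().union(*CLASSES.values()) | {"ALL", "COMPLEMENTOFALL"}

def _matches(word, classes):
    """Does a cipher with these classes match one word?  'A+B' means AND."""
    parts = word.split("+")
    if any(p not in KEYWORDS for p in parts):
        raise ValueError("unknown cipher keyword in %r" % word)
    if word in ("ALL", "COMPLEMENTOFALL"):   # ALL is everything but eNULL
        return (word == "COMPLEMENTOFALL") == ("eNULL" in classes)
    return all(p in classes for p in parts)

def evaluate_cipher_string(spec, table=CIPHER_TABLE):
    """Ordered ciphers left by a cipher-list string, per ciphers(1): a bare word
    appends matches; '+word' only MOVES already-listed matches to the end (adds
    nothing); '-word' deletes matches (re-addable later); '!word' deletes for good."""
    enabled, killed = [], set()
    for word in filter(None, spec.split(":")):
        action = ""
        if word[0] in "+-!":
            action, word = word[0], word[1:]
        matching = [n for n, c in table if n not in killed and _matches(word, c)]
        if action == "!":
            killed.update(matching)
            enabled = [n for n in enabled if n not in killed]
        elif action == "-":
            enabled = [n for n in enabled if n not in matching]
        elif action == "+":
            moved = [n for n in enabled if n in matching]
            enabled = [n for n in enabled if n not in matching] + moved
        else:
            enabled += [n for n in matching if n not in enabled]
    return enabled

WEAK = {"SSLv2", "EXP", "LOW", "eNULL", "aNULL"}
# The two SSLCipherSuite lines quoted in the thread.
OLD_DEFAULT = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
HARDENED = "ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"

def sslv2_exposure(protocol_directive, cipher_spec):
    """Combine both directives: SSLv2 is reachable only if the protocol stays
    enabled AND an SSLv2 suite survives the list; 'weak' is what a scan of the
    era still flags (e.g. EXP-RC2-CBC-MD5 offered over SSLv3, as in post #15)."""
    protocols = parse_ssl_protocol(protocol_directive)
    ciphers = evaluate_cipher_string(cipher_spec)
    return {
        "protocols": protocols,
        "ciphers": ciphers,
        "weak": [n for n in ciphers if CLASSES[n] & WEAK],
        "sslv2_reachable": "SSLv2" in protocols
        and any("SSLv2" in CLASSES[n] for n in ciphers),
    }

if __name__ == "__main__":
    for spec in (OLD_DEFAULT, HARDENED):   # both with the permissive SSLProtocol all
        print(spec, "->", sslv2_exposure("all", spec))
```

Run against the old default line with `SSLProtocol all -SSLv2`, `sslv2_reachable` comes back False but `weak` still contains `EXP-RC2-CBC-MD5`, which is exactly the situation in post #15: turning the protocol off does not remove export-grade suites from the SSLv3 list, only a `-EXP` or `!EXP` in SSLCipherSuite does. Against the `-SSLv2:-EXP` form, both the SSLv2 and the export suites are gone.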
