
PCI compliance re. SSL

Discussion in 'Security' started by jack01, Mar 12, 2008.

  1. jack01 (Member)
    A customer has been having PCI compliance scans on a site I am hosting and it is failing with:

    Is it safe to assume this is a false positive, and if not then how can this be corrected or addressed via WHM/cPanel?

    WHM 11.15.0 cPanel 11.18.3-C21703
    REDHAT Enterprise 4 i686 on standard - WHM X v3.1.0
     
    #1 jack01, Mar 12, 2008
    Last edited: Mar 12, 2008
  2. jack01 (Member)
    Surely others here have had this issue too?
     
  3. koolcards (Member)
    Never seen it, but it concerns the "SSLCipherSuite" directive and an older version of Apache 2.0.
    http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslciphersuite

    My directive reads "SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL" but I've got Apache v2.2.8 and it will pass a compliance scan fine.

    What's the Apache version you're running? Perhaps upgrading to something more recent works.
     
  4. jack01 (Member)
    Apache version is 1.3.37... I don't want to do a custom install, I want to keep using EasyApache... any ideas?
     
  5. Belaird (Member)
    Apache 2.2.8

    PCI still flags this under Apache 2.2.8, so I am interested to know if this is a false positive, or if we should change the directive for the host to the recommended directive.

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM


    But I don't see SSLProtocol anywhere, so where is it hidden, or is it defaulting to the vhost value?
     
  6. EWD (Member)
    Try this.

    Edit httpd.conf.
    Find "SSLLogLevel warn".
    Right underneath it add: SSLProtocol all -SSLv2
    Save it.

    Run: /usr/local/cpanel/bin/apache_conf_distiller --update
    The above will make sure EasyApache does not remove the "SSLProtocol all -SSLv2" part next time you upgrade (or so we hope, lol).

    Restart Apache.

    That is it. SSLv2 is now disabled and should make PCI compliance happy.
     
  7. Belaird (Member)
    Where

    Sorry, I do not see
    SSLLogLevel warn
    in httpd.conf.
     
  8. robb3369 (Member)
    This works for me...

    1. Edit the /var/cpanel/templates/apache2/ssl_vhost.default file, add the SSLProtocol directive and change the SSLCipherSuite directive as follows:
    Code:
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
        SSLCertificateFile [% vhost.sslcertificatefile %]
        SSLCertificateKeyFile [% vhost.sslcertificatekeyfile %]
    2. Recompile the httpd.conf file by running /usr/local/cpanel/bin/build_apache_conf

    3. Verify the /usr/local/apache/conf/httpd.conf now contains the correct SSLProtocol and SSLCipherSuite directives from the template file for each SSL enabled site:
    Code:
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!LOW:!SSLv2:!EXP:+HIGH:+MEDIUM
        SSLCertificateFile /etc/ssl/certs/HOSTNAME.com.crt
        SSLCertificateKeyFile /etc/ssl/private/HOSTNAME.com.key
    4. Restart apache by running /scripts/restartsrv httpd

    5. Verify that SSL v2 is disabled by running the following commands (change HOSTNAME.com to your server's correct hostname):
    Code:
    openssl s_client -ssl2 -connect HOSTNAME.com:443
    This should fail with an SSL handshake failure message

    Code:
    wget --spider --secure-protocol=SSLv2 https://HOSTNAME.com/
    This should fail with an Unable to establish SSL connection message
     
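The verification in step 5 depends on an `openssl` binary that still speaks SSLv2, and OpenSSL 1.1.0 and later (and most distribution builds before that) no longer have `-ssl2` at all. The following is an added example, not code from robb3369's post or from cPanel: it sends the same raw SSLv2 CLIENT-HELLO that `s_client -ssl2` used to send and classifies the reply, so the check can be repeated from any current host. The message layout follows the SSLv2 draft; `SAMPLE_SERVER_HELLO` is a constructed reply, not a capture, and `HOSTNAME.com` is the placeholder from the post.

```python
"""Raw SSLv2 CLIENT-HELLO probe.

Added example for this thread, not cPanel's or the poster's code.  It sends the
SSLv2 CLIENT-HELLO that "openssl s_client -ssl2" used to send and classifies the
reply, so the step-5 check can be run from a host whose OpenSSL has no SSLv2.
Message layout follows the SSLv2 draft (Hickman, 1995).
"""
import socket
import struct
import sys
from typing import Dict, List

# SSLv2 CIPHER-KIND codes (3 bytes each) with the names OpenSSL used for them.
SSLV2_CIPHERS: Dict[bytes, str] = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_ERROR, MSG_CLIENT_HELLO, MSG_SERVER_HELLO = 0x00, 0x01, 0x04
TLS_ALERT = 0x15          # first byte of an SSLv3/TLS alert record
SSLV2_VERSION = 0x0002


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """One SSLv2 record holding a CLIENT-HELLO that offers every SSLv2 cipher kind."""
    cipher_specs = b"".join(SSLV2_CIPHERS.keys())
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION,
                       len(cipher_specs), 0, len(challenge))   # no session id
    body += cipher_specs + challenge
    # 2-byte record header: high bit set means "no padding", low 15 bits = length.
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_response(data: bytes) -> dict:
    """Classify the server's reply to the CLIENT-HELLO."""
    if not data:
        return {"status": "closed", "detail": "connection closed without a reply"}
    if data[0] == TLS_ALERT:
        return {"status": "rejected", "detail": "SSLv3/TLS alert; SSLv2 not spoken"}
    if len(data) < 3 or not data[0] & 0x80:
        return {"status": "unknown", "detail": data[:8].hex()}
    length = struct.unpack("!H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if not body:
        return {"status": "unknown", "detail": "empty SSLv2 record"}
    if body[0] == MSG_ERROR:                      # ERROR: type(1) + error-code(2)
        code = struct.unpack("!H", body[1:3])[0] if len(body) >= 3 else None
        return {"status": "rejected", "detail": f"SSLv2 ERROR, code {code}"}
    if body[0] != MSG_SERVER_HELLO or len(body) < 11:
        return {"status": "unknown", "detail": body[:8].hex()}
    # SERVER-HELLO: type, session-id-hit, cert-type, version, cert-len,
    # cipher-specs-len, connection-id-len, then the three variable-length fields.
    _, _hit, _cert_type, version, cert_len, spec_len, _conn_len = struct.unpack(
        "!BBBHHHH", body[:11])
    specs = body[11 + cert_len:11 + cert_len + spec_len]
    ciphers: List[str] = [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
                          for i in range(0, len(specs) - 2, 3)]
    # A SERVER-HELLO with no cipher kinds still means the SSLv2 handshake is accepted.
    status = "enabled" if ciphers else "enabled-no-ciphers"
    return {"status": status, "version": version, "ciphers": ciphers}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send the CLIENT-HELLO to a live server and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return parse_response(data)


# Constructed SERVER-HELLO (not a real capture): version 2, a 5-byte dummy
# certificate, two cipher kinds, 16-byte connection id.
SAMPLE_SERVER_HELLO = (
    b"\x80\x26"                      # record header, body length 38
    b"\x04\x00\x01\x00\x02"          # SERVER-HELLO, no session hit, X.509, v2
    b"\x00\x05\x00\x06\x00\x10"      # cert len 5, cipher specs len 6, conn id len 16
    b"\x30\x03\x02\x01\x01"          # dummy DER blob standing in for the cert
    b"\x01\x00\x80\x07\x00\xc0"      # RC4_128_WITH_MD5, DES_192_EDE3_CBC_WITH_MD5
    + b"\xaa" * 16
)

if __name__ == "__main__":
    if len(sys.argv) > 1:            # python sslv2_probe.py HOSTNAME.com [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(probe(sys.argv[1], port))
    else:                            # offline: what an SSLv2-enabled reply parses to
        print(parse_response(SAMPLE_SERVER_HELLO))
```

A server with `SSLProtocol all -SSLv2` in effect answers with a TLS alert or just drops the connection (`rejected` or `closed`); an `enabled` result lists the SSLv2 cipher kinds it would negotiate, which is what the PCI scanner is reporting. A SERVER-HELLO with an empty cipher list is still a fail: the protocol is accepted even if no cipher can be agreed, so treat `enabled-no-ciphers` the same way.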
  9. Belaird (Member)
    It works

    Thanks! That worked!
     
  10. Dlanod (New Member)
    Thanks. I've been trying to get this to work for some time.
     
  11. Tina (Member)
    Thank you. This worked for me.

    :)


    Tina
     
  12. hectorpn (New Member)
    I know this thread is oooooold but I hope someone can still help.

    I did what @robb3369 recommends and it worked like a charm. However, it got overwritten by cPanel later on. Any ideas on how to make this persistent without breaking cPanel?
     
  13. cPanelDon (cPanel Quality Assurance Analyst, Staff Member)
    The Apache configuration directive "SSLCipherSuite" should be set using WebHost Manager (WHM) via the following menu path: WHM: Main >> Service Configuration >> Apache Configuration >> Global Configuration
    Code:
    SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    Configuring the Apache directive "SSLProtocol" to use only SSLv3 and TLSv1 and not SSLv2 can be accomplished by defining the customization in an Apache configuration include: WHM: Main >> Service Configuration >> Apache Configuration >> Include Editor
    Code:
    SSLProtocol -ALL +SSLv3 +TLSv1
     
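Both directives above take their value in OpenSSL's own syntax, so the quickest way to see what a given `SSLCipherSuite` string actually offers (and why a scan still objects to it) is to expand it with `openssl ciphers -v`. The following is an added example, not cPanel's code or anything from this thread: it parses that output and reports the suites a scanner will flag, covering the findings discussed here (SSLv2, export, LOW, eNULL, ADH) plus RC4 and 3DES, which scanners reject today. `SAMPLE_OUTPUT` is a constructed sample of the 0.9.8-era output, not captured from any server; the live run at the end only happens if an `openssl` binary is installed and accepts the string.

```python
"""Expand an Apache SSLCipherSuite string and flag suites a scanner will reject.

Added example for this thread, not cPanel's code.  SSLCipherSuite takes an
OpenSSL cipher string, so "openssl ciphers -v <string>" lists exactly the suites
Apache will offer, in preference order.  parse_ciphers_output() reads that
output and findings() gives the reasons a suite would be flagged.
SAMPLE_OUTPUT is constructed, not captured from any server.
"""
import subprocess
from typing import Dict, List, Optional


def parse_ciphers_output(text: str) -> List[dict]:
    """One dict per line of `openssl ciphers -v`, e.g.
    'EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export'."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        suite = {"name": fields[0], "protocol": fields[1],
                 "export": "export" in fields[2:]}
        for tok in fields[2:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                suite[key] = value          # Kx, Au, Enc, Mac
        suites.append(suite)
    return suites


def enc_bits(enc: str) -> Optional[int]:
    """'AES(128)' -> 128; None when there is no bit count ('None', 'ChaCha20-Poly1305')."""
    if "(" in enc and enc.endswith(")"):
        return int(enc[enc.index("(") + 1:-1])
    return None


def findings(suite: dict) -> List[str]:
    """Reasons a scanner would flag this suite; an empty list means acceptable."""
    reasons = []
    if suite["protocol"] == "SSLv2":
        reasons.append("SSLv2-only suite")
    if suite.get("Au") == "None":
        reasons.append("anonymous key exchange (ADH/AECDH)")
    enc = suite.get("Enc", "")
    bits = enc_bits(enc)
    if enc.startswith("None"):
        reasons.append("no encryption (eNULL)")
    elif bits is not None and bits < 128:       # what the LOW/EXP keywords cover
        reasons.append(f"weak cipher strength {enc}")
    if suite["export"]:
        reasons.append("export-grade suite")
    if enc.startswith("RC4"):
        reasons.append("RC4 (broken; rejected by current scanners)")
    if enc.startswith("3DES"):
        reasons.append("3DES (64-bit block, SWEET32)")
    return reasons


def audit(cipher_string: str, output: Optional[str] = None) -> dict:
    """Audit a cipher string.  With output=None the string is run through the
    local `openssl ciphers -v`; pass captured output to audit offline."""
    if output is None:
        output = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                                capture_output=True, text=True, check=True).stdout
    suites = parse_ciphers_output(output)
    flagged: Dict[str, List[str]] = {}
    for s in suites:
        reasons = findings(s)
        if reasons:                 # name alone is not unique: RC4-MD5 exists for SSLv2 and SSLv3
            flagged[f"{s['name']} ({s['protocol']})"] = reasons
    return {"cipher_string": cipher_string, "total": len(suites), "flagged": flagged}


# Constructed sample of `openssl ciphers -v 'ALL:eNULL'` on an OpenSSL 0.9.8-era
# build (the generation this thread is about); not captured from a server.
SAMPLE_OUTPUT = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
"""

if __name__ == "__main__":
    report = audit("ALL:eNULL", output=SAMPLE_OUTPUT)
    for name, reasons in report["flagged"].items():
        print(f"{name}: {'; '.join(reasons)}")
    # Live check of the string from cPanelDon's post, if openssl is installed
    # (a recent OpenSSL may reject the SSLv2 keyword outright).
    try:
        live = audit("ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP")
        print(f"live: {live['total']} suites, {len(live['flagged'])} flagged")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"live check skipped: {exc}")
```

Run against the strings posted earlier in the thread, the difference is visible at once: `+SSLv2`, `+LOW`, `+EXP` and `+eNULL` keep exactly the suites that appear in the flagged list, while `!SSLv2:!LOW:!EXP` (or the `-SSLv2:-LOW:-EXP` form above) removes them. Note that excluding SSLv2 cipher kinds is not the same as disabling the protocol; the `SSLProtocol` directive is still needed for that.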
  14. hectorpn (New Member)
    Wow thanks for the quick response!

    Excuse my ignorance, but where should I add the SSLProtocol include? Pre-main, pre-virtualhost or post-virtualhost?


    Thanks a lot!!
     
  15. cPanelDon (cPanel Quality Assurance Analyst, Staff Member)
    I believe it should be safe to add the specific directive to either pre_main or pre_virtualhost (but not both); out of habit I often use pre_virtualhost.

    For reference, the same Apache configuration includes may be found in the following directory path (e.g., via root SSH access):
    Code:
    /usr/local/apache/conf/includes/
     
  16. thelunatic (New Member)
    I'm having the same problem. Is this all I have to do to make the SSL cipher SSLv3?
     
