Beast TLS Vulnerability

grayloon

Well-Known Member
Oct 31, 2007
117
4
68
Evansville, IN
cPanel Access Level
Root Administrator
Twitter
I did some searching, and I can't find any cPanel references for this vulnerability. Will the fix below work with cPanel?

Mitigating the BEAST attack on TLS

This is the vulnerability information from McAfee Secure:
SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability
A vulnerability exists in SSL 3.0 and TLS 1.0 that could allow information disclosure if an attacker intercepts encrypted traffic served from an affected system. TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected. This script tries to establish an SSL/TLS remote connection using an affected SSL version and cipher suite, and then solicits return data. If returned application data is not fragmented with an empty or one-byte record, it is likely vulnerable. OpenSSL uses empty fragments as a countermeasure unless the 'SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS' option is specified when OpenSSL is initialized. Microsoft implemented one-byte fragments as a countermeasure, and the setting can be controlled via the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendExtraRecord. Therefore, if multiple applications use the same SSL/TLS implementation, some may be vulnerable while others may not, depending on whether or not a countermeasure has been enabled. Note that this script detects the vulnerability in the SSLv3/TLSv1 protocol implemented in the server. It does not detect the BEAST attack where it exploits the vulnerability at HTTPS client-side (i.e., Internet browser). The detection at server-side does not necessarily means your server is vulnerable to the BEAST attack because the attack exploits the vulnerability at client-side, and both SSL/TLS clients and servers can independently employ the split record countermeasure.

Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported. Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available.
 

DomineauX

Well-Known Member
PartnerNOC
Apr 12, 2003
429
11
168
Houston, TX
cPanel Access Level
Root Administrator
I believe the following should work properly but have not had specific confirmation back from clients who had it flagged on their PCI scans:

In WHM >> Apache Configuration >> Global Configuration:
Change "SSL Cipher Suite" to the custom field and enter:
"ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH"

In WHM >> Apache Configuration >> Include Editor:
Add "SSLHonorCipherOrder On" to Pre VirtualHost Include - All Versions