Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

cPanel / Comodo Service SSL Certificate Fails PCI

Discussion in 'Security' started by SJR, Aug 12, 2018 at 11:31 AM.

Tags:
  1. SJR

    SJR Member

    Joined:
    Jan 2, 2017
    Messages:
    12
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    USA
    cPanel Access Level:
    Website Owner
    My 'manage service ssl certificate' was recently replaced with the cPanel / Comodo free one year certificate.
    My PCI scan vendor just ran a scan on the server and all the services that the ssl certificate covers have failed the scan.
    Here is the results of the fail:

    "Details
    Category General
    CVE CVE-2004-2761 BID : 33065, 11849 Other references { cert : 836068cwe : 310 }
    CVSS base score 5.0
    Description SSL Certificate Signed Using Weak Hashing Algorithm (Known CA)
    Host xxx.xx.xxx.xxx
    Threat -
    Impact The remote service uses a known CA certificate in the SSL certificate chain that has been signed using a cryptographically weak hashing algorithm (e.g., MD2, MD4, MD5, or SHA1). These signature algorithms are known to be vulnerable to collision attacks. An attacker can exploit this to generate another certificate with the same digital signature, allowing the attacker to masquerade as the affected service.<br/><br/>Note that this plugin reports all SSL certificate chains signed with SHA-1 that expire after January 1, 2017 as vulnerable. This is in accordance with Google's gradual sunsetting of the SHA-1 cryptographic hash algorithm.
    Solution Contact the Certificate Authority to have the certificate reissued.
    PCI compliant No
    PCI details -
    Reason A known CA SSL certificate in the certificate chain has been signed using a weak hashing algorithm.
    PCI details medium
    Port 993 / tcp / imap
    Host name -
    Host OS -
    Result

    The following known CA certificates were part of the certificate
    chain sent by the remote host, but contain hashes that are considered
    to be weak.

    |-Subject : C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
    |-Signature Algorithm : SHA-1 With RSA Encryption
    |-Valid From : May 30 10:48:38 2000 GMT
    |-Valid To : May 30 10:48:38 2020 GMT"

    I guess I am surprised that a certificate that is this recent would not have addressed the vulnerability in the CA chain.
    Anyone else have this problem?
     
  2. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    2,212
    Likes Received:
    159
    Trophy Points:
    143
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
Loading...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice