The Community Forums


How to prevent SSLv2 from being supported on cpanel

Discussion in 'Security' started by canfone, Jun 11, 2007.

  1. canfone

    Hi There,

    I am working with a client to receive PCI Certification and the reporting tool that is being used finds issues with the support of SSLv2 on cpanel SSL ports:

    2083/General remote services (tcp)
    2087/General remote services (tcp)

    and others:

    SSL Server Supports Weak Encryption Vulnerability

    I have followed the recommendations and added these lines to the httpd.conf, which has taken care of SSL on 443:

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

    Does anyone know how I can disable SSLv2 on cpanel ports?


    cPanel ticket: 195603 opened
     
    #1 canfone, Jun 11, 2007
    Last edited: Jun 11, 2007
  2. shashank

    Hello,

    I am not sure how to do this with the new cPanel native SSL support. Until cPanel provides you with a fix, you can do the following.

    edit /var/cpanel/cpanel.config and change nativessl=1 to nativessl=0 . This will make cpanel use stunnel again.

    Then you should edit /usr/local/cpanel/etc/stunnel/default/stunnel.conf and add

    options = NO_SSLv2 just below the Authentication stuff and restart cpanel.

    SSLv2 support for all cPanel ports will now be disabled. You can test this like so:

    Code:
    $ openssl s_client -host serversipadress -port 2083 -verify -debug -ssl2
    verify depth is 0
    CONNECTED(00000003)
    write:errno=104
    
    SSLv3 and TLSv1 will still work; you can test it using:

    Code:
    $ openssl s_client -host serversipaddress -port 2083 -verify -debug -ssl3
    verify depth is 0
    CONNECTED(00000003)
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=server.mydomain.com/emailAddress=ssl.net
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=server.mydomain.com/emailAddress=ssl.net
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=server.mydomain.com/emailAddress=ssl.net
       i:/C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=server.mydomain.com/emailAddress=ssl.net
    .....
    .....
    .....
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1065 bytes and written 312 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : AES256-SHA
        Session-ID: 4D82505199748AEF3D1F5447A87C19C15A8D1B71E41811EC88CB51377BBEAC66
        Session-ID-ctx:
        Master-Key: 7678931110FC624DFA6BE32D41B36940F90F0DB9CB0F757893196342D5BABEB11DD0758E8CE5EDE07A4ED809123A9415
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1188882223
        Timeout   : 7200 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    
    Please let me know if you have any questions.
     
  3. tvcnet

    Hi,
    The solution did not work for me:
    [/usr/lib/courier-imap/etc]# openssl s_client -host localhost -port 2083 -verify -debug -ssl2
    verify depth is 0
    CONNECTED(00000003)
    depth=0 /C=US/2.5.4.17=91977
    <snip>
    </snip>
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFUTCCBDmgAwIBAgIRANDQ8hx8wAkj77o4zhjqF4MwDQYJKoZIhvcNAQEFBQAw
    <snip>
    </snip>
    Ciphers common between both SSL endpoints:
    RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5
    EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
    RC4-64-MD5
    ---
    SSL handshake has read 1501 bytes and written 239 bytes
    ---
    New, SSLv2, Cipher is DES-CBC3-MD5
    Server public key is 1024 bit
    SSL-Session:
    Protocol : SSLv2
    Cipher : DES-CBC3-MD5
    Session-ID: B7290903DF00B9FF4188F644B0AEDCFD
    Session-ID-ctx:
    Master-Key: 9F6863869BD2A06EB864B14151844AA517282907FC717466
    Key-Arg : A9FE8723537063D9
    Krb5 Principal: None
    Start Time: 1215032268
    Timeout : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

    Is this still the standard workaround?
     
  4. shashank

    I am not sure if there is an official fix out from cPanel yet on this, but I have tested this even today and even had a friend test it, and it works for us. It seems a cPanel restart is needed in your case. Try running /usr/local/cpanel/startup after you have made the change.
     
  5. dredding

    I am also curious as to how this can be achieved using nativessl.
     
  6. Dathorn_ADT

    I actually just opened a ticket on this very issue yesterday and was told that this can only be changed using the old stunnel implementation. Not a great solution IMO. Perhaps some day they will take PCI compliance seriously.
     
  7. rpertiet

    I just went through this on our site and am now PCI DSS compliant.

    *** For Apache:

    1) Add to HTTPD.CONF

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!kEDH

    Then run

    Code:
    /usr/local/apache/bin/apachectl configtest

    to ensure you did not break the configuration file. If it says OK then run

    Code:
    /usr/local/cpanel/bin/apache_conf_distiller --update --main

    to save the changes and finally restart Apache

    Verify that SSL v2 is disabled by running the following commands (change HOSTNAME.com to your server's correct hostname):

    Code:
    openssl s_client -ssl2 -connect hostname.com:443
    This should fail with an ssl handshake failure message


    Code:
    wget --spider --secure-protocol=SSLv2 https://hostname.com/
    This should fail with an Unable to establish SSL connection message


    *** To limit smtps to SSLv3 and TLS, add the following to /etc/exim.conf

    Code:
    tls_require_ciphers = SSLv3:TLS
    And then restart exim.

    You can then test with the following command:

    Code:
    openssl s_client -ssl2 -connect your.hostname.com:465
    Try that using each of the following: -ssl2, -ssl3 and -tls1. It should now only work when using -ssl3 or -tls1. It should fail when you use -ssl2; you'll see something like this at the end and it will drop your connection:


    Code:
    28120:error:1406D0B8:SSL routines:GET_SERVER_HELLO:no cipher list:s2_clnt.c:450:


    *** Securing your Courier IMAP:
    Locate and open imapd-ssl file (typically found in /usr/lib/courier-imap/etc/). Add the following directives and file locations:

    Code:
    TLS_PROTOCOL=SSL3

    *** Securing your POP3:
    Locate and open pop3d-ssl file (typically found in /usr/lib/courier-imap/etc/). Add the following directives:

    TLS_PROTOCOL=SSL3

    Then restart POP3 and IMAP and that's it for SSLv3.
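    As an added example (not from the thread, cPanel or any poster), a small Python probe that does what the `openssl s_client -ssl2` checks in the posts above do: it sends a bare SSLv2 CLIENT-HELLO to a port and reports whether the server answers with an SSLv2 SERVER-HELLO (listing the SSLv2 ciphers it offers), drops the connection (the write:errno=104 seen in the thread) or replies with an SSLv3/TLS alert. It does not need an OpenSSL build that still ships `-ssl2`; the host, the port list and the classification labels are this example's own assumptions.

```python
import os
import socket
import struct
# SSLv2 CIPHER-KIND codes (3 bytes each), named as openssl s_client prints them
SSLV2_CIPHERS = {
    "RC4-MD5": b"\x01\x00\x80", "EXP-RC4-MD5": b"\x02\x00\x80",
    "RC2-CBC-MD5": b"\x03\x00\x80", "EXP-RC2-CBC-MD5": b"\x04\x00\x80",
    "IDEA-CBC-MD5": b"\x05\x00\x80", "DES-CBC-MD5": b"\x06\x00\x40",
    "DES-CBC3-MD5": b"\x07\x00\xc0",
}
CODE_TO_NAME = {code: name for name, code in SSLV2_CIPHERS.items()}

def build_client_hello(challenge=None):
    """Return an SSLv2 record carrying a CLIENT-HELLO that offers every SSLv2 cipher."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS.values())
    body = (b"\x01\x00\x02"                               # msg type 1 (CLIENT-HELLO), version 0x0002
            + struct.pack(">HHH", len(specs), 0, len(challenge))   # cipher/session-id/challenge lengths
            + specs + challenge)                          # no session id is sent
    return struct.pack(">H", 0x8000 | len(body)) + body   # 2-byte record header, no padding

def parse_reply(data):
    """Classify the server's first record: (status, list of SSLv2 ciphers it offered)."""
    if len(data) < 3:
        return ("closed", [])                             # RST/EOF, the thread's write:errno=104
    if data[0] == 0x15 and data[1] == 0x03:
        return ("tls_alert", [])                          # server answered with an SSLv3/TLS alert
    body = data[2:] if data[0] & 0x80 else data[3:]       # 2-byte or 3-byte SSLv2 record header
    if len(body) < 11 or body[0] != 0x04:                 # 0x04 = SERVER-HELLO
        return ("no_server_hello", [])
    _hit, _ctype, _ver, cert_len, spec_len, _cid_len = struct.unpack(">BBHHHH", body[1:11])
    specs = body[11 + cert_len:11 + cert_len + spec_len]  # cipher specs follow the certificate
    names = [CODE_TO_NAME.get(specs[i:i + 3], "?") for i in range(0, len(specs), 3)]
    return ("sslv2", names)

def probe(host, port, timeout=5.0):
    """Send the CLIENT-HELLO to host:port and classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            data = sock.recv(4096)
    except ConnectionResetError:
        data = b""                                        # server reset us: SSLv2 refused
    except OSError as exc:
        return ("error: %s" % exc, [])                    # refused/unreachable/timeout
    return parse_reply(data)

if __name__ == "__main__":   # ports from the thread plus Courier's IMAP/POP3 SSL ports (assumed host)
    for port in (443, 465, 993, 995, 2078, 2083, 2087):
        print(port, probe("localhost", port))
```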
     
  8. tvcnet

    For HTTPS, POP3 and IMAP, I had no problems implementing the fixes. I'm double checking the cpanel configuration right now.
     
  9. tvcnet

    Issue almost resolved:

    [/usr/lib/courier-imap/etc]# ps auxww | grep stunnel
    cpanel 31688 1.2 0.0 4064 1564 ? Ss 09:48 0:00 /usr/sbin/stunnel /usr/local/cpanel/etc/stunnel/mycabundle/stunnel.conf.run

    I edited that file and now it seems to work:
    root@vs08 [/usr/lib/courier-imap/etc]# openssl s_client -host localhost -port 2083 -verify -debug -ssl2
    verify depth is 0
    CONNECTED(00000003)
    write:errno=104

    Double checking with ssl3:
    [/usr/lib/courier-imap/etc]# openssl s_client -host localhost -port 2083 -verify -debug -ssl3
    <snip>
    SSL handshake has read 1543 bytes and written 312 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 1024 bit
    SSL-Session:
    Protocol : SSLv3

    port 2078:
    openssl s_client -host vs08 -port 2078 -verify -debug -ssl2
    <snip>
    Ciphers common between both SSL endpoints:
    RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5
    EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
    RC4-64-MD5
    ---
    SSL handshake has read 1501 bytes and written 239 bytes
    ---
    New, SSLv2, Cipher is DES-CBC3-MD5
    Server public key is 1024 bit
    SSL-Session:
    Protocol : SSLv2

    Why would port 2078 be the exception?
     
    #9 tvcnet, Jul 3, 2008
    Last edited: Jul 3, 2008
  10. carock

    I edited both stunnel.conf files shown in this thread, but my cPanel still accepts SSL V2.

    What else can it be using?

    Chuck
     
  11. carock

    cPanel support fixed me. I missed editing the /var/cpanel/cpanel.config file.

    My bad :rolleyes:
     
  12. carock

    All the changes I made to the stunnel config have reverted back. I guess upcp "fixed" the changes. Now it supports SSL v2 again!!! :mad:

    Is there a more permanent fix for the stunnel config?

    Chuck
     
  13. inetbizo

    Nice buggy report

    http://bugzilla.cpanel.net/show_bug.cgi?id=6413 the cpanel bugzilla report

    http://forums.cpanel.net/showthread.php?t=87113 the linked forum post for the bug report

    stunnel is not the way to go. And I quote:

    I do not know of any links that explain how to switch to stunnel. I would recommend that you do not switch to stunnel as well.

    Sincerely,

    Steven King
    Systems Administrator
    Help Desk Specialist
    CompTIA A+ Certified Professional
    CompTIA Linux+ Certified Professional

    Liquid Web, Inc.
    support@liquidweb.com
    800.580.4985
    517.322.0434 Int.
     
  14. carock

    cPanel support says stunnel is fine, they just are not maintaining it or adding anything special for it like they can and do with their own SSL drive.

    With cPanel support help, I have a script that will automatically run after upcp to put the modification back for stunnel config.

    The file /scripts/postupcp when it exists will automatically be called by the nightly upcp script.

    My postupcp file has this code in it to re-apply the SSLv2 fix to the stunnel.conf.

    Code:
    #!/bin/sh
    # /scripts/postupcp: re-apply the NO_SSLv2 option after upcp has rewritten the stunnel config
    conf=/usr/local/cpanel/etc/stunnel/mycabundle/stunnel.conf
    
    # backup current stunnel config
    cp "$conf" "$conf-backup"
    
    # check for the config line already being there; if so, skip the modification
    if ! grep -q "options = NO_SSLv2" "$conf"
    then
            echo "stunnel.conf NO_SSLv2 option not found"
            # insert the option line above the debugging section, i.e. under the authentication stuff
            # (the one-line form of the sed "i" command is GNU sed syntax)
            sed '/# Some debugging stuff/i options = NO_SSLv2' "$conf" > "$conf.1"
            mv "$conf.1" "$conf"
            # restart cPanel so stunnel picks up the change
            /etc/init.d/cpanel restart
    fi
    # if the line already exists in the stunnel config, do nothing
    exit 0
    
    That has been working for several days now and allows my server to pass the SSLv2 security tests after making all the other modifications from the top of this thread.

    Thanks,
    Chuck
     
  15. inetbizo

    Fixing the real problem

    Adding the correct Net::SSLeay::ssl_version=3 to /usr/local/cpanel/chksrvd-ssl shouldn't be so hard? If this is the compiled binary to call chksrvd-ssl? They've had PLENTY of time to fix this issue!
     
  16. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

  17. vikins

  18. grayloon

  19. tcwebguy

    Thank you!!

    Please treat this as a high priority security issue, as it is considered that by the PCI scans.
     
  20. EWD

    Hi cpanelkenneth,

    Do you guys have an ETA on this?
    Getting murdered with upset customers not passing PCI scans.

    Thanks ;)
     