I need to disable TLS v1.0

[pski]

Per Trustwave:
TLS v1.0 violates PCI DSS and is
considered an automatic failing condition


I have the following line in SSL Cipher Suite:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP:!kEDH

 

[Serra]

I'm got got flagged for the same issue.

 

[cPanelMichael]

Hello,

The following document explains how to adjust the cipher protocols for the different services:

How to Adjust Cipher Protocols

Could you let us know the full output from the PCI scan regarding this particular change? For instance, is it for all services, or just for Apache?

Thank you.

 

[Serra]

Here is the error:

TLSv1.0 Supported: "The server should be configured to disable the use of TLSv1.0 protocol in favor of protocols such as TLSv1.1 and TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the TLSv1.0 protocol on this service is sufficient to address this finding."

Ports: 110, 143, 443, 465, 993, 995, 2078, 2083 and 2087.

They add that technically, it can be disputed until June 30th, 2016 if there is a formal risk mitigation in place.

So, it does appear that adjusting the cypher suite might not be enough, the protocol needs to be disabled. They do list the cypher suites that they flagged as TLSv1.0, so maybe, if those cypher suites are disabled, it will suffice.

Oddly, as this is Trustwave, and Trustwave likes to think it sets the rules, they do not provide a CVE for this issue.

 

[cPanelMichael]

Hello,

We have an open support ticket from a customer asking the same question, so I'll try to relay the information our analysts provided as best as possible. It's important to note that some services will not function for certain users if you remove support for TLSv1.0. Here's a quote from an analyst on disabling it:

For the web services, this can be done through WHM: Home »Service Configuration »cPanel Web Services Configuration, under the "TLS/SSL Protocols" field by adding !TLSv1 to the list.

For Dovecot you can add !TLSv1 through WHM: Home »Service Configuration »Mailserver Configuration under the "SSL Protocols" field. I've tested this and it disabled TLSv1.0 for me, while leaving 1.1/1.2 enabled.

The following response from one of our analysts is also helpful:

Hello,

To my understanding, the reason TLS 1.0 is no longer considered secure by PCI is due to a policy regarding CVE scores. Use of RC4 recently had CVE scores increased to be at the same level as the BEAST vulnerability which affects all other TLS 1.0 ciphers. I do not know the exact policy of PCI regarding this, but this issue was brought to my attention upon finding the following discussion:

https://code.google.com/p/chromium/issues/detail?id=375342#c44

From what I gather from the article to which you linked, it appears that TLSv1.0 support is only permitted when it can be demonstrated that every connecting client will be secure against attacks like BEAST, which have client-side mitigations in most (but not all) software.

I empathize with the customers of yours who continually call when their outdated devices and software stop working; perfectly serviceable programs should not stop working for no good reason; it should not be required to keep buying new devices and major software releases in order to continue to access services over the public Internet. However, the fact remains that such devices and software should be able to maintain acceptable security levels through active updates released by the vendors who provide such devices and software, even if no other features are updated on stable releases. Thus, I would recommend that, if you wish to maintain PCI compliance, you explain to customers who contact you what the problem is (all cryptographic ciphers supported by their outdated devices and software are no longer considered secure by the credit card vendors), who to contact about the problem (the developer of the software/platform or the wireless carrier though which the device was obtained), and what to request (that they provide support for TLS 1.1 and/or 1.2 for the device or software). Security is a process, and this means that an unchanging software base cannot remain secure without updates to keep it secure.

The alternative seems to be to forgo the approval of the PCI DSS. You can also explain the consequences of this to those who contact you.

Apologies that there is not more which we can do for you. I hope that you can negotiate a grace period with your compliance vendor. If you have any further questions or concerns, please feel free to contact us again.

Thank you.

 

[Serra]

It's important to note that some services will not function for certain users if you remove support for TLSv1.0.

Thanks for your input.

 

[grayloon]

One of my sites was just scanned by Trustwave. The report shows the following vulnerabilities:

• Port 21 - SSLv3 Supported
• Port 21 - TLSv1.0 Supported
• Port 443 - TLSv1.0 Supported
• Port 2083 - TLSv1.0 Supported
• Port 2087 - TLSv1.0 Supported

Is there an updated list of ciphers for Apache, FTP, cPanel, etc. to mitigate these vulnerabilities?

 

[cPanelMichael]

One of my sites was just scanned by Trustwave

I've moved your post to this thread. Please review the previous posts to this thread for more information.

Thank you.

 

[pski]

ok, so I added the: TLS/SSL Cipher List= ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH

and to the TLS/SSL Protocols I have= SSLv23:!SSLv2:!SSLv3:!TLSv1

Trustwave came back with the following. Image Attached

 

[pski]

using the following command, i am supposed to be able to see if the handshake occurs and the certificate is accepted.

openssl s_client -connect google.com:443 -ssl2

ssl2 failed as expected
ssl handshake failure:s2_pkt.c:429


openssl s_client -connect google.com:443 -ssl3
handshake accepted

 

[jestep]

Dealing with this as well on a handful of servers. Here's my configuration:

RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!aNULL:!EDH:!AESGCM

Problem is RC4-SHA is now a failing condition as well. I can't remove it, because it will essentially brick whatever service is trying to use SSL.

Does anyone have a passing ssl cipher condition?

 

[jestep]

There's another post about this but figured I'd start a specific one for this situation. Security metrics and other PCI ASV's are now considering RC4-SHA a failing cipher over TLS 1.0.

My previous cipher configuration was:

RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!aNULL:!EDH:!AESGCM

Removing RC4-SHA causes the server to throw an error:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

What's the best way to go about removing RC4-SHA and not breaking ssl?

 

[jestep]

Also, if anyone bricks their cpanel/whm interface, the file you need to correct is:

/var/cpanel/conf/cpsrvd/ssl_socket_args

then run:

/usr/local/cpanel/whostmgr/bin/whostmgr2 docpsrvdconfiguration

 

[pski]

I passed PCI today, on 3 different domains, my solution in this case was an edited cipher list as well, i added port 465 to DROP any incoming connection, I also have Mailserver and FTP server disabled. mail for those domains runs off our other server.

 

[Serra]

Trustwave came back with the following. Image Attached

Do you know what port that was on? Normally, the report gives more information than that.

 

[Serra]

There's another post about this but figured I'd start a specific one for this situation. Security metrics and other PCI ASV's are now considering RC4-SHA a failing cipher over TLS 1.0.

What's the best way to go about removing RC4-SHA and not breaking ssl?

Your server supports TLSv1.1 and TLSv1.2? If so, make sure there are some ciphers left on your list that work.

 

[grayloon]

I passed PCI today, on 3 different domains, my solution in this case was an edited cipher list as well, i added port 465 to DROP any incoming connection, I also have Mailserver and FTP server disabled. mail for those domains runs off our other server.

Can you provide your cipher and protocol lists?

 

[pski]

Port 465 was for mail. Even through I turned off the service the ports are still open.

Cipher List: ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-TLSv1:-EXP

Protocols List: SSLv23:!SSLv2:!SSLv3

 

[grayloon]

Cipher List: ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-TLSv1:-EXP
Protocols List: SSLv23:!SSLv2:!SSLv3

I'm still getting errors. Did you use these values for Apache, FTP, and cPanel Web Services? Those are the ones I'm trying to addresses with TrustWave.

 

[pski]

Cpanel Web Services, does you/your client NEED FTP service? if its just for a development stand point, it is easier to simple drop those ports and turn off that service within the sever. I did the same with email services, I use our other server for mail. I have the domain pointed there, and have email setup and then just point he A record to the website.