The Community Forums


I need to disable TLS v1.0

Discussion in 'Security' started by pski, Apr 21, 2015.

  1. pski

    pski Active Member

    Joined:
    Feb 5, 2015
    Messages:
    32
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Anchorage, Alaska
    cPanel Access Level:
    Root Administrator
    Per Trustwave: TLS v1.0 violates PCI DSS and is considered an automatic failing condition.

    I have the following line in SSL Cipher Suite:
    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP:!kEDH
     
  2. Serra

    Serra Well-Known Member

    Joined:
    Oct 27, 2005
    Messages:
    213
    Likes Received:
    4
    Trophy Points:
    18
    Location:
    Florida
    I got flagged for the same issue.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    The following document explains how to adjust the cipher protocols for the different services:

    How to Adjust Cipher Protocols

    Could you let us know the full output from the PCI scan regarding this particular change? For instance, is it for all services, or just for Apache?

    Thank you.
     
  4. Serra

    Serra Well-Known Member

    Here is the error:

    TLSv1.0 Supported: "The server should be configured to disable the use of TLSv1.0 protocol in favor of protocols such as TLSv1.1 and TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the TLSv1.0 protocol on this service is sufficient to address this finding."

    Ports: 110, 143, 443, 465, 993, 995, 2078, 2083 and 2087.

    They add that technically, it can be disputed until June 30th, 2016 if there is a formal risk mitigation in place.

    So, it does appear that adjusting the cipher suite might not be enough; the protocol needs to be disabled. They do list the cipher suites that they flagged as TLSv1.0, so maybe, if those cipher suites are disabled, it will suffice.

    Oddly, as this is Trustwave, and Trustwave likes to think it sets the rules, they do not provide a CVE for this issue.
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    We have an open support ticket from a customer asking the same question, so I'll try to relay the information our analysts provided as best as possible. It's important to note that some services will not function for certain users if you remove support for TLSv1.0. Here's a quote from an analyst on disabling it:

    The following response from one of our analysts is also helpful:

    Thank you.
     
  6. Serra

    Serra Well-Known Member

    Thanks for your input.
     
  7. grayloon

    grayloon Well-Known Member

    Joined:
    Oct 31, 2007
    Messages:
    98
    Likes Received:
    2
    Trophy Points:
    8
    Location:
    Evansville, IN
    cPanel Access Level:
    Root Administrator
    One of my sites was just scanned by Trustwave. The report shows the following vulnerabilities:
    • Port 21 - SSLv3 Supported
    • Port 21 - TLSv1.0 Supported
    • Port 443 - TLSv1.0 Supported
    • Port 2083 - TLSv1.0 Supported
    • Port 2087 - TLSv1.0 Supported

    Is there an updated list of ciphers for Apache, FTP, cPanel, etc. to mitigate these vulnerabilities?
     
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    I've moved your post to this thread. Please review the previous posts to this thread for more information.

    Thank you.
     
  9. pski

    pski Active Member

    OK, so I added the TLS/SSL Cipher List: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH

    and for the TLS/SSL Protocols I have: SSLv23:!SSLv2:!SSLv3:!TLSv1

    Trustwave came back with the following (image attached).
     


  10. pski

    pski Active Member

    Using the following command, I am supposed to be able to see if the handshake occurs and the certificate is accepted.

    openssl s_client -connect google.com:443 -ssl2

    ssl2 failed as expected
    ssl handshake failure:s2_pkt.c:429

    openssl s_client -connect google.com:443 -ssl3
    handshake accepted
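The check pski runs above, extended to each TLS version in turn, as an added example that is not part of the thread and not cPanel's code. It pins a Python ssl client context to one protocol version at a time and reports whether the server completes the handshake, which is what `openssl s_client -tls1`, `-tls1_1` and `-tls1_2` do one flag at a time. The host and port are placeholders for a server you administer; the `DEFAULT:@SECLEVEL=0` cipher setting only lowers the probing client's own restrictions so that an OpenSSL 3 client can offer TLS 1.0 at all, otherwise a local refusal would be misread as the server rejecting the version.

```python
"""Probe which TLS protocol versions a server will complete a handshake at.

Added example; not code from the thread or from cPanel. The host/port are
placeholders: point it at a server you administer.
"""
import socket
import ssl
import sys

# Versions to probe, oldest first. SSLv2/SSLv3 are not offered by modern
# OpenSSL builds, so they are left out; TLSv1 (1.0) is the one the scan flags.
VERSIONS = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)
# Anything at or below this counts as a finding. The scan in the thread flags
# TLSv1.0; TLSv1.1 is included here because it was deprecated soon after.
LEGACY_MAX = ssl.TLSVersion.TLSv1_1


def pinned_context(version):
    """Client context that will negotiate exactly `version` and nothing else.

    Certificate checking is off on purpose: the question is protocol
    acceptance, not certificate validity (openssl s_client behaves the same).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # Security level 0 lets an OpenSSL 3 client offer TLS 1.0/1.1 at all;
        # without it the probe fails locally and would look like a rejection.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without security levels reject the @SECLEVEL token
    return ctx


def probe_version(host, port, version, timeout=5.0):
    """One pinned handshake: 'accepted', 'rejected', 'unreachable' or 'unsupported'."""
    try:
        ctx = pinned_context(version)
    except ValueError:
        return "unsupported"  # this version is compiled out of the local OpenSSL
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # Reaching here means the server finished a handshake at `version`.
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError:
        return "rejected"      # alert from the server, or dropped mid-handshake
    except OSError:
        return "unreachable"   # refused, filtered, or timed out before TLS began


def probe_all(host, port):
    """Map of version name -> verdict, e.g. {'TLSv1': 'rejected', ...}."""
    return {v.name: probe_version(host, port, v) for v in VERSIONS}


def legacy_findings(results):
    """Legacy versions the server accepted; an empty list is what the scan wants."""
    return [name for name, verdict in results.items()
            if verdict == "accepted" and ssl.TLSVersion[name] <= LEGACY_MAX]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results = probe_all(host, port)
    for name, verdict in results.items():
        print(f"{name:<8} {verdict}")
    bad = legacy_findings(results)
    print("legacy protocols accepted:", ", ".join(bad) if bad else "none")
```

Run it as `python3 probe_tls.py your.server.example 2083` for each of the ports listed in the scan report (443, 2083, 2087, 993, 995, and so on); a service is clean for this finding only when TLSv1 and TLSv1_1 both come back as "rejected" while TLSv1_2 or TLSv1_3 is "accepted". Note that this is a protocol check, not a cipher check: the cPanel "TLS/SSL Protocols" setting is what decides it, and the cipher list alone cannot.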
     
  11. jestep

    jestep Active Member

    Joined:
    Dec 18, 2006
    Messages:
    42
    Likes Received:
    0
    Trophy Points:
    6
    Dealing with this as well on a handful of servers. Here's my configuration:

    RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!aNULL:!EDH:!AESGCM

    The problem is that RC4-SHA is now a failing condition as well. I can't remove it, because it will essentially brick whatever service is trying to use SSL.

    Does anyone have a passing SSL cipher configuration?
     
  12. jestep

    jestep Active Member

    There's another post about this, but I figured I'd start a specific one for this situation. SecurityMetrics and other PCI ASVs are now considering RC4-SHA a failing cipher over TLS 1.0.

    My previous cipher configuration was:

    RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!aNULL:!EDH:!AESGCM

    Removing RC4-SHA causes the server to throw an error:

    ERR_SSL_VERSION_OR_CIPHER_MISMATCH

    What's the best way to go about removing RC4-SHA without breaking SSL?
     
  13. jestep

    jestep Active Member

    Also, if anyone bricks their cPanel/WHM interface, the file you need to correct is:

    /var/cpanel/conf/cpsrvd/ssl_socket_args

    then run:

    /usr/local/cpanel/whostmgr/bin/whostmgr2 docpsrvdconfiguration
     
  14. pski

    pski Active Member

    I passed PCI today on 3 different domains. My solution in this case was an edited cipher list as well; I added port 465 to DROP any incoming connection, and I also have the mail server and FTP server disabled. Mail for those domains runs off our other server.
     
  15. Serra

    Serra Well-Known Member

    Do you know what port that was on? Normally, the report gives more information than that.
     
  16. Serra

    Serra Well-Known Member

    Your server supports TLSv1.1 and TLSv1.2? If so, make sure there are some ciphers left on your list that work.
     
  17. grayloon

    grayloon Well-Known Member

    Can you provide your cipher and protocol lists?
     
    #17 grayloon, Apr 30, 2015
  18. pski

    pski Active Member

    Port 465 was for mail. Even though I turned off the service, the ports are still open.

    Cipher List: ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-TLSv1:-EXP

    Protocols List: SSLv23:!SSLv2:!SSLv3
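Before pushing a cipher list like jestep's (posts 11 and 12) or pski's (post 18) into cpsrvd, Apache or the mail services, it is worth asking the local OpenSSL what the string actually expands to. The following added example (not from the thread and not cPanel's code) does that through Python's ssl module: it returns the suites that survive the string, flags names a PCI ASV would object to, and reports a string that leaves no negotiable suite at all, which is one way to end up with the ERR_SSL_VERSION_OR_CIPHER_MISMATCH jestep saw. The cipher lists embedded are the ones quoted in the thread; the output depends on the OpenSSL build the script runs against (default builds since OpenSSL 1.1.0 leave out RC4, SSLv2 and export suites, and OpenSSL silently ignores tokens it does not know).

```python
"""Expand an OpenSSL cipher string locally and see what a server would really offer.

Added example; not code from the thread or from cPanel. The cipher lists below
are the ones quoted in the thread; the result depends on the OpenSSL build
this runs against.
"""
import ssl

# Cipher lists as posted: jestep's (posts 11/12), the same list with RC4-SHA
# removed, and pski's (post 18).
JESTEP = ("RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:"
          "!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:"
          "!RC2-CBC-MD5:!MD5:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!aNULL:!EDH:!AESGCM")
JESTEP_NO_RC4 = JESTEP.replace("RC4-SHA:", "", 1)
PSKI = "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-TLSv1:-EXP"

# Substrings of a suite name that a PCI ASV objects to: RC4, NULL/anonymous
# (ADH, AECDH), export, (3)DES and MD5-based suites. A heuristic on names,
# not a full policy.
WEAK_MARKERS = ("RC4", "NULL", "EXP", "ADH", "AECDH", "DES", "MD5")


def effective_ciphers(cipher_string):
    """Suite names OpenSSL would offer for TLS 1.2 and below, given this string.

    Tokens OpenSSL does not know (e.g. RC4-SHA or -SSLv2 on a build without
    them) are silently ignored, exactly as the server would ignore them.
    Raises ssl.SSLError ("No cipher can be selected") when nothing survives.
    TLS 1.3 suites live in a separate list and are filtered out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Summarize a cipher string: is it usable, how many suites, which look weak."""
    try:
        names = effective_ciphers(cipher_string)
    except ssl.SSLError:
        # Nothing left to negotiate: a server started with this string can only
        # fail the handshake, which a browser reports as a version/cipher mismatch.
        return {"usable": False, "count": 0, "weak": []}
    weak = [n for n in names if any(marker in n for marker in WEAK_MARKERS)]
    return {"usable": True, "count": len(names), "weak": weak}


if __name__ == "__main__":
    for label, cipher_string in (("jestep", JESTEP),
                                 ("jestep without RC4-SHA", JESTEP_NO_RC4),
                                 ("pski", PSKI)):
        report = audit(cipher_string)
        print(f"{label}: usable={report['usable']} suites={report['count']} "
              f"weak={report['weak'] or 'none'}")
```

Two things this makes visible that the thread argues about: on a modern OpenSSL, jestep's list still has plenty of suites once RC4-SHA is gone, so a mismatch error after removing it comes from the clients (older browsers or mail clients that only share RC4 with the server), not from the server having nothing to offer; and a string that expands to nothing fails at `set_ciphers` time, which is the same "No cipher can be selected" a service would hit at startup.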
     
  19. grayloon

    grayloon Well-Known Member

    I'm still getting errors. Did you use these values for Apache, FTP, and cPanel Web Services? Those are the ones I'm trying to address with Trustwave.
     
  20. pski

    pski Active Member

    cPanel Web Services. Do you/your client NEED the FTP service? If it's just for development, it is easier to simply drop those ports and turn off that service within the server. I did the same with email services; I use our other server for mail. I have the domain pointed there and have email set up, and then just point the A record to the website.
     