I need to disable TLS v1.0

pski

Active Member
Feb 5, 2015
32
0
6
Anchorage, Alaska
cPanel Access Level
Root Administrator
Per Trustwave:
TLS v1.0 violates PCI DSS and is
considered an automatic failing condition


I have the following line in SSL Cipher Suite:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP:!kEDH
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,213
363
Hello,

The following document explains how to adjust the cipher protocols for the different services:

How to Adjust Cipher Protocols

Could you let us know the full output from the PCI scan regarding this particular change? For instance, is it for all services, or just for Apache?

Thank you.
 

Serra

Well-Known Member
Oct 27, 2005
258
17
168
Florida
Here is the error:

TLSv1.0 Supported: "The server should be configured to disable the use of TLSv1.0 protocol in favor of protocols such as TLSv1.1 and TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the TLSv1.0 protocol on this service is sufficient to address this finding."

Ports: 110, 143, 443, 465, 993, 995, 2078, 2083 and 2087.

They add that technically, it can be disputed until June 30th, 2016 if there is a formal risk mitigation in place.

So, it does appear that adjusting the cypher suite might not be enough, the protocol needs to be disabled. They do list the cypher suites that they flagged as TLSv1.0, so maybe, if those cypher suites are disabled, it will suffice.

Oddly, as this is Trustwave, and Trustwave likes to think it sets the rules, they do not provide a CVE for this issue.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,213
363
Hello,

We have an open support ticket from a customer asking the same question, so I'll try to relay the information our analysts provided as best as possible. It's important to note that some services will not function for certain users if you remove support for TLSv1.0. Here's a quote from an analyst on disabling it:

For the web services, this can be done through WHM: Home »Service Configuration »cPanel Web Services Configuration, under the "TLS/SSL Protocols" field by adding !TLSv1 to the list.
For Dovecot you can add !TLSv1 through WHM: Home »Service Configuration »Mailserver Configuration under the "SSL Protocols" field. I've tested this and it disabled TLSv1.0 for me, while leaving 1.1/1.2 enabled.
The following response from one of our analysts is also helpful:

Hello,

To my understanding, the reason TLS 1.0 is no longer considered secure by PCI is due to a policy regarding CVE scores. Use of RC4 recently had CVE scores increased to be at the same level as the BEAST vulnerability which affects all other TLS 1.0 ciphers. I do not know the exact policy of PCI regarding this, but this issue was brought to my attention upon finding the following discussion:

https://code.google.com/p/chromium/issues/detail?id=375342#c44

From what I gather from the article to which you linked, it appears that TLSv1.0 support is only permitted when it can be demonstrated that every connecting client will be secure against attacks like BEAST, which have client-side mitigations in most (but not all) software.

I empathize with the customers of yours who continually call when their outdated devices and software stop working; perfectly serviceable programs should not stop working for no good reason; it should not be required to keep buying new devices and major software releases in order to continue to access services over the public Internet. However, the fact remains that such devices and software should be able to maintain acceptable security levels through active updates released by the vendors who provide such devices and software, even if no other features are updated on stable releases. Thus, I would recommend that, if you wish to maintain PCI compliance, you explain to customers who contact you what the problem is (all cryptographic ciphers supported by their outdated devices and software are no longer considered secure by the credit card vendors), who to contact about the problem (the developer of the software/platform or the wireless carrier though which the device was obtained), and what to request (that they provide support for TLS 1.1 and/or 1.2 for the device or software). Security is a process, and this means that an unchanging software base cannot remain secure without updates to keep it secure.

The alternative seems to be to forgo the approval of the PCI DSS. You can also explain the consequences of this to those who contact you.

Apologies that there is not more which we can do for you. I hope that you can negotiate a grace period with your compliance vendor. If you have any further questions or concerns, please feel free to contact us again.
Thank you.
 

grayloon

Well-Known Member
Oct 31, 2007
117
4
68
Evansville, IN
cPanel Access Level
Root Administrator
Twitter
One of my sites was just scanned by Trustwave. The report shows the following vulnerabilities:
  • Port 21 - SSLv3 Supported
  • Port 21 - TLSv1.0 Supported
  • Port 443 - TLSv1.0 Supported
  • Port 2083 - TLSv1.0 Supported
  • Port 2087 - TLSv1.0 Supported

Is there an updated list of ciphers for Apache, FTP, cPanel, etc. to mitigate these vulnerabilities?
 

pski

Active Member
Feb 5, 2015
32
0
6
Anchorage, Alaska
cPanel Access Level
Root Administrator
using the following command, i am supposed to be able to see if the handshake occurs and the certificate is accepted.

openssl s_client -connect google.com:443 -ssl2

ssl2 failed as expected
ssl handshake failure:s2_pkt.c:429


openssl s_client -connect google.com:443 -ssl3
handshake accepted
 

jestep

Well-Known Member
Dec 18, 2006
49
1
158
Dealing with this as well on a handful of servers. Here's my configuration:

RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!aNULL:!EDH:!AESGCM

Problem is RC4-SHA is now a failing condition as well. I can't remove it, because it will essentially brick whatever service is trying to use SSL.

Does anyone have a passing ssl cipher condition?
 

jestep

Well-Known Member
Dec 18, 2006
49
1
158
There's another post about this but figured I'd start a specific one for this situation. Security metrics and other PCI ASV's are now considering RC4-SHA a failing cipher over TLS 1.0.

My previous cipher configuration was:

RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!aNULL:!EDH:!AESGCM

Removing RC4-SHA causes the server to throw an error:

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

What's the best way to go about removing RC4-SHA and not breaking ssl?
 

jestep

Well-Known Member
Dec 18, 2006
49
1
158
Also, if anyone bricks their cpanel/whm interface, the file you need to correct is:

/var/cpanel/conf/cpsrvd/ssl_socket_args

then run:

/usr/local/cpanel/whostmgr/bin/whostmgr2 docpsrvdconfiguration
 

pski

Active Member
Feb 5, 2015
32
0
6
Anchorage, Alaska
cPanel Access Level
Root Administrator
I passed PCI today, on 3 different domains, my solution in this case was an edited cipher list as well, i added port 465 to DROP any incoming connection, I also have Mailserver and FTP server disabled. mail for those domains runs off our other server.
 

Serra

Well-Known Member
Oct 27, 2005
258
17
168
Florida
There's another post about this but figured I'd start a specific one for this situation. Security metrics and other PCI ASV's are now considering RC4-SHA a failing cipher over TLS 1.0.

What's the best way to go about removing RC4-SHA and not breaking ssl?
Your server supports TLSv1.1 and TLSv1.2? If so, make sure there are some ciphers left on your list that work.
 

grayloon

Well-Known Member
Oct 31, 2007
117
4
68
Evansville, IN
cPanel Access Level
Root Administrator
Twitter
I passed PCI today, on 3 different domains, my solution in this case was an edited cipher list as well, i added port 465 to DROP any incoming connection, I also have Mailserver and FTP server disabled. mail for those domains runs off our other server.
Can you provide your cipher and protocol lists?
 
Last edited:

pski

Active Member
Feb 5, 2015
32
0
6
Anchorage, Alaska
cPanel Access Level
Root Administrator
Cpanel Web Services, does you/your client NEED FTP service? if its just for a development stand point, it is easier to simple drop those ports and turn off that service within the sever. I did the same with email services, I use our other server for mail. I have the domain pointed there, and have email setup and then just point he A record to the website.