oh ok, well what exactly if the scann saying? Is there a port it is detecting an un secure connection on? Check if that port is open, and then either disable/drop it. given it is not your secure port.
i used yougetsignal.com/tools/open-ports/ to check ports.
i used yougetsignal.com/tools/open-ports/ to check ports.
Last edited by a moderator:
I disabled TLS1.0 and the Trustwave PCI scan passed. But now I'm running into a few other issues:
1. Most email clients cannot send email over SMTP port 465 because they do not renegotiate the connection to TLS1.1/1.2. This is happening with Outlook, Mac Mail, iOS, Android... Thunderbird is the only one that can send email.
2. If I login to webmail, I'm not able to use Horde (Roundcube and SquirrelMail work fine). It seems it is because of the same problem, Horde is unable to authenticate.
3. I use the cpanel XML-API to connect to the server over SSL to run some scripts. But now the script is not able to connect to the server with an SSL Connect error message, and the scripts don't execute.
1. Most email clients cannot send email over SMTP port 465 because they do not renegotiate the connection to TLS1.1/1.2. This is happening with Outlook, Mac Mail, iOS, Android... Thunderbird is the only one that can send email.
2. If I login to webmail, I'm not able to use Horde (Roundcube and SquirrelMail work fine). It seems it is because of the same problem, Horde is unable to authenticate.
3. I use the cpanel XML-API to connect to the server over SSL to run some scripts. But now the script is not able to connect to the server with an SSL Connect error message, and the scripts don't execute.
I am as new to this as many, i assume you purchased an wildcard SSL for your vps?, this would be for the primary domain on the server. and with the most recent changes with TLS 1.0 not being allowed, i imaging there will be some conflicts, i need to see what the latest developments are for either a 1.3 that is to fix the issue with 1.0, or a server fix that will allow 1.0 to be utilized on server. sorry i cant be more help.
What services will not function for what users? This is very important to know and to understand, before making this change.
Any additional information here would be MUCH appreciated.
- Scott
All services will remain running, but they won't be accessible by users running older software applications. The following quotes from an analyst explains this further:
Thank you.
grayloon
Well-Known Member
I'm still struggling to get my FTP server to pass the scan. I've tried several different cipher suites that are supposed to pass. Unfortunately, I don't think I can force Pure-FTPd to use TLSv1.1 or TLSv1.2. If TLS is enabled, then Pure-FTPd automatically accepts TLSv1.0 connections. Can anyone confirm?
BTW, I'm testing with: openssl s_client -connect localhost:21 -starttls ftp -tls1
BTW, I'm testing with: openssl s_client -connect localhost:21 -starttls ftp -tls1
I've seen one report where changing the "TLS Cipher Suite" in "WHM Home » Service Configuration » FTP Server Configuration" to "!SSLv3" only allows TLSv1.2.
Thank you.
This one should work:
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
Make sure you are using -SSLv2 -SSLv3 for protocols
EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
Make sure you are using -SSLv2 -SSLv3 for protocols
Disregard. This breaks email. Still trying to figure one out that doesn't break FTP, email, or web access.
Still an issue with RC4. Can't connect even over TLS from my email clients. If I remove !RC4, I can connect to POP and SMTP again. Really have no idea how to get around this at this point.
Last edited:
It does appear that removing TLSv1 from dovecot breaks Outlook. It appears to work on newer devices and operating systems, but Outlook 2007 will not work. I'm still testing other versions. Technically we have until June 2016 to remove TLSv1, so we have time.
Edit. I'm seeing a lot of issues, but one that really throws a wrench into this is that the cPanel ports still accept TLSv1, so even if I were to magically fix mail and ftp, I'd still fail for cPanel ports.
For Apache:
SSL/TLS Protocols: all -SSLv3 -TLSv1
Code:
SSL Cipher Suite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
Last edited:
Ok, still having many issues with mail. I'm seeing this TLSv1 : DHE-RSA-AES128-SHA, no idea where that cypher is being used, but it show up on several ports 110, 143, 465, 993, 995.
465 is also showing 15 TLSv1 cyphers.
Fixed cPanel ports here:
(Home >> Service Configuration >> cPanel Web Services Configuration)
TLS/SSL Cipher List: ALL:!ADH:+HIGH:-MEDIUM:-LOW:-SSLv2:-EXP
TLS/SSL Protocols: SSLv23:!SSLv2:!SSLv3:!TLSv1
FTP Server Configuration
HIGH:!TLSv1:!SSLv2:!SSLv3:!ADH:!aNULL:!eNULL:!NULL
Testing.....
Dovecot
AES128+EECDH:AES128+EDH
This configuration does break Outlook 2007.
Exim
openssl_options +no_sslv2 +no_sslv3 +no_tlsv1
For Apache, I gave my cypher suite above, you can verify your cypher suite works with your install using this tool:
https://mozilla.github.io/server-si...0&openssl=0.9.8&hsts=yes&profile=intermediate
465 is also showing 15 TLSv1 cyphers.
Fixed cPanel ports here:
(Home >> Service Configuration >> cPanel Web Services Configuration)
TLS/SSL Cipher List: ALL:!ADH:+HIGH:-MEDIUM:-LOW:-SSLv2:-EXP
TLS/SSL Protocols: SSLv23:!SSLv2:!SSLv3:!TLSv1
FTP Server Configuration
HIGH:!TLSv1:!SSLv2:!SSLv3:!ADH:!aNULL:!eNULL:!NULL
Testing.....
Dovecot
AES128+EECDH:AES128+EDH
This configuration does break Outlook 2007.
Exim
openssl_options +no_sslv2 +no_sslv3 +no_tlsv1
For Apache, I gave my cypher suite above, you can verify your cypher suite works with your install using this tool:
https://mozilla.github.io/server-si...0&openssl=0.9.8&hsts=yes&profile=intermediate
Last edited:
Using the above settings, I'm down to one final issue.
The scanner is showing DHE-RSA-AES128-SHA on ports 110,143,993 & 995. So I've missed something on Dovecot. The rest of the system was secure and TLSv1 was removed.
The downside is I had to stop testing because customers started to check mail after the long weekend and all of the XP and Outlook 2007 users were broken. Basically, the requirement to remove TLSv1 makes a large segment of customers unable to connect. Until large businesses such as Amazon start meeting this requirement or some media attention toward this problem is address, I doubt small businesses will be able to comply without alienating their customers.
The scanner is showing DHE-RSA-AES128-SHA on ports 110,143,993 & 995. So I've missed something on Dovecot. The rest of the system was secure and TLSv1 was removed.
The downside is I had to stop testing because customers started to check mail after the long weekend and all of the XP and Outlook 2007 users were broken. Basically, the requirement to remove TLSv1 makes a large segment of customers unable to connect. Until large businesses such as Amazon start meeting this requirement or some media attention toward this problem is address, I doubt small businesses will be able to comply without alienating their customers.
Due to the impossibility of meeting the PCI DSS 3.1 requirement of removing TLSv1, I've decided to go a different route until June of 2016, when everyone must meet the requirement. I'm going to submit a mitigation document to be excluded from the requirement. The document can be found here:
https://www.trustwave.com/Resources/Library/Documents/PCI-3-1-Risk-Plan-Template/
This will allow us to transition to the new requirement when larger businesses have already done so. Trying to meet the requirement at this time is impossible because the majority of customers simply can't access the server if we are meeting this requirement.
https://www.trustwave.com/Resources/Library/Documents/PCI-3-1-Risk-Plan-Template/
This will allow us to transition to the new requirement when larger businesses have already done so. Trying to meet the requirement at this time is impossible because the majority of customers simply can't access the server if we are meeting this requirement.
Yes, for Dovecot or Courier, both will break Outlook 2007 as it doesn't support TLSv1.1. There is no way we can support Outlook 2007 or Microsoft XP and be PCI-DSS 3.1 complaint! On the Apache side, we can't support anything lower than Windows 7, with the service pack and IE 11. I'm telling you this is ugly.
I haven't submitted it yet. Seems like the plan is fairly simple. I don't see too much resistance from them. They are not PCI-DSS 3.1 complaint either! I'll be submitting in the next day or so.
I had no users report issues with anything other than 2007. What operating system and version is your openssl. It has to support TLSv1.1 or TLSv1.2 or no one can connect.
CENTOS 6.6 x86_64, OpenSSL 1.0.1e-fips
If I add +no_tlsv1 to my exim configuration, none of our email clients are able to send through the server.
