I need to disable TLS v1.0

pski

Active Member
Feb 5, 2015
Anchorage, Alaska
cPanel Access Level
Root Administrator
Oh ok, well what exactly is the scan saying? Is there a port it is detecting an unsecure connection on? Check if that port is open, and then either disable/drop it, given it is not your secure port.

I used yougetsignal.com/tools/open-ports/ to check ports.
 

Jay Asher

Member
Feb 1, 2015
cPanel Access Level
Root Administrator
I disabled TLS1.0 and the Trustwave PCI scan passed. But now I'm running into a few other issues:

1. Most email clients cannot send email over SMTP port 465 because they do not renegotiate the connection to TLS1.1/1.2. This is happening with Outlook, Mac Mail, iOS, Android... Thunderbird is the only one that can send email.

2. If I log in to webmail, I'm not able to use Horde (Roundcube and SquirrelMail work fine). It seems it is because of the same problem: Horde is unable to authenticate.

3. I use the cpanel XML-API to connect to the server over SSL to run some scripts. But now the script is not able to connect to the server with an SSL Connect error message, and the scripts don't execute.
 

pski

Active Member
Feb 5, 2015
Anchorage, Alaska
cPanel Access Level
Root Administrator
I am as new to this as many. I assume you purchased a wildcard SSL for your VPS? This would be for the primary domain on the server, and with the most recent changes with TLS 1.0 not being allowed, I imagine there will be some conflicts. I need to see what the latest developments are for either a 1.3 that is to fix the issue with 1.0, or a server fix that will allow 1.0 to be utilized on the server. Sorry I can't be more help.
 

sneader

Well-Known Member
Aug 21, 2003
La Crosse, WI
cPanel Access Level
Root Administrator
It's important to note that some services will not function for certain users if you remove support for TLSv1.0.
What services will not function for what users? This is very important to know and to understand, before making this change.

Any additional information here would be MUCH appreciated.

- Scott
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
What services will not function for what users? This is very important to know and to understand, before making this change.
All services will remain running, but they won't be accessible by users running older software applications. The following quote from an analyst explains this further:

We had a prior ticket last week about Trustwave asking for TLSv1 to be disabled. When it is disabled, older operating systems and clients quit working. This is beyond the browsers. Services such as IMAP and POP (Dovecot) and SMTP (Exim) cease working in Windows 7 under Outlook 2007 and 2010. Those same services can quit working on Mac OS X Mountain Lion and earlier. Basically, if you go down this path, it is likely email services will break for many users. TLS v1.0 is actually required for STARTTLS on some systems.

As such, please be aware that services will break and there is nothing cPanel can do to get those older operating systems and clients to work. It will be the responsibility of the operating system provider or application to fix those services or the clients to update.
I would highly discourage disabling TLSv1 and only using TLSv1.1 and TLSv1.2 for any services related to email. Web services will cause some browsers to be unable to work, but modern browsers do support TLSv1.1 and TLSv1.2. The same cannot be said for email clients and older operating systems.
Thank you.
 

grayloon

Well-Known Member
Oct 31, 2007
Evansville, IN
cPanel Access Level
Root Administrator
I'm still struggling to get my FTP server to pass the scan. I've tried several different cipher suites that are supposed to pass. Unfortunately, I don't think I can force Pure-FTPd to use TLSv1.1 or TLSv1.2. If TLS is enabled, then Pure-FTPd automatically accepts TLSv1.0 connections. Can anyone confirm?

BTW, I'm testing with: openssl s_client -connect localhost:21 -starttls ftp -tls1
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I'm still struggling to get my FTP server to pass the scan. I've tried several different cipher suites that are supposed to pass. Unfortunately, I don't think I can force Pure-FTPd to use TLSv1.1 or TLSv1.2. If TLS is enabled, then Pure-FTPd automatically accepts TLSv1.0 connections. Can anyone confirm?
I've seen one report where changing the "TLS Cipher Suite" in "WHM Home » Service Configuration » FTP Server Configuration" to "!SSLv3" only allows TLSv1.2.

Thank you.
 

jestep

Well-Known Member
Dec 18, 2006
This one should work:

EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

Make sure you are using -SSLv2 -SSLv3 for protocols
 

jestep

Well-Known Member
Dec 18, 2006
This one should work:

EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4

Make sure you are using -SSLv2 -SSLv3 for protocols
Disregard. This breaks email. Still trying to figure one out that doesn't break FTP, email, or web access.

Still an issue with RC4. Can't connect even over TLS from my email clients. If I remove !RC4, I can connect to POP and SMTP again. Really have no idea how to get around this at this point.
 

Serra

Well-Known Member
Oct 27, 2005
Florida
Disregard. This breaks email. Still trying to figure one out that doesn't break FTP, email, or web access.

Still an issue with RC4. Can't connect even over TLS from my email clients. If I remove !RC4, I can connect to POP and SMTP again. Really have no idea how to get around this at this point.
It does appear that removing TLSv1 from dovecot breaks Outlook. It appears to work on newer devices and operating systems, but Outlook 2007 will not work. I'm still testing other versions. Technically we have until June 2016 to remove TLSv1, so we have time.

Edit. I'm seeing a lot of issues, but one that really throws a wrench into this is that the cPanel ports still accept TLSv1, so even if I were to magically fix mail and ftp, I'd still fail for cPanel ports.

For Apache:
SSL/TLS Protocols: all -SSLv3 -TLSv1
SSL Cipher Suite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

Seems to work. However, the server has to support a protocol higher than TLSv1.
 

Serra

Well-Known Member
Oct 27, 2005
Florida
Ok, still having many issues with mail. I'm seeing this TLSv1 : DHE-RSA-AES128-SHA. No idea where that cipher is being used, but it shows up on several ports: 110, 143, 465, 993, 995.

465 is also showing 15 TLSv1 ciphers.

Fixed cPanel ports here:

(Home >> Service Configuration >> cPanel Web Services Configuration)
TLS/SSL Cipher List: ALL:!ADH:+HIGH:-MEDIUM:-LOW:-SSLv2:-EXP
TLS/SSL Protocols: SSLv23:!SSLv2:!SSLv3:!TLSv1

FTP Server Configuration
HIGH:!TLSv1:!SSLv2:!SSLv3:!ADH:!aNULL:!eNULL:!NULL

Testing.....
Dovecot
AES128+EECDH:AES128+EDH

This configuration does break Outlook 2007.

Exim

openssl_options +no_sslv2 +no_sslv3 +no_tlsv1

For Apache, I gave my cipher suite above. You can verify your cipher suite works with your install using this tool:

https://mozilla.github.io/server-si...0&openssl=0.9.8&hsts=yes&profile=intermediate
 
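As an added example (not from any poster in this thread), a small POSIX shell audit that runs grayloon's `openssl s_client -tls1` probe against each cPanel service port, using `-starttls` on the plaintext-first ports, and reports which ones still complete a TLS 1.0 handshake, which is the list Serra was reconstructing from the scanner results. `HOST`, the port list and the `tls1-audit.sh` file name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: probe each cPanel service port with the
# same `openssl s_client -tls1` check used above and report which ports still
# complete a TLS 1.0 handshake. HOST and PORTS are assumptions; adjust them.
HOST="${HOST:-localhost}"
PORTS="21 25 110 143 443 465 587 993 995 2083 2087 2096"

# Plaintext-first ports need STARTTLS; the rest speak TLS immediately.
starttls_for() {
    case "$1" in
        21)     echo ftp ;;
        25|587) echo smtp ;;
        110)    echo pop3 ;;
        143)    echo imap ;;
        *)      echo "" ;;
    esac
}

# Read raw s_client output on stdin and print "accepted" if the server finished
# a TLS 1.0 handshake. A refused handshake still prints a session block, but
# with "Cipher    : 0000" (usually next to an "alert handshake failure" line);
# a closed port prints no "Protocol  : TLSv1" line at all.
classify_tls1() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Protocol *: TLSv1$' &&
       ! printf '%s\n' "$out" | grep -q 'Cipher *: 0000'; then
        echo accepted
    else
        echo rejected
    fi
}

# Probe one port; "|| true" keeps a failed handshake from aborting a run
# under set -e. Prints accepted/rejected.
probe_port() {
    st=$(starttls_for "$1")
    if [ -n "$st" ]; then
        raw=$(openssl s_client -connect "$HOST:$1" -starttls "$st" -tls1 </dev/null 2>&1 || true)
    else
        raw=$(openssl s_client -connect "$HOST:$1" -tls1 </dev/null 2>&1 || true)
    fi
    printf '%s\n' "$raw" | classify_tls1
}

# Usage: sh tls1-audit.sh scan  (every "accepted" line is a port the PCI
# scanner will still flag for TLSv1)
if [ "${1:-}" = "scan" ]; then
    for p in $PORTS; do
        printf '%s/%s: %s\n' "$HOST" "$p" "$(probe_port "$p")"
    done
fi
```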

Serra

Well-Known Member
Oct 27, 2005
Florida
Using the above settings, I'm down to one final issue.

The scanner is showing DHE-RSA-AES128-SHA on ports 110,143,993 & 995. So I've missed something on Dovecot. The rest of the system was secure and TLSv1 was removed.

The downside is I had to stop testing because customers started to check mail after the long weekend and all of the XP and Outlook 2007 users were broken. Basically, the requirement to remove TLSv1 makes a large segment of customers unable to connect. Until large businesses such as Amazon start meeting this requirement or some media attention toward this problem is addressed, I doubt small businesses will be able to comply without alienating their customers.
 

Serra

Well-Known Member
Oct 27, 2005
Florida
Due to the impossibility of meeting the PCI DSS 3.1 requirement of removing TLSv1, I've decided to go a different route until June of 2016, when everyone must meet the requirement. I'm going to submit a mitigation document to be excluded from the requirement. The document can be found here:

https://www.trustwave.com/Resources/Library/Documents/PCI-3-1-Risk-Plan-Template/

This will allow us to transition to the new requirement when larger businesses have already done so. Trying to meet the requirement at this time is impossible because the majority of customers simply can't access the server if we are meeting this requirement.
 

jestep

Well-Known Member
Dec 18, 2006
Still an issue with RC4. Can't connect even over TLS from my email clients. If I remove !RC4, I can connect to POP and SMTP again. Really have no idea how to get around this at this point.
Testing.....
Dovecot
AES128+EECDH:AES128+EDH

This configuration does break Outlook 2007.
Any suggestions for Courier? This one still breaks it.
 

Serra

Well-Known Member
Oct 27, 2005
Florida
Any suggestions for Courier? This one still breaks it.
Yes, for Dovecot or Courier, both will break Outlook 2007 as it doesn't support TLSv1.1. There is no way we can support Outlook 2007 or Microsoft XP and be PCI-DSS 3.1 compliant! On the Apache side, we can't support anything lower than Windows 7, with the service pack and IE 11. I'm telling you this is ugly.

Also, did they accept your mitigation plan on this one?
I haven't submitted it yet. Seems like the plan is fairly simple. I don't see too much resistance from them. They are not PCI-DSS 3.1 compliant either! I'll be submitting in the next day or so.
 

jestep

Well-Known Member
Dec 18, 2006
I'm trying with office 2013 and 365 on win 7_64 pro and ultimate, and it's breaking those as well. Looking through msdn to see if there is a fix or workaround for this. I think trustwave really jumped the gun on this one.
 

Serra

Well-Known Member
Oct 27, 2005
Florida
I'm trying with office 2013 and 365 on win 7_64 pro and ultimate, and it's breaking those as well. Looking through msdn to see if there is a fix or workaround for this. I think trustwave really jumped the gun on this one.
I had no users report issues with anything other than 2007. What operating system and version of OpenSSL are you running? It has to support TLSv1.1 or TLSv1.2 or no one can connect.
 

jestep

Well-Known Member
Dec 18, 2006
I had no users report issues with anything other than 2007. What operating system and version of OpenSSL are you running? It has to support TLSv1.1 or TLSv1.2 or no one can connect.
CentOS 6.6 x86_64, OpenSSL 1.0.1e-fips

If I add +no_tlsv1 to my exim configuration, none of our email clients are able to send through the server.