I need to disable TLS v1.0

Legin76

Well-Known Member
Dec 11, 2007
> Also there are issues with Apache 2.2; we really need to be running 2.4 now to support TLSv1.1.
>
> You can give up PCI compliance and assume the risk of using TLSv1, or get a new server. If you upgrade (buy a new server and migrate) to one that uses CentOS 6.6 with CloudLinux, then the server would support users selecting a different version of PHP without risk to the server and to clients who are using the most current version, by using CageFS. The older versions would NOT affect users' PCI compliance, since it isn't running in their cage. It would only affect users who were actually using the old version.
>
> That was the solution I picked. Obviously, this isn't urgent. You can upgrade between now and June of 2016 and still be compliant.

Upgrading to 2.4 shouldn't be a problem. My long-term plan is to do that with CloudLinux etc. My biggest issue will be changes of IP. Way too many of my customers control the DNS from their registrar etc.

Thanks for your help.
 

Serra

Well-Known Member
Oct 27, 2005
Florida
I'm not sure of the risk of upgrading OpenSSL. I would put in a ticket and discuss it with cPanel before you decide. In my case, I looked at the upgrade and thought the risk was too high. Plus it isn't really a supported change, so who knows what could go wrong. A screwed-up server is harder to migrate than one that is working.

Migration is a pain, but it solves the problem.
 

infiniservers

Registered
Feb 4, 2013
cPanel Access Level
Root Administrator
> Has anyone tried this OpenSSL update and is it safe? http://www.gbservers.co.uk/centos-5-tls-1-2-support-cpanelwhm/

Yeah, I tried this; it seems to be working.
It was a headache at first, but once I got all the bugs out it seems to be working. I'd suggest installing OpenSSL to /opt/ as someone stated.

Still looking into completely disabling TLS 1.0, as cPanel says it's using 1.0, but other domain SSLs are 1.2.

Only other issue is that RC4 is still enabled too.
 

Serra

Well-Known Member
Oct 27, 2005
Florida
You made these changes:

(Home >> Service Configuration >> cPanel Web Services Configuration)
TLS/SSL Cipher List: ALL:!ADH:+HIGH:-MEDIUM:-LOW:-SSLv2:-EXP
TLS/SSL Protocols: SSLv23:!SSLv2:!SSLv3:!TLSv1
 

infiniservers

Registered
Feb 4, 2013
cPanel Access Level
Root Administrator
> You made these changes:
>
> (Home >> Service Configuration >> cPanel Web Services Configuration)
> TLS/SSL Cipher List: ALL:!ADH:+HIGH:-MEDIUM:-LOW:-SSLv2:-EXP
> TLS/SSL Protocols: SSLv23:!SSLv2:!SSLv3:!TLSv1

No, because that breaks WHM.

I fixed the RC4 issue; I used Mozilla's recommendations.
As for cPanel, I believe it's the way the cert is generated, because it's self-signed.

The original one I had needs to be regenerated; when their site is back up I'll try again.
 

Serra

Well-Known Member
Oct 27, 2005
Florida
> No, because that breaks WHM.

This would only break WHM if your server doesn't support those changes. For an Apache 2.4 server running CentOS 6.6, WHM works fine with those settings.

Also Trustwave has come up with a new wrinkle:
SSL Weak Encryption Algorithms: "Please note that this vulnerability CANNOT be disputed using a Risk Mitigation and Migration plan. This is a separate finding and must be treated as such."

In other words, sure, you can put in a mitigation plan to still allow you to use TLSv1, but we aren't going to allow you to use any TLSv1 protocols. Thus making the mitigation plan idea useless, since the idea was that we couldn't stop using TLSv1 because too many cannot connect to our server. Now, they have approved my continued use of TLSv1, but will not approve or allow me to mitigate the use of TLSv1 protocols.

The only hope is that they are only flagging 110, 143 and 995, so it is possible that a change to Dovecot that doesn't break Outlook 2007 might be a workaround. I'm running a scan on that now.
 

Serra

Well-Known Member
Oct 27, 2005
Florida
> The original one I had needs to be regenerated; when their site is back up I'll try again.
I also needed to regenerate all of my SSL, which were about a year old from RapidSSL. All of them were using SHA1. There was no option at Namecheap to use any other method. Namecheap is now using SHA2 for certificates, so once regenerated, they seemed to work fine.
 

jestep

Well-Known Member
Dec 18, 2006
> Also Trustwave has come up with a new wrinkle:
> SSL Weak Encryption Algorithms: "Please note that this vulnerability CANNOT be disputed using a Risk Mitigation and Migration plan. This is a separate finding and must be treated as such."
>
> In other words, sure, you can put in a mitigation plan to still allow you to use TLSv1, but we aren't going to allow you to use any TLSv1 protocols. Thus making the mitigation plan idea useless, since the idea was that we couldn't stop using TLSv1 because too many cannot connect to our server. Now, they have approved my continued use of TLSv1, but will not approve or allow me to mitigate the use of TLSv1 protocols.
>
> The only hope is that they are only flagging 110, 143 and 995, so it is possible that a change to Dovecot that doesn't break Outlook 2007 might be a workaround. I'm running a scan on that now.

I had this as well, but the only cipher that was showing under the evidence tab was RC4. Are you seeing others listed?
 
Jul 11, 2012
cPanel Access Level
Root Administrator
Hello. I also had to pass a Trustwave PCI scan, and this is what I finally did, after hitting my head against the monitor.

1) Recompiled Apache in order to have the latest OpenSSL in place.
2) Changed the following settings in WHM:
FOR APACHE
(Service Configuration / Apache Configuration / Global Configuration):
- SSL Cipher Suite: ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-TLSv1:-EXP
- SSL/TLS Protocols: leave the PCI recommended or default setting.

FOR DOVECOT:
(Service Configuration / Mailserver Configuration):
- SSL Cipher List: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-TLSv1

That finally worked for me.

Since this seems to be a very recurrent issue, let's have this post, guys, with the latest useful tips about Trustwave findings.

Regards
 

Serra

Well-Known Member
Oct 27, 2005
Florida
I was able to pass with a mitigation document for the email ports with TLSv1 on with these settings:

Dovecot
SSLCipherSuite:
HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5
Protocols: !SSLv2 !SSLv3 !TLSv1

Exim
tls_require_ciphers
ALL:!ADH:RC4+RSA:+HIGH:-MEDIUM:-LOW:-SSLv2:-EXP:!RC4

This configuration allows TLSv1, so it needs the mitigation documentation, but does not break Outlook 2007.
 

Serra

Well-Known Member
Oct 27, 2005
Florida
Thanks for the post. Have you tested any email clients against that dovecot configuration?
The "-TLSv1" will break ALL versions of Outlook. I tested with 2007 and 2013 and both were broken. The best we can hope for now is to remove the ciphers and allow Outlook to use TLSv1, then submit the mitigation document that allows us to continue using TLSv1. That results in a pass for Trustwave, for now.
 

sneader

Well-Known Member
Aug 21, 2003
La Crosse, WI
cPanel Access Level
Root Administrator
> FOR APACHE
> (Service Configuration / Apache Configuration / Global Configuration):
> - SSL Cipher Suite: ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-TLSv1:-EXP
> - SSL/TLS Protocols: leave the PCI recommended or default setting.
I'm attempting to implement this for just one customer, utilizing their .htaccess file, which should work in theory, but I can't seem to get it working.

In the customer's .htaccess file, I have:

Code:
SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-TLSv1:-EXP
However, when I run their site through the SSL checking at Qualys, it still shows the customer's site as using TLS v1.0. Any tips on this would be greatly appreciated.

Also, if anyone has successfully submitted a "TLS v1.0 Mitigation" document to Trustwave and is willing to share what you put in there, that would be super helpful.

- Scott
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
Scott, Serra shared a mitigation plan earlier, hope this helps:

Risk Mitigation plan accepted by Trustwave.

Code:
May 27th, 2015
Risk Mitigation and Migration Plan for Payment Card Industry Data Security Standard (PCI DSS)
3.1 Requirements
c/o Trustwave
70 W. Madison St. Suite 1050
Chicago, IL 60602
Dear Sir or Madam:
Please accept this as the Risk Mitigation and Migration Plan for PCI DSS 3.1 for
<company name>.
A description of where and how we are currently using SSL and/or early versions of TLS, how
we intend to mitigate the risks with these technologies, and our migration plan are listed below.
1. Where are SSL/TLS 1.0 currently used in your environment?
We are currently accepting TLSv1 connections on port 80 and 443 to support older
browsers as many of our customers have not yet upgraded to PCI-DSS 3.1 compliant
browsers.
We are currently accepting TLSv1 connections on ports 110, 143, 993 and 995 for email
logins from our customers who are not yet able to comply with PCI-DSS 3.1.
2. How are you mitigating risks with SSL/TLS 1.0?
We are currently using TLSv1 as a security control, but not to protect the
confidentiality of the communication. We do not allow the transmission of customer data
via email.
We currently support TLSv1.1 and TLS1.2 and only HIGH encryption for those
customers who are able to use these. Our default communication is set to use the best
possible ciphers and protocols and only allowing downgrades for those customers unable
to use the required level of communication.
3. How are you monitoring for new vulnerabilities associated with SSL/TLS 1.0?
We are continuing our security scanning and should any new vulnerabilities in TLSv1
appear, we will be able to quickly react to prevent any additional risk.
4. How are you ensuring that SSL/TLS 1.0 are not introduced into your cardholder data
environment? (Meaning, how can you verify that new or upgraded systems connected to
your cardholder data environment don’t contain SSL/TLS 1.0?)
TLSv1 is only currently in our website environment for the convenience of our customers.
No new devices or systems will be introduced that support TLSv1 and we are able to
move to new TLS formats as soon as our customer base will support such a move.
5. When will your migration plan from SSL/TLS1.0 be completed?
We expect to be fully migrated by March 2016 or earlier if our customer base is able to
upgrade. Under current testing about half our customers are unable to communicate with
us if we do not support TLSv1.
So basically, I told the truth: I can't upgrade my servers; it's not me, it's my customers who can't support their needs.
 

TheyLive

Registered
Jul 15, 2015
USA
cPanel Access Level
Root Administrator
Serra, I was having the same issue you described running a CentOS 6.6, WHM 11.5 server. TrustWave scans passed, but unable to connect via Thunderbird 38.1 or Outlook 2013 on port 993. I ended up removing the !SSLv3 text from the SSL Cipher List under Service Configuration > Mailserver Configuration, while still using this format "!SSLv2 !SSLv3 !TLSv1" under SSL Protocols.

I can get successful handshakes on tlsv1_1 and tlsv1_2, but not tlsv1, ssl3 or ssl2, using the following via SSH:

openssl s_client -connect myserver.com:993 -ssl3

Perhaps I'm mistaken, but removing SSLv3 from SSL Ciphers wasn't the right approach. Here is my current config:

Service Configuration > Mailserver Configuration

SSL Ciphers: HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!ADH:!EXPORT:!LOW

SSL Protocols: !SSLv2 !SSLv3 !TLSv1

Service Configuration > Exim > Advanced Editor

open_ssl_options = +no_sslv2 +no_sslv3 +no_tlsv1

Unsure yet if this will cause TrustWave to fail PCI Compliance. Waiting to see....
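The `openssl s_client -connect myserver.com:993 -ssl3` check above tests one protocol version per invocation. Below is the same check as a small script, added here as an example; it is not code from this thread, from cPanel or from Trustwave, and `build_context`, `probe`, `summarize` and `scan` are names I chose. It pins a Python `ssl` client context to exactly one protocol version, attempts a handshake on an implicit-TLS port such as 443, 993 or 995 (110 and 143 need a STARTTLS exchange first, which this does not do), and records whether the server accepted that version. It separates "rejected by the server" from "untestable from this client": a modern OpenSSL (3.x at its default security level) refuses to even offer TLS 1.0 or 1.1, and treating that as a pass is the same mistake as trusting a scanner host that cannot speak the old versions. Certificate verification is disabled on purpose because the question is protocol support, not identity; that is why the self-signed cPanel certificate mentioned earlier does not get in the way.

```python
import socket
import ssl

# Protocol versions to try, oldest first. SSLv3 is left out: no current OpenSSL
# build will negotiate it, so a pinned SSLv3 probe tells you nothing about the
# server. The "untestable" outcome below catches the same problem for TLS 1.0/1.1.
VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
LEGACY = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}   # what the PCI scan flags


def build_context(version):
    """Client context pinned to exactly one protocol version (min == max).

    Certificate checks are off on purpose: we ask "does the server accept this
    version at all", not whether its certificate chains to a trusted CA.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def probe(host, port, version, timeout=5.0):
    """One handshake attempt on an implicit-TLS port (443, 993, 995).

    Returns "accepted", "rejected" (server sent an alert or dropped the
    connection), "untestable" (this machine's OpenSSL will not offer the
    version, e.g. TLS 1.0 under OpenSSL 3 at its default security level) or
    "error" (connection problem, not a TLS answer).
    """
    try:
        ctx = build_context(version)
    except ValueError:                 # this OpenSSL does not know the version at all
        return "untestable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.version()          # handshake done; pinned, so this is `version`
                return "accepted"
    except ssl.SSLError as exc:
        if exc.reason == "NO_PROTOCOLS_AVAILABLE":
            return "untestable"
        return "rejected"              # protocol_version alert, handshake failure, EOF
    except ConnectionResetError:
        return "rejected"              # some servers just drop unsupported versions
    except OSError:
        return "error"


def summarize(results):
    """Turn {version_name: outcome} into the verdict a compliance check needs."""
    legacy_names = {v.name for v in LEGACY}
    return {
        "accepted": sorted(n for n, r in results.items() if r == "accepted"),
        "legacy_accepted": sorted(n for n, r in results.items()
                                  if r == "accepted" and n in legacy_names),
        "untestable": sorted(n for n, r in results.items() if r == "untestable"),
    }


def scan(host, port):
    """Probe every version in VERSIONS against host:port and summarize."""
    return summarize({v.name: probe(host, port, v) for v in VERSIONS})


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. mail.example.com 993 (placeholder host)
    verdict = scan(host, port)
    print(verdict)
    if verdict["legacy_accepted"]:
        print("FAIL: server still accepts", ", ".join(verdict["legacy_accepted"]))
    if verdict["untestable"]:
        print("NOTE: could not test", ", ".join(verdict["untestable"]), "from this client")
```

Run it against each mail port after a Dovecot or Exim change; an empty `legacy_accepted` list with an empty `untestable` list is the only result that actually says TLS 1.0 and 1.1 are off.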
 

CCWHSupport

Registered
Jul 22, 2015
UK
cPanel Access Level
Root Administrator
> Hello. I also had to pass a Trustwave PCI scan, and this is what I finally did, after hitting my head against the monitor.
>
> 1) Recompiled Apache in order to have the latest OpenSSL in place.
> 2) Changed the following settings in WHM:
> FOR APACHE
> (Service Configuration / Apache Configuration / Global Configuration):
> - SSL Cipher Suite: ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-TLSv1:-EXP
> - SSL/TLS Protocols: leave the PCI recommended or default setting.
>
> FOR DOVECOT:
> (Service Configuration / Mailserver Configuration):
> - SSL Cipher List: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:-TLSv1
>
> That finally worked for me.
>
> Since this seems to be a very recurrent issue, let's have this post, guys, with the latest useful tips about Trustwave findings.
>
> Regards

We have just tried the Cipher Suite mentioned above (SSL Cipher Suite: ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-TLSv1:-EXP). Unfortunately that breaks all but TLS 1.2 for us (when checking with SSL Labs); see attached.
 

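Why the `-SSLv3:-TLSv1` cipher strings quoted in this thread (the Apache/Dovecot recipe earlier and the one just tried above) leave "all but TLS 1.2" broken and "break ALL versions of Outlook", while the `HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:...` string keeps TLS 1.0 clients working, can be checked against the local OpenSSL. The script below is an added example, not code from the thread, from cPanel or from Mozilla; the function names are mine, and the two constants are the posters' own strings. In an OpenSSL cipher string, `SSLv3` and `TLSv1` are aliases for the cipher suites introduced with those protocol versions, so `-SSLv3:-TLSv1` deletes every suite a TLS 1.0 or 1.1 client can negotiate (on the OpenSSL 1.0.x of the era the two aliases named the same set, so either one alone did this) and only the AEAD suites that require TLS 1.2 survive. The protocol versions a server accepts are governed by the separate protocols setting (`SSLv23:!SSLv2:!SSLv3:!TLSv1` in the WHM fields above, `SSLProtocol` in Apache, which is a server or virtual-host directive and cannot be set from `.htaccess`), which is why a cipher string on its own neither disables TLS 1.0 nor changes what a Qualys scan reports as the protocol.

```python
import ssl

# Cipher strings as quoted by posters in this thread (server-side settings).
STRIP_LEGACY = "ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-TLSv1:-EXP"   # "breaks all but TLS 1.2"
KEEP_LEGACY = "HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!ADH:!EXPORT:!LOW"      # still serves TLS 1.0 clients


def selected_suites(cipher_string):
    """Ask the local OpenSSL (through the ssl module) which suites a cipher
    string selects. Each entry carries OpenSSL's label for the lowest protocol
    the suite needs: "SSLv3" / "TLSv1" for pre-1.2 suites, "TLSv1.2" for the
    AEAD suites, "TLSv1.3" for the TLS 1.3 suites. Raises ssl.SSLError when
    the string matches nothing at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def needs_tls12(protocol_label):
    """True for suites that can only be negotiated under TLS 1.2 or 1.3."""
    return protocol_label in ("TLSv1.2", "TLSv1.3")


def serves_pre_tls12_clients(cipher_string):
    """True if at least one selected suite is negotiable under TLS 1.0/1.1.
    False means a client limited to TLS 1.0 (Outlook 2007 in this thread) fails
    the handshake whatever the protocol setting says: the server has no suite
    left to offer it."""
    return any(not needs_tls12(label) for _, label in selected_suites(cipher_string))


def by_protocol(cipher_string):
    """Suite names grouped by minimum protocol, for a quick report."""
    groups = {}
    for name, label in selected_suites(cipher_string):
        groups.setdefault(label, []).append(name)
    return groups


def flagged_suites(cipher_string):
    """Selected suites a PCI scan would flag on name alone (RC4, MD5, DES/3DES,
    NULL, export grade), independent of which protocol versions are enabled."""
    markers = ("RC4", "MD5", "DES", "NULL", "EXP")
    return [n for n, _ in selected_suites(cipher_string) if any(m in n for m in markers)]


if __name__ == "__main__":
    for label, cs in (("strip legacy", STRIP_LEGACY), ("keep legacy", KEEP_LEGACY)):
        print(f"{label}: {cs}")
        for proto, names in sorted(by_protocol(cs).items()):
            print(f"  {proto:8} {len(names):3} suites, e.g. {names[0]}")
        print("  usable by a TLS 1.0/1.1 client:", serves_pre_tls12_clients(cs))
        print("  name-flagged suites:", flagged_suites(cs) or "none")
```

The practical reading for this thread: to keep Outlook 2007 connecting while removing RC4, use a string like `KEEP_LEGACY` (which still leaves `SSLv3`/`TLSv1` suites available) and submit the mitigation document for TLS 1.0; to actually turn TLS 1.0 off, change the protocols field, not the cipher list, and accept that TLS-1.0-only clients will fail either way.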

bluerayconcepts

Active Member
Mar 24, 2013
Yuba City, CA
cPanel Access Level
Root Administrator
So this seems to have dropped off since August. Does anyone have any update on this? I know this is pretty much waiting for software vendors like MS and Apple to get on board; just curious if anything has been heard.

I have Apache and FTP compliant currently, just waiting on email. Any change I currently make breaks Outlook, iOS, webmail, etc.
 

Serra

Well-Known Member
Oct 27, 2005
Florida
Same here. Just waiting for the stuff to hit the fan and this to become an issue for people. Email is still an issue for me; I've remained compliant by getting an exception. However, Trustwave now wants me to do the exception each month!

Right now, Outlook breaks with any compliant change I make. My Apache is also not compliant; turning off TLSv1 breaks a mess of browsers for SSL.

We just need to sit on this until April or May when it starts to become a media issue. I've only seen one article on this in a tech blog that actually talked about the problem so far.