I need to disable TLS v1.0

sneader

Well-Known Member
Aug 21, 2003
La Crosse, WI
cPanel Access Level
Root Administrator
Here is an alternative approach, if your primary goal is just to get through the scan temporarily, while better solutions are developed:

1) Since customers that have SSL also must have a dedicated IP, you can use your firewall (such as CSF) to block all the ports they scan, except for port 443 (SSL). This way, you don't have to worry about what TLS version you run for email... because it appears you have no email server at all. In DNS, MX record is set to "mail.domain.tld" and that entry points to the main IP of the server, not the customer's IP. So, customers can still send/receive email... it is all done on the server's main IP, and not the customer's dedicated IP.

2) To get the website to pass, you will need one modification to Apache. Here are the steps:
  • Create this file:
    /usr/local/apache/conf/userdata/ssl/2_4/username
  • Put the following into that file:
    SSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:!TLSv1:-EXP
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1
  • Rebuild Apache with:
    /scripts/rebuildhttpdconf
  • Restart Apache with:
    /scripts/restartsrv_apache
3) After the scan is complete and passes, the customer can either be OK with losing some customers due to the above config blocking older browsers/computers... or they can have you reverse this procedure... until they fail again, in which case you can put it back for the next scan.

Hope this helps.

- Scott
 

Serra

Well-Known Member
Oct 27, 2005
Florida
Here is an alternative approach, if your primary goal is just to get through the scan temporarily, while better solutions are developed
That is a good work around. Right now, we only have to 'pass' once every three months to stay compliant, so that works well.

I very much hope a permanent solution will be forthcoming. I just don't know what that will be. There doesn't seem to be any movement on this from big companies.
 

jestep

Well-Known Member
Dec 18, 2006
Digging this back up. Anyone have a clue if Microsoft is going to do anything to make Outlook compatible with TLS v1.1 or 1.2? I've found some manual instructions, but it's not exactly convenient to do registry edits on a ton of computers not on a directory, nor is there any guarantee they don't get wiped out during an arbitrary Office update.

The heartbleed deadline is going to roll around really quick and I haven't heard any news that Microsoft is going to do anything with Outlook.
 

Serra

There has been zero movement on this since we started this thread about the issue. I suspect that Microsoft will have to come up with a solution OR the compliance date will need to be moved. I've always felt that as the deadline approaches, some heat will be generated on this issue. Until then, we just sit and wonder what will happen because this is all clearly outside of our control.

I've been reading anything dealing with the subject and I did see a blog about the issue that sort of rehashed what we've been discussing, but it was buried on a tech blog and never got front page status.
 

aceadoni

Member
Jun 24, 2004
Hamden,CT
cPanel Access Level
Root Administrator
Security Metrics Pass
Qualys SSL Labs A+ with Robust Forward Secrecy
Beast, Poodle (SSLv3/TLS), Crime, and Heartbleed mitigated server side

Cpanel Web Services

SSL Cipher List
ALL:!ADH:+HIGH:-MEDIUM:-LOW:-SSLv2:-SSLv3:-TLSv1:-EXP:-RC4:-CBC

TLS/SSL Protocols
!SSLv2:!SSLv3:!TLSv1

Apache

SSL Cipher Suite
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

SSL/TLS Protocols
ALL -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2
 

Serra

TLS/SSL Protocols
!SSLv2:!SSLv3:!TLSv1
That was really the first configuration we tested. Works perfectly, passes all of the Trustwave tests and gets an A+ from Qualys SSL Labs. Of course the downside is that no one with Outlook will be able to connect to the server. A large number of older Android customers will not be able to use SSL, but beyond those two issues, it is perfect.
 

aceadoni

Yea that is the downside.
I had another one that was safer for legacy clients but once TLS 1.0 resulted in a PCI failure I had to scrap it.
Hope my suggestion works for anyone in the same boat. :)
 

Serra

Yea that is the downside.
I had another one that was safer for legacy clients but once TLS 1.0 resulted in a PCI failure I had to scrap it.
Hope my suggestion works for anyone in the same boat. :)
You should be able to get an automatic deferment on removing TLSv1 until June of 2016.
 

Valetia

Well-Known Member
Jun 20, 2002
cPanel Access Level
Root Administrator
Cpanel Web Services

SSL Cipher List
ALL:!ADH:+HIGH:-MEDIUM:-LOW:-SSLv2:-SSLv3:-TLSv1:-EXP:-RC4:-CBC
TLS/SSL Protocols
!SSLv2:!SSLv3:!TLSv1
This causes Firefox to show a "ssl_error_no_cypher_overlap" error and refuse to proceed, while other browsers seem fine with it. Any ideas?
 

Serra

They finally realized this was completely impossible and unrealistic. The date has been extended to June 2018.

pcisecuritystandards.org/pdfs/15_12_18_SSL_Webinar_Press_Release_FINAL_%28002%29.pdf
 

Valetia

They finally realized this was completely impossible and unrealistic. The date has been extended to June 2018.

pcisecuritystandards.org/pdfs/15_12_18_SSL_Webinar_Press_Release_FINAL_%28002%29.pdf
Thanks for the update! What a relief.
 

k0nsl

Member
Oct 3, 2012
cPanel Access Level
Root Administrator
Which version of FF shows ssl_error_no_cypher_overlap?

It doesn't show this in FF 43.0.4 on Linux. It works fine on Chromium 48.0.2564.82 (built on Ubuntu 14.04) as well.

Best wishes,
-k0nsl

 

Serra

I got a warning from Trustwave today about ports 465, 2083 and 2087. Updated cipher requirements for exim to:

tls_require_ciphers HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!aDH:!DH:!RC4-MD5:!RC4-SHA

Updated cpanel to:
(Home >> Service Configuration >> cPanel Web Services Configuration)

TLS/SSL Cipher List: HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5
 

jestep

Looks like the Diffie Hellman - AECDH cipher suite is a failing condition now for TLS 1.1 and TLS 1.2. These are being used only by cpanel/whm services. Were these the same ones yours was failing on or is this a new change?

Failing conditions:
TLSv1_1 : AECDH-AES256-SHA
TLSv1_1 : AECDH-AES128-SHA
TLSv1_1 : AECDH-DES-CBC3-SHA
TLSv1_2 : AECDH-AES256-SHA
TLSv1_2 : AECDH-AES128-SHA
TLSv1_2 : AECDH-DES-CBC3-SHA
 

Serra

I don't have those active on my server, so I passed last month. I suspect we took those off a while back.
 

techguide

Active Member
Aug 29, 2012
cPanel Access Level
Reseller Owner
Hi, Serra, would you mind re-posting the current settings you are using for all the services, including EXIM, that won't break Outlook 2007, and older devices? Thanks much!
 

Serra

Hi, Serra, would you mind re-posting the current settings you are using for all the services, including EXIM, that won't break Outlook 2007, and older devices? Thanks much!
As of last month, tls_require_ciphers HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!aDH:!DH:!RC4-MD5:!RC4-SHA is no longer working.

I'm getting the warning: Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32

Currently failing with: tls_require_ciphers HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!aDH:!DH:!RC4-MD5:!RC4-SHA:!DSS:!3DES
 

Serra

I'm still getting errors; I'm seeing issues on ports 110, 465, 993, 995 and 2083, 2087, 2096.

I've tried for EXIM Ports:
tls_require_ciphers HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!aDH:!DH:!RC4-MD5:!RC4-SHA:!DSS:!DES:!3DES

Under cPanel Web Services Configuration:
HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!DSS:!DES:!3DES

I'm getting the error: Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32

Errors on:
TLSv1 : ECDHE-RSA-DES-CBC3-SHA
TLSv1 : EDH-RSA-DES-CBC3-SHA
TLSv1 : DES-CBC3-SHA
TLSv1_1 : ECDHE-RSA-DES-CBC3-SHA
TLSv1_1 : EDH-RSA-DES-CBC3-SHA
TLSv1_1 : DES-CBC3-SHA
TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
TLSv1_2 : EDH-RSA-DES-CBC3-SHA
TLSv1_2 : DES-CBC3-SHA

What I find odd is none of these are in HIGH! They have, from my understanding, been moved to MEDIUM.
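Serra's question about 3DES not being in HIGH, and the failing-cipher lists above, can be checked locally. This added Python script (not from the thread and not cPanel's code) expands an OpenSSL cipher string with the OpenSSL that Python links to and reports any surviving suite from the families the scanners flagged (anonymous AECDH/ADH, 3DES, RC4, MD5). Which alias group 3DES falls under depends on the OpenSSL build, so run it on the server being scanned; the embedded cipher strings are copies of the ones quoted in the thread.

```python
import ssl

# Cipher-name substrings for the families flagged in this thread:
# ADH-/AECDH- = anonymous key exchange (no server authentication),
# DES-CBC3 = 3DES, the 64-bit block cipher behind Sweet32, plus RC4 and MD5.
FLAGGED = {
    "anonymous DH/ECDH": ("ADH-", "AECDH-"),
    "3DES (Sweet32)": ("DES-CBC3", "3DES"),
    "RC4": ("RC4",),
    "MD5 MAC": ("-MD5",),
}

# Copies of the cipher strings quoted in the thread (exim and cPanel services).
EXIM_JAN17 = ("HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!aDH:!DH:!RC4-MD5:!RC4-SHA"
              ":!DSS:!DES:!3DES")
CPANEL_JAN17 = "HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5"


def expand_cipher_list(spec):
    """Return the suite names the linked OpenSSL selects for an OpenSSL cipher
    string, in offer order. Raises ssl.SSLError if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def audit_cipher_list(spec):
    """Map each flagged family to the suites that survive `spec`.
    An empty dict means none of the families the scanner complained
    about would be offered by this OpenSSL build."""
    names = expand_cipher_list(spec)
    findings = {}
    for family, needles in FLAGGED.items():
        hits = [n for n in names if any(nd in n for nd in needles)]
        if hits:
            findings[family] = hits
    return findings


if __name__ == "__main__":
    print("OpenSSL in use:", ssl.OPENSSL_VERSION)
    for label, spec in (("exim", EXIM_JAN17), ("cPanel services", CPANEL_JAN17)):
        names = expand_cipher_list(spec)
        print(f"{label}: {len(names)} suites, first offered {names[0]}")
        for family, hits in audit_cipher_list(spec).items():
            print(f"  still offers {family}: {', '.join(hits)}")
```

If the cPanel list still reports 3DES suites, the build counts them as HIGH and the explicit `!3DES` from the exim list is what removes them.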
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
I'm still getting errors, I'm seeing issues on ports: 110, 465, 993, 995 and 2083, 2087, 2096
Hello,

Feel free to open a support ticket using the link in my signature if you'd like us to take a closer look.

Thanks!
 

Serra

Setting for PCI Compliance 1/17:

EXIM:
tls_require_ciphers HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5:!aDH:!DH:!RC4-MD5:!RC4-SHA:!DSS:!DES:!3DES

cPanel:
(Home >> Service Configuration >> cPanel Web Services Configuration)
TLS/SSL Cipher List: HIGH:!aNULL:!eNULL:!PSK:!RC4:!MD5
TLS/SSL Protocols: SSLv23:!SSLv2:!SSLv3:!TLSv1

Dovecot:
SSLCipherSuite AES128+EECDH:AES128+EDH

FTP:
AES128+EECDH:AES128+EDH:!TLSv1:!TLSv1_1:!SSLv2:!SSLv3

SSH: add this to /etc/ssh/sshd_config. This removes the Arcfour issues.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc

Apache:
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
SSLProtocol All -SSLv2 -SSLv3


With this configuration, TLSv1 is enabled, so a mitigation document will need to be on file.
The only issues with this configuration are ports with weak ciphers: 21, 2083, 2087, 2096. These are outside of what we can configure; I guess cPanel is working to fix the problems. If these ports are closed, then the system can pass.