shimmy

Active Member
Nov 13, 2002
34
0
156
When I log into WHM it says I have an insecure version of mod_ssl. How do I update it?

I already updated to the newest version of cPanel.
I also clicked on Update Server Software and it updated that.
I also clicked on Update System Software and it updated that.
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
11,216
12
313
Houston, TX
cPanel Access Level
Root Administrator
shimmy said:
When I log into WHM it says I have an insecure version of mod_ssl. How do I update it?
I already updated to the newest version of cPanel.
I also clicked on Update Server Software and it updated that.
I also clicked on Update System Software and it updated that.
I recommend running EasyApache. Go to WHM -> Software -> Apache Update, ensure "Previously Saved Config (** DEFAULT **)" is selected, and you can just click "Build Profile Now" to simply update your existing Apache configuration.

Server and system updates do not affect Apache or anything running within Apache such as PHP, mod_ssl etc.
 

docbreed

Well-Known Member
Jul 18, 2005
57
0
156
I'm trying to fight this PCI compliance test and keep failing.

Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.

Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

See also: http://www.schneier.com/paper-ssl.pdf

Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See http://support.microsoft.com/kb/216482 for instructions on IIS. See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html for Apache.

Risk Factor: Medium / CVSS Base Score: 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
I did the Apache update and still get the following results:

Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8b mod_bwlimited/1.4 mod_perl/2.0.4 Perl/v5.8.8

WHM 11.23.2 cPanel 11.23.6-R27698
CENTOS Enterprise 5.2 i686 on standard - WHM X v3.1.0


So how do we fix this ssl issue?
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
11,216
12
313
Houston, TX
cPanel Access Level
Root Administrator
docbreed said:
I'm trying to fight this PCI compliance test and keep failing.

I did the Apache update and still get the following results:

Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8b mod_bwlimited/1.4 mod_perl/2.0.4 Perl/v5.8.8

WHM 11.23.2 cPanel 11.23.6-R27698
CENTOS Enterprise 5.2 i686 on standard - WHM X v3.1.0

So how do we fix this ssl issue?
Sounds like what has been described as "weak cyphers," an issue resolved in 11.24, which hasn't yet propagated to the RELEASE build.

There's a whole thread on weak cyphers at: http://forums.cpanel.net/showthread.php?t=61698
 

Nico

Well-Known Member
Dec 5, 2001
233
0
316
Edmond, OK
I tried updating Apache per this thread and mod_ssl is still insecure per WHM... any other suggestions?
 

Nico

Well-Known Member
Dec 5, 2001
233
0
316
Edmond, OK
cPanel 11.24.4-E32443 - WHM 11.24.2 - X 3.9
CENTOS 3.9 i686 on standard

According to WHM:
mod_ssl version = 2.2.11
Latest Version = 2.8.27
 

Nico

Well-Known Member
Dec 5, 2001
233
0
316
Edmond, OK
Apparently not... I just set up a new server this AM and it's broken there also.

Latest Version 2.8.27
Installed Version 2.0.63

That's after running yum upgrade, /scripts/upcp and recompiling Apache.
 

Nico

Well-Known Member
Dec 5, 2001
233
0
316
Edmond, OK
sneader said:
Can you tell me where you find this info in WHM?

Sounds like 2.2.11 is the version of Apache you are running (not the version of mod_ssl)?

- Scott
The Apache version is 2.0.63.
When you log into WHM click on "news" at the top and you will see the tables that have that info.
 

sneader

Well-Known Member
Aug 21, 2003
1,193
61
178
La Crosse, WI
cPanel Access Level
Root Administrator
In WHM, under Apache Configuration, there is a section that says:

SSLCipherSuite
This complex directive uses a colon-separated "cipher-spec" string consisting of OpenSSL cipher specifications to configure the cipher suite that the client negotiates in the SSL handshake phase.

Default:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP


Mine is set to the default, and I am failing PCI compliance. The error message from the friendly PCI folks is:

Synopsis: The remote service supports the use of weak SSL ciphers.

Description: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.

See also: http://www.openssl.org/docs/apps/ciphers.html

Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.

Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Plugin output: Here is the list of weak SSL ciphers supported by the remote server:

Low Strength Ciphers (< 56-bit key)

SSLv2
  EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2(40)  Mac=MD5   export
  EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5   export

SSLv3
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES(40)  Mac=SHA1  export
  EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES(40)  Mac=SHA1  export
  EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2(40)  Mac=MD5   export
  EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5   export

TLSv1
  EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES(40)  Mac=SHA1  export
  EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES(40)  Mac=SHA1  export
  EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2(40)  Mac=MD5   export
  EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5   export

The fields above are: {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

Been reading a lot of forum messages on PCI compliance and my head hurts, as to what is needed to fix this issue. A shove in the right direction would be appreciated.

EDIT: FYI, I am running cPanel 11.24.4-S33345 - WHM 11.24.2.

- Scott
 
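Added example (not from the thread, cPanel or OpenSSL): a small Python model of how OpenSSL turns an SSLCipherSuite string into a cipher list, run against a constructed cipher table modelled on the Nessus output above. It covers both findings in this thread, docbreed's SSL 2.0 finding and sneader's weak-cipher finding, and illustrates the two rules practitioners trip over: a `-` prefix (as in `-EXP`) only deletes from the list being built and a later keyword can re-add the suites, whereas `!` kills them permanently; and `-SSLv2` in a cipher string removes SSLv2-only suites but does not switch the SSLv2 protocol off, which in Apache 2.2 is done with `SSLProtocol all -SSLv2` (the form given in the mod_ssl documentation). The keyword set is a simplified subset of ciphers(1) (`RSA` is read as RSA key exchange, the HIGH/MEDIUM/LOW/EXP classes are drawn by key size, `@STRENGTH` is ignored), the cipher table and the `HARDENED` string are assumptions for the demonstration, and none of it replaces `openssl ciphers -v '<spec>'` on the server itself.

```python
"""Model of how OpenSSL builds a cipher list from an SSLCipherSuite string.

Simplified, self-contained illustration (not OpenSSL's code): a constructed
cipher table modelled on the Nessus output in the thread, a subset of the
ciphers(1) keywords, and the list semantics of the '', '-', '!' and '+'
prefixes.  Check the real result with:  openssl ciphers -v '<spec>'
"""
from collections import namedtuple

Cipher = namedtuple("Cipher", "name proto kx au enc bits mac export")

# Constructed table in OpenSSL preference order.  'proto' is the oldest
# protocol the suite belongs to; SSLv3 suites are also used under TLSv1.
CIPHERS = [
    Cipher("EXP-RC4-MD5",             "SSLv2", "RSA", "RSA",  "RC4",  40,  "MD5",  True),
    Cipher("EXP-RC2-CBC-MD5",         "SSLv2", "RSA", "RSA",  "RC2",  40,  "MD5",  True),
    Cipher("DES-CBC3-MD5",            "SSLv2", "RSA", "RSA",  "3DES", 168, "MD5",  False),
    Cipher("RC4-MD5",                 "SSLv3", "RSA", "RSA",  "RC4",  128, "MD5",  False),
    Cipher("EXP-DES-CBC-SHA",         "SSLv3", "RSA", "RSA",  "DES",  40,  "SHA1", True),
    Cipher("EXP-EDH-RSA-DES-CBC-SHA", "SSLv3", "DH",  "RSA",  "DES",  40,  "SHA1", True),
    Cipher("DES-CBC-SHA",             "SSLv3", "RSA", "RSA",  "DES",  56,  "SHA1", False),
    Cipher("ADH-AES128-SHA",          "SSLv3", "DH",  "None", "AES",  128, "SHA1", False),
    Cipher("RC4-SHA",                 "SSLv3", "RSA", "RSA",  "RC4",  128, "SHA1", False),
    Cipher("AES128-SHA",              "SSLv3", "RSA", "RSA",  "AES",  128, "SHA1", False),
    Cipher("DHE-RSA-AES256-SHA",      "SSLv3", "DH",  "RSA",  "AES",  256, "SHA1", False),
]

CPANEL_DEFAULT = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"  # string shown in WHM above
HARDENED = "HIGH:MEDIUM:!aNULL:!EXP:!LOW:!SSLv2"                  # assumed alternative using '!'


def strength(c):
    """Simplified strength classes (ciphers(1) draws the lines slightly differently)."""
    if c.export:
        return "EXP"
    if c.bits <= 64:
        return "LOW"
    if c.bits == 128:
        return "MEDIUM"
    return "HIGH"


def matches(c, word):
    """Does one keyword of a cipher-spec select cipher c?"""
    w = word.upper()
    if w == "ALL":
        return True
    if w in ("EXP", "EXPORT", "LOW", "MEDIUM", "HIGH"):
        return strength(c) == ("EXP" if w == "EXPORT" else w)
    if w in ("SSLV2", "SSLV3", "TLSV1"):
        return c.proto == ("SSLv2" if w == "SSLV2" else "SSLv3")
    if w == "ADH":
        return c.kx == "DH" and c.au == "None"
    if w == "ANULL":
        return c.au == "None"
    if w in ("RSA", "DH"):          # key-exchange algorithm (0.9.8-era reading of "RSA")
        return c.kx == w
    if w in ("RC4", "RC2", "DES", "3DES", "AES"):
        return c.enc == w
    if w in ("MD5", "SHA", "SHA1"):
        return c.mac == ("SHA1" if w == "SHA" else w)
    raise ValueError("keyword not modelled: " + word)


def evaluate(spec):
    """Return the ordered cipher names the spec enables, OpenSSL-style."""
    cur = []           # the list being built, in preference order
    killed = set()     # names removed with '!' can never come back
    for term in spec.split(":"):
        if not term or term.startswith("@"):   # '@STRENGTH' sorting not modelled
            continue
        prefix, body = (term[0], term[1:]) if term[0] in "!-+" else ("", term)
        parts = body.split("+")                # 'RC4+RSA' must satisfy every part
        sel = [c for c in CIPHERS if all(matches(c, p) for p in parts)]
        if prefix == "":                       # add matches not yet present (unless killed)
            cur += [c for c in sel if c.name not in killed and c not in cur]
        elif prefix == "-":                    # delete now, but a later term may re-add
            cur = [c for c in cur if c not in sel]
        elif prefix == "!":                    # delete permanently
            killed.update(c.name for c in sel)
            cur = [c for c in cur if c not in sel]
        else:                                  # '+': move matches already present to the end
            cur = [c for c in cur if c not in sel] + [c for c in cur if c in sel]
    return [c.name for c in cur]


def scanner_flags(names):
    """Suites a PCI scan of this era reports: SSLv2-only, export, <56-bit, anonymous."""
    by_name = {c.name: c for c in CIPHERS}
    return [n for n in names
            if by_name[n].proto == "SSLv2" or by_name[n].export
            or by_name[n].bits < 56 or by_name[n].au == "None"]


if __name__ == "__main__":
    for spec in (CPANEL_DEFAULT, HARDENED, "ALL:-EXP:EXP", "ALL:!EXP:EXP"):
        enabled = evaluate(spec)
        print(spec)
        print("  enabled:", enabled)
        print("  flagged:", scanner_flags(enabled))
```

Under this model the WHM default string on its own enables no export or SSLv2-only suites, while `ALL:-EXP:EXP` quietly re-enables the export suites that `-EXP` removed. So when a scanner still reports them, look for a different effective configuration rather than at this string: SSLCipherSuite is also valid inside a VirtualHost, so a per-site include can override the global setting, and the SSLv2 protocol itself is governed by SSLProtocol, not by the cipher list. Confirm from outside with `openssl s_client -ssl2 -connect host:443` (the `-ssl2` option exists only in OpenSSL builds that still include SSLv2, such as the 0.9.8 on these servers) and `openssl s_client -cipher EXP -connect host:443`; both should fail to handshake once the fix is in place.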