mod_ssl

Discussion in 'General Discussion' started by shimmy, Dec 9, 2008.

  1. shimmy

    shimmy Active Member

    When I log into WHM it says I have an unsecure version of mod_ssl, how do I update it?

    I already updated the newest version of cpanel
    I also clicked on Update Server Software and it updated that
    I also clicked on Update System Software and it updated that
     
  2. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    I recommend running EasyApache. Go to WHM -> Software -> Apache Update, ensure "Previously Saved Config (** DEFAULT **)" is selected, and you can just click "Build Profile Now" to simply update your existing Apache configuration.

    Server and system updates do not affect Apache or anything running within Apache such as PHP, mod_ssl etc.
     
  3. docbreed

    docbreed Well-Known Member

    I'm trying to fight this PCI Compliant test and keep failing.

    I did the Apache update and still get the following results.

    Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8b mod_bwlimited/1.4 mod_perl/2.0.4 Perl/v5.8.8

    WHM 11.23.2 cPanel 11.23.6-R27698
    CENTOS Enterprise 5.2 i686 on standard - WHM X v3.1.0


    So how do we fix this ssl issue?
     
    #3 docbreed, Dec 10, 2008
    Last edited: Dec 10, 2008
  4. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Sounds like what has been described as "weak cyphers," an issue resolved in 11.24 which hasn't yet propagated to the RELEASE build.

    There's a whole thread on weak cyphers at: http://forums.cpanel.net/showthread.php?t=61698
     
  5. Nico

    Nico Well-Known Member

    I tried updating Apache per this thread and mod_ssl is still insecure per WHM... any other suggestions?
     
  6. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    I take it you mean that HTTPS connections to WHM itself support weak cyphers? If so, what's your full cPanel version number?
     
  7. Nico

    Nico Well-Known Member

    cPanel 11.24.4-E32443 - WHM 11.24.2 - X 3.9
    CENTOS 3.9 i686 on standard

    According to WHM:
    mod_ssl version = 2.2.11
    Latest Version = 2.8.27
     
  8. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    You can upgrade mod_ssl by recompiling Apache by going to WHM -> Software -> EasyApache.
     
  9. Nico

    Nico Well-Known Member

    I did that earlier... no change.
     
  10. budway

    budway Well-Known Member

    Is this fixed?

    Also what about FP extensions?
     
  11. Nico

    Nico Well-Known Member

    Apparently not... I just set up a new server this AM and it's broken there also.

    Latest Version 2.8.27
    Installed Version 2.0.63

    That's after running yum upgrade, /scripts/upcp and recompiling Apache.
     
  12. sneader

    sneader Well-Known Member

    Can you tell me where you find this info in WHM?

    Sounds like 2.2.11 is the version of Apache you are running (not the version of mod_ssl)?

    - Scott
     
  13. Nico

    Nico Well-Known Member

    The Apache version is 2.0.63.
    When you log into WHM click on "news" at the top and you will see the tables that have that info.
     
  14. sneader

    sneader Well-Known Member

    In WHM, under Apache Configuration, there is a section that says:

    SSLCipherSuite
    This complex directive uses a colon-separated "cipher-spec" string consisting of OpenSSL cipher specifications to configure the cipher suite that the client negotiates in the SSL handshake phase.

    Default:
    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP


    Mine is set to the default. And I am failing PCI Compliance. The error message from the friendly PCI folks is:

    Synopsis : The remote service supports the use of weak SSL ciphers.
    Description : The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
    See also : http://www.openssl.org/docs/apps/ciphers.html
    Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
    Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    Plugin output : Here is the list of weak SSL ciphers supported by the remote server :

    Low Strength Ciphers (< 56-bit key)
      SSLv2
        EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
        EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
      SSLv3
        EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
        EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
        EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
        EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
      TLSv1
        EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
        EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
        EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
        EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

    The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

    Been reading a lot of forum messages on PCI compliance and my head hurts, as to what is needed to fix this issue. A shove in the right direction would be appreciated.

    EDIT: FYI, I am running cPanel 11.24.4-S33345 - WHM 11.24.2.

    - Scott
     
    #14 sneader, Jan 21, 2009
    Last edited: Jan 21, 2009
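
The plugin output in post #14 follows a fixed field layout, so it can be parsed into the distinct cipher names the scanner found per protocol, which is the list to re-check after any SSLCipherSuite change. This is an added example, not part of the thread or of cPanel's tooling; the names parse_report and weak_cipher_names are chosen here, and the 56-bit default mirrors the report's "< 56-bit key" heading.

```python
import re
from collections import defaultdict

# Cipher list from the plugin output in the post above, still flattened onto one line.
REPORT = (
    "SSLv2 EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export "
    "EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export "
    "SSLv3 EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export "
    "EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export "
    "EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export "
    "EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export "
    "TLSv1 EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export "
    "EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export "
    "EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export "
    "EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export"
)

# A token is either a protocol header or one cipher entry in the documented layout:
# {ciphername} Kx={key exchange} Au={authentication} Enc={cipher(bits)} Mac={mac} {export flag}
TOKEN = re.compile(
    r"(?P<proto>SSLv2|SSLv3|TLSv1(?:\.\d)?)(?=\s)"
    r"|(?P<name>[A-Z0-9-]+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\w+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?"
)

def parse_report(text):
    """Return {protocol: [entry dict, ...]} for every cipher entry in the report."""
    by_proto, current = defaultdict(list), None
    for m in TOKEN.finditer(text):
        if m.group("proto"):
            current = m.group("proto")          # entries that follow belong to this protocol
        elif current is not None:
            by_proto[current].append({
                "name": m.group("name"), "kx": m.group("kx"), "enc": m.group("enc"),
                "bits": int(m.group("bits")), "export": bool(m.group("export")),
            })
    return dict(by_proto)

def weak_cipher_names(parsed, min_bits=56):
    """Distinct cipher names that are export-grade or below min_bits, sorted."""
    return sorted({e["name"] for entries in parsed.values() for e in entries
                   if e["export"] or e["bits"] < min_bits})

if __name__ == "__main__":
    parsed = parse_report(REPORT)
    for proto, entries in parsed.items():
        print(proto, [f'{e["name"]} ({e["enc"]} {e["bits"]}-bit)' for e in entries])
    print("must be rejected on re-test:", weak_cipher_names(parsed))
```

Every entry in this report carries the export flag and a 40-bit symmetric key, so the four distinct names it yields are what a re-scan should no longer be able to negotiate on the port that was tested.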
