PCI Compliance - TLS 1.0 Protocol Detection

PromptDev
Registered, Oct 21, 2015, London
cPanel Access Level: Root Administrator
Currently, the server is failing PCI compliance on TCP for TLS 1.0 Protocol Detection on a large number of ports other than port 443. Any pointers on how to disable TLS 1.0 for all ports but 443, or any other recommendation to pass that check for PCI, would be greatly appreciated.
 

24x7server
Well-Known Member, Apr 17, 2013, India
cPanel Access Level: Root Administrator

PromptDev
Registered, Oct 21, 2015, London
cPanel Access Level: Root Administrator
Thanks!
I had followed that guide but I'm still getting the same result, and it doesn't have any cipher specification.
Which ciphers should I be using?
What I'm trying to do is pass the check for TLS 1.0 Protocol Detection; it is currently passing for port 443 but failing on a large number of ports.

I thank you very much in advance for pointing me in the right direction.

What I have is the following:
Code:
- cPanel & WHM (cpsrvd)
TLS/SSL Cipher List
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

TLS/SSL Protocols
SSLv23:!SSLv2:!SSLv3

- Web Disk (cpdavd)
TLS/SSL Cipher List
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

TLS/SSL Protocols
SSLv23:!SSLv2:!SSLv3

- Courier
IMAP TLS/SSL Protocol
Permit SSL v2 or v3 connections and TLSv1.x connections
IMAP TLS/SSL Cipher List
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

POP3 TLS/SSL Protocol
Permit SSL v2 or v3 connections and TLSv1.x connections
POP3 TLS/SSL Cipher List
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

- Apache
SSL Cipher Suite
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

SSL/TLS Protocols
All -SSLv2 -SSLv3

- Exim
tls_require_ciphers
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

openssl_options
+no_sslv2 +no_sslv3 +no_tlsv1
 
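A way to check each port the same way the scanner does, as an added example that is not part of this thread and not cPanel's code: the script below sends a hand-built TLS 1.0 ClientHello to a port and reports whether the server answers with a TLS 1.0 ServerHello (the check would fail) or with an alert or a closed connection (it would pass). Building the record by hand means the result does not depend on the local OpenSSL still being willing to speak TLS 1.0. The hostname, the default port list and the cipher-suite selection are assumptions for illustration.

```python
"""Probe whether a TCP port still accepts a TLS 1.0 handshake.

Added example (not from the original thread). Sends a hand-built TLS 1.0
ClientHello and classifies the first record the server sends back, which is
what a scanner's "TLS 1.0 Protocol Detection" check boils down to.
"""
import os
import socket
import struct
import sys

TLS10 = 0x0301

# Constructed list of common TLS 1.0-era suites (IANA values). A server that
# still allows TLS 1.0 will normally pick one of these.
CIPHER_SUITES = [
    0xC014, 0xC013, 0xC00A, 0xC009,  # ECDHE-RSA / ECDHE-ECDSA AES-CBC-SHA
    0x0039, 0x0033,                  # DHE-RSA AES-CBC-SHA
    0x0035, 0x002F, 0x000A,          # RSA AES-CBC-SHA, RSA 3DES-CBC-SHA
]

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version",
               86: "inappropriate_fallback"}


def build_client_hello(server_name=None, random_bytes=None):
    """Return one TLS record (type 0x16) carrying a TLS 1.0 ClientHello."""
    random_bytes = os.urandom(32) if random_bytes is None else random_bytes
    if len(random_bytes) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = struct.pack("!H", TLS10) + random_bytes      # client_version, random
    body += b"\x00"                                      # empty session_id
    body += struct.pack("!H", len(suites)) + suites      # cipher_suites
    body += b"\x01\x00"                                  # compression: null only
    if server_name:                                      # optional SNI extension
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # 3-byte length
    return b"\x16" + struct.pack("!HH", TLS10, len(handshake)) + handshake


def classify_response(data):
    """Map the server's first TLS record to (tls10_accepted, explanation)."""
    if len(data) < 5:
        return False, "rejected (connection closed without a TLS record)"
    content_type, _version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if content_type == 0x15 and len(payload) >= 2:       # Alert record
        return False, "rejected (alert %s)" % ALERT_NAMES.get(payload[1], str(payload[1]))
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # ServerHello
        chosen = struct.unpack("!H", payload[4:6])[0]
        if chosen == TLS10:
            return True, "ACCEPTED: server negotiated TLS 1.0"
        return False, "server answered with protocol version 0x%04x" % chosen
    return False, "unrecognised response (content type %d)" % content_type


def probe(host, port, timeout=5.0, server_name=None):
    """Connect to host:port, send the ClientHello and classify the reply."""
    hello = build_client_hello(server_name)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    # usage: python tls10_probe.py HOST [PORT ...]
    # Default ports (assumed for illustration): HTTPS, cPanel SSL, WHM SSL, webmail SSL.
    host = sys.argv[1]
    ports = [int(p) for p in sys.argv[2:]] or [443, 2083, 2087, 2096]
    for port in ports:
        try:
            accepted, detail = probe(host, port)
        except OSError as exc:
            accepted, detail = False, "no connection (%s)" % exc
        print("%s:%-5d %s  %s" % (host, port, "FAIL" if accepted else "ok  ", detail))
```

Run it against each service port after changing a setting and restarting the service; a line marked FAIL is a port the scanner will still flag. The probe speaks TLS from the first byte, so it is only meaningful on ports that do implicit TLS; STARTTLS ports such as SMTP on 25 send a text banner first and need the STARTTLS exchange (for example `openssl s_client -starttls smtp -tls1`) before the same test applies.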

cPanelMichael
Administrator, Staff member, Apr 11, 2011
Hello :)

Could you provide an example of the ports it's failing on?

Thank you.
 

PromptDev
Registered, Oct 21, 2015, London
cPanel Access Level: Root Administrator
The ports where TLS 1.0 Protocol Detection is failing are the following; as a concrete example I don't have any. It's just that the Security Metrics PCI check is failing due to this.

I thank you in advance for the help.
Code:
9010, 9008, 9005, 9002, 9001, 9000, 8891, 8890, 8889, 8888,
8802, 8791, 8790, 8789, 8788, 8732, 8731, 8595, 8586, 8585,
8463, 8448, 8447, 8446, 8445, 8444, 8443, 8442, 8441, 8440,
8243, 8200, 8140, 8113, 8100, 8091, 8090, 8088, 8087, 8086,
8085, 8084, 8083, 8082, 8081, 8080, 8031, 8003, 8002, 8001,
8000, 7799, 7777, 7070, 7004, 7002, 7001, 7000, 6590, 6581,
6580, 6561, 6560, 6512, 6511, 6510, 6100, 6002, 6000, 5701,
5671, 5443, 5223, 5222, 5060, 5006, 5001, 5000, 4500, 4482,
4443, 4431, 4430, 4343, 4243, 4001, 4000, 3443, 3333, 3030,
3002, 2598, 2222, 2200, 2100, 2083, 2082, 2020, 2000, 1935,
1494, 1207, 1111, 1000, 998, 843, 772, 636, 556, 491,
449, 446, 444, 442, 441, 440, 389, 91, 85, 83,
82, 81, 25, 63443, 62443, 60443, 59443, 58443, 50000, 49443,
49210, 49200, 47000, 46443, 46000, 40099, 28818, 25010, 25009, 25008,
25007, 25006, 25005, 25004, 25003, 25002, 25001, 25000, 22705, 22703,
20325, 20000, 18443, 16000, 10020, 10000, 9800, 9779, 9600, 9311,
9310, 9309, 9308, 9307, 9306, 9305, 9303, 9302, 9301, 9300,
9251, 9221, 9220, 9219, 9218, 9217, 9216, 9215, 9214, 9213,
9212, 9211, 9210, 9209, 9208, 9207, 9206, 9205, 9204, 9203,
9202, 9201, 9200, 9111, 9110, 9109, 9108, 9090, 9043, 9040,
9020, 9014
 

PromptDev
Registered, Oct 21, 2015, London
cPanel Access Level: Root Administrator
Just found out that that list of ports is actually being reported as open because of the use of a CDN. I'm now in touch with both the CDN provider and Security Metrics to sort this out. I'll post the outcome as soon as I have more news.

Still, I'd like to ask for your help on how to disable TLS v1.0.

So far I changed the SSL Cipher Suite in the Apache Global Config to:

ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH

And also tried to use this as SSL/TLS Protocols in the Apache Global Config:

SSLv23:!SSLv2:!SSLv3:!TLSv1

but it didn't work, it returned:

Configuration problem detected on line 220 of file /usr/local/apache/conf/httpd.conf.work.6sDKYtkRenR_AbrX: SSLProtocol: Illegal protocol 'SSLv23:!SSLv2:!SSLv3:!TLSv1'


Many thanks in advance.
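The "Illegal protocol" error above is a syntax mismatch rather than a problem with the protocol list. The cpsrvd and cpdavd fields in Tweak Settings take an OpenSSL-style colon-separated value, but the Apache Global Configuration field is written to httpd.conf as mod_ssl's SSLProtocol directive, which takes space-separated tokens with + and - (the form the earlier post already shows as `All -SSLv2 -SSLv3`). Added example, not from the thread or from cPanel's own documentation: the corrected Apache directive in mod_ssl syntax.

```apache
# Apache (mod_ssl) syntax for the "SSL/TLS Protocols" value in WHM's Apache
# Global Configuration, as it lands in httpd.conf. Tokens are space-separated
# and negated with "-", not with OpenSSL's ":!" list separators.
SSLProtocol All -SSLv2 -SSLv3 -TLSv1

# Keep the strong cipher list that Apache already had in the earlier post.
# The replacement string "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH"
# leaves RC4 enabled, which the original list excluded with !RC4, and RC4 is
# itself a PCI scan finding.
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
```

For cpsrvd and cpdavd, which do use the colon syntax, the matching change would extend the page's `SSLv23:!SSLv2:!SSLv3` to `SSLv23:!SSLv2:!SSLv3:!TLSv1`; this assumes the field accepts the same negation for TLSv1 as for SSLv3, so confirm it after restarting cpsrvd with `openssl s_client -connect host:2083 -tls1`, which should fail to negotiate. Exim is already at `+no_tlsv1`. Courier as configured earlier in the thread still permits "SSL v2 or v3 connections and TLSv1.x connections" for both IMAP and POP3, so those services would keep negotiating TLS 1.0 until that option is changed as well.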