The Community Forums

PCI Compliance - TLS 1.0 Protocol Detection

Discussion in 'Security' started by PromptDev, Oct 26, 2015.

  1. PromptDev

    PromptDev Registered

    Joined:
    Oct 21, 2015
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    London
    cPanel Access Level:
    Root Administrator
    Currently, the server is failing PCI Compliance on TCP for TLS 1.0 Protocol Detection on a large number of ports other than port 443. Any pointers on how to disable TLS 1.0 for all ports but 443, or any other recommendation to pass that check for PCI, would be greatly appreciated.
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
  3. PromptDev

    PromptDev Registered

    Joined:
    Oct 21, 2015
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    London
    cPanel Access Level:
    Root Administrator
    Thanks!
    I had followed that guide, but I'm still getting the same result, and it doesn't have any cipher specification.
    Which ciphers should I be using?
    What I'm trying to do is pass the check for TLS 1.0 Protocol Detection; it is currently passing for port 443 but failing on a large number of ports.

    I thank you very much in advance for pointing me in the right direction.

    What I have is the following:
    Code:
    - cPanel & WHM (cpsrvd)
    TLS/SSL Cipher List
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    
    TLS/SSL Protocols
    SSLv23:!SSLv2:!SSLv3
    
    - Web Disk (cpdavd)
    TLS/SSL Cipher List
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    
    TLS/SSL Protocols
    SSLv23:!SSLv2:!SSLv3
    
    - Courier
    IMAP TLS/SSL Protocol
    Permit SSL v2 or v3 connections and TLSv1.x connections
    IMAP TLS/SSL Cipher List
    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    
    POP3 TLS/SSL Protocol
    Permit SSL v2 or v3 connections and TLSv1.x connections
    POP3 TLS/SSL Cipher List
    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    
    - Apache
    SSL Cipher Suite
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    
    SSL/TLS Protocols
    All -SSLv2 -SSLv3
    
    - Exim
    tls_require_ciphers
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    
    openssl_options
    +no_sslv2 +no_sslv3 +no_tlsv1
    
    
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,685
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  5. PromptDev

    PromptDev Registered

    Joined:
    Oct 21, 2015
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    London
    cPanel Access Level:
    Root Administrator
    The ports where TLS 1.0 Protocol Detection is failing are the following; as a concrete example I don't have any. It's just that the Security Metrics PCI check is failing due to this.

    I thank you in advance for the help.
    Code:
    9010
    9008
    9005
    9002
    9001
    9000
    8891
    8890
    8889
    8888
    8802
    8791
    8790
    8789
    8788
    8732
    8731
    8595
    8586
    8585
    8463
    8448
    8447
    8446
    8445
    8444
    8443
    8442
    8441
    8440
    8243
    8200
    8140
    8113
    8100
    8091
    8090
    8088
    8087
    8086
    8085
    8084
    8083
    8082
    8081
    8080
    8031
    8003
    8002
    8001
    8000
    7799
    7777
    7070
    7004
    7002
    7001
    7000
    6590
    6581
    6580
    6561
    6560
    6512
    6511
    6510
    6100
    6002
    6000
    5701
    5671
    5443
    5223
    5222
    5060
    5006
    5001
    5000
    4500
    4482
    4443
    4431
    4430
    4343
    4243
    4001
    4000
    3443
    3333
    3030
    3002
    2598
    2222
    2200
    2100
    2083
    2082
    2020
    2000
    1935
    1494
    1207
    1111
    1000
    998
    843
    772
    636
    556
    491
    449
    446
    444
    442
    441
    440
    389
    91
    85
    83
    82
    81
    25
    63443
    62443
    60443
    59443
    58443
    50000
    49443
    49210
    49200
    47000
    46443
    46000
    40099
    28818
    25010
    25009
    25008
    25007
    25006
    25005
    25004
    25003
    25002
    25001
    25000
    22705
    22703
    20325
    20000
    18443
    16000
    10020
    10000
    9800
    9779
    9600
    9311
    9310
    9309
    9308
    9307
    9306
    9305
    9303
    9302
    9301
    9300
    9251
    9221
    9220
    9219
    9218
    9217
    9216
    9215
    9214
    9213
    9212
    9211
    9210
    9209
    9208
    9207
    9206
    9205
    9204
    9203
    9202
    9201
    9200
    9111
    9110
    9109
    9108
    9090
    9043
    9040
    9020
    9014
    
    
     
    #5 PromptDev, Nov 2, 2015
    Last edited by a moderator: Nov 2, 2015
  6. PromptDev

    PromptDev Registered

    Joined:
    Oct 21, 2015
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    London
    cPanel Access Level:
    Root Administrator
    Just found out that that list of ports is actually being reported as open because of the use of a CDN. I'm now in touch with both the CDN provider and Security Metrics to sort this out. I'll post the outcome as soon as I have some more news.

    Still I'd like to ask for your help on how to disable TLS v1.0

    So far I changed the SSL Cipher Suite in the Apache Global Config to:

    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH

    And also tried to use this as SSL/TLS Protocols in the Apache Global Config:

    SSLv23:!SSLv2:!SSLv3:!TLSv1

    but it didn't work; it returned:

    Configuration problem detected on line 220 of file /usr/local/apache/conf/httpd.conf.work.6sDKYtkRenR_AbrX: SSLProtocol: Illegal protocol 'SSLv23:!SSLv2:!SSLv3:!TLSv1'


    Many thanks in advance.
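The thread shows two different protocol-string dialects: the colon-separated form that cpsrvd and cpdavd accept (`SSLv23:!SSLv2:!SSLv3`) and the space-separated `All -SSLv2 -SSLv3` form that Apache's `SSLProtocol` directive expects, which is why pasting the colon form into the Apache Global Configuration produced the "Illegal protocol" error above. The script below is an added example, not code from the forum thread or from cPanel: it parses both dialects into the set of enabled versions, reports which of them a TLS 1.0 detection scan would flag, renders the Apache form, and probes a listener with a TLS 1.0-only client handshake so you can confirm from the outside which ports still negotiate it. Assumptions are labelled in the code: `SSLv23` and `All` are treated as "every version" so an explicit exclusion is always honoured, the probe covers implicit-TLS ports only (port 25 needs an SMTP STARTTLS exchange first), and the host and ports in the `__main__` section are constructed sample values.

```python
"""Parse the two protocol-string dialects from the thread and probe a port
with a TLS 1.0-only handshake.  Added example; not cPanel's or the forum's code."""
import socket
import ssl

# Assumption: treat "SSLv23" (colon dialect) and "All" (Apache dialect) as every
# version, so an explicit exclusion is honoured whatever the local OpenSSL offers.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
# Versions a PCI scan for "TLS 1.0 Protocol Detection" (and SSL) will flag.
PCI_FORBIDDEN = {"SSLv2", "SSLv3", "TLSv1"}


def parse_colon_protocols(spec):
    """Parse the cpsrvd/cpdavd style, e.g. 'SSLv23:!SSLv2:!SSLv3:!TLSv1'."""
    enabled = set()
    for token in spec.split(":"):
        token = token.strip()
        if not token:
            continue
        if token.startswith("!"):
            enabled.discard(token[1:])
        elif token == "SSLv23":
            enabled.update(ALL_PROTOCOLS)
        else:
            enabled.add(token)
    return enabled


def parse_apache_protocols(spec):
    """Parse Apache's SSLProtocol style, e.g. 'All -SSLv2 -SSLv3 -TLSv1'."""
    enabled = set()
    for token in spec.split():
        if token.lower() == "all":
            enabled.update(ALL_PROTOCOLS)
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def to_apache_protocols(enabled):
    """Render an enabled set the way SSLProtocol accepts it: 'All' plus exclusions."""
    return " ".join(["All"] + ["-" + p for p in ALL_PROTOCOLS if p not in enabled])


def offers_legacy_protocol(enabled):
    """Return the enabled versions that the PCI scan would report, sorted."""
    return sorted(enabled & PCI_FORBIDDEN)


def accepts_tls10(host, port, timeout=5.0):
    """Probe one implicit-TLS listener with a TLS 1.0-only client handshake.

    True  -> the server completed a TLS 1.0 handshake (scan will flag it)
    False -> the server refused TLS 1.0
    None  -> no TCP connection at all (closed/filtered port, or a CDN answering)
    Ports that expect STARTTLS (e.g. 25) need an SMTP exchange first; not covered.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not the certificate
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1
    except ValueError as exc:  # OpenSSL built without TLS 1.0 cannot run this probe
        raise RuntimeError("local OpenSSL cannot offer TLS 1.0") from exc
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # newer OpenSSL blocks TLS 1.0 at default level
    except ssl.SSLError:
        ctx.set_ciphers("ALL")              # older builds do not understand @SECLEVEL
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == "TLSv1"
        except ssl.SSLError:
            return False
        except OSError:
            return None


if __name__ == "__main__":
    # Constructed sample values; the colon string is the one shown in the thread.
    print(offers_legacy_protocol(parse_colon_protocols("SSLv23:!SSLv2:!SSLv3")))
    print(to_apache_protocols(parse_colon_protocols("SSLv23:!SSLv2:!SSLv3:!TLSv1")))
    for port in (443, 2083, 2096):  # hypothetical local ports to probe
        print(port, accepts_tls10("127.0.0.1", port))
```

Run the probe against the ports the scanner listed before and after changing the WHM settings; a port that returns `None` from your own host but "open" from the scanner is the CDN-fronted case described in the thread, and the CDN's edge, not the server, is what needs reconfiguring.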
     