The Community Forums


PCI Compliance

Discussion in 'General Discussion' started by FourMat, Jan 21, 2009.

  1. FourMat

    I am trying to set up my server to pass the PCI compliance test administered by SecurityMetrics. They have identified several issues that I can easily correct like FP extensions (turned them off) and disable UserDir.

    The big issue that I have is of Weak Ciphers. I have done a lot of research and have run across a lot of various people that have had issues with this. I think I know what to change and where to change it, but there are so many conflicting opinions and advice that I'm not sure what to change and where. Here are my specs:

    cPanel 11.24.4-R33385 - WHM 11.24.2 - X 3.9
    CENTOS 5.2 x86_64 on standard
    OpenSSL 0.9.8b

    Here is the output from the PCI scan:

    Code:
    Synopsis : The remote service supports the use of weak SSL ciphers.
    Description : The remote host supports the use of SSL ciphers that offer
    either weak encryption or no encryption at all. See also :
    http://www.openssl.org/docs/apps/ciphers.html Solution: Reconfigure
    the affected application if possible to avoid use of weak ciphers. Risk
    Factor: Medium  / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    Plugin output : Here is the list of weak SSL ciphers supported by the remote
    server : Low Strength Ciphers (< 56-bit key) SSLv2 EXP-RC2-CBC-MD5
    Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5 Kx=RSA(512) Au=RSA
    Enc=RC4(40) Mac=MD5 export SSLv3 EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA
    Enc=DES(40) Mac=SHA1 export EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40)
    Mac=SHA1 export EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5
    export EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export TLSv1
    EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
    EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
    EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export EXP-RC4-MD5
    Kx=RSA(512) Au=RSA Enc=RC4(40)

    Currently in my Apache Global Configuration I have this as the SSLCipherSuite:
    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    I found a recommendation at this link that recommends this:

    Code:
    Add these lines to your httpd.conf (you may to add them to each secure vhost as well):
    
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

    Because it is identified as SSLCipherSuite in WHM, I'm not sure how to handle the SSLProtocol item.

    My question is, would this be the proper syntax to add the above recommendation to the Apache Global Configuration window inside of whm:

    Code:
    ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:-ALL +SSLv3 +TLSv1


    If this isn't correct can someone recommend the proper syntax for this? Thanks!
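An added example (not code from the thread or from cPanel) that answers the syntax question empirically: Python's ssl module hands each candidate string to OpenSSL's cipher-string parser, the same one mod_ssl uses, and reports what it selects. The CANDIDATES dictionary is constructed from the strings quoted in this thread, and the weak-suite filter is my own assumption modelled on the scan's 56-bit threshold.

```python
"""Expand SSLCipherSuite strings with OpenSSL's own parser and flag weak suites.
Added example, not code from the thread or from cPanel. Python's ssl module passes
the string to the same cipher-string parser mod_ssl uses. The OpenSSL this runs
against no longer ships the 40-bit export suites the 2009 scan listed, so the
weak list describes the library in use, not the poster's OpenSSL 0.9.8b."""
import ssl

MIN_BITS = 56  # the scan's own threshold: "Low Strength Ciphers (< 56-bit key)"

# Strings quoted in the thread (constructed dict; the keys are just labels).
CANDIDATES = {
    "global_before": "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP",
    "recommended": "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM",
    "passed_scan": "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:+SSLv3:+TLSv1:RC4+RSA:+HIGH:+MEDIUM",
    # SSLProtocol arguments pasted onto the cipher string: "-ALL" deletes every
    # suite and "+" only reorders suites already present, so nothing is left.
    "protocol_pasted": "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:-ALL +SSLv3 +TLSv1",
}


def expand(cipher_string):
    """Suites OpenSSL selects for the string, or None when it selects none.
    mod_ssl refuses such a string; this is my assumed explanation for the
    'invalid cipher string' messages reported later in the thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return ctx.get_ciphers()


def weak_suites(cipher_string):
    """Selected suites the scan would flag: short keys, no encryption, or no
    authentication. Note that !ADH excludes anonymous DH only; !aNULL also
    drops anonymous ECDH, which is why the recommended strings include it."""
    return [c["name"] for c in expand(cipher_string) or []
            if c["strength_bits"] < MIN_BITS
            or "NULL" in c["name"] or c["name"].startswith(("ADH", "AECDH", "EXP"))]


if __name__ == "__main__":
    for label, value in CANDIDATES.items():
        suites = expand(value)
        if suites is None:
            print(f"{label}: invalid cipher string (selects no suites)")
        else:
            print(f"{label}: {len(suites)} suites, weak: {weak_suites(value) or 'none'}")
```

Run it on the server in question (or any host with the same OpenSSL) rather than a workstation, since the selected list depends on the library doing the parsing.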
     
  2. prodigious

    Hi there,

    I have the same issue and while there are other threads on this forum that talk about it, I haven't been able to come up with a solution.

    This is what I have, from a suggestion by the people at Security Metrics (the 3rd party firm that is telling me to change the cipher settings):

    HIGH:MEDIUM:!ADH

    And apparently, it still isn't good enough.

    If anyone has been down this road before and knows what needs to be in Apache 2.2.x for this to pass these @$)@(!$ PCI tests (can you tell I'm a bit frustrated? ha), please share!!

    -Mike
     
  3. FourMat

    OK, I have just switched out my settings and passed the PCI compliance test through Security Metrics:

    In the Apache Global Settings for SSLCipherSuite:
    ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:+SSLv3:+TLSv1:RC4+RSA:+HIGH:+MEDIUM

    Enter this with no other changes, and you should be OK, or at least I was.
     
  4. bornonline

    Well.. I need to try that then..:)

    This is what I have in httpd.conf. This took me a while to get working too.
    The SSLProtocol setting was never in my httpd.conf, but the SSLCipher setting was. I have had mixed results, it seems, too. At first just adding this was not enough. I also had to add it to every virtual host that is using SSL. I have removed it from all the virtual host entries and it is only in the httpd.conf at the top.

    I then run /usr/local/cpanel/bin/apache_conf_distiller --update
    which works, but if I then run /usr/local/cpanel/bin/build_apache_conf all the settings that worked are gone. I cannot figure out why it will not keep the settings. So, now I just do a distiller update and not a conf rebuild.

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP


    Use this to test..

    http://www.foundstone.com/us/resources/proddesc/ssldigger.htm
     
  5. rligg

    I get invalid cipher string when using this.
     
  6. SB-Nick

  7. rligg

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP


    These go in the ssl.conf

    I currently have:

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

    Also what about all of the VirtualHost containers that allow SSL V2? And will cpanel hold this edit to the ssl.conf?
     
    #7 rligg, Feb 18, 2009
    Last edited: Feb 18, 2009
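As an added example (not code from cPanel or from anyone in this thread), the following Python script checks the two points raised above: whether any SSL virtual host still enables SSLv2, and whether a virtual host carries its own SSLCipherSuite that overrides the global one. It assumes mod_ssl's documented SSLProtocol syntax, assumes a directive set inside a <VirtualHost> overrides the global value, and runs over a constructed httpd.conf fragment.

```python
"""Lint an httpd.conf for vhosts that still allow SSLv2 or override the global
SSLCipherSuite. Added example, not cPanel's or the thread's code. SSLProtocol is
evaluated as the mod_ssl 2.2 docs describe it: a bare word replaces the set, +/-
add or remove, "all" is every protocol, and a directive absent at both levels
means "all" (SSLv2, SSLv3, TLSv1 on Apache 2.2 / OpenSSL 0.9.8)."""
import re

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}
SAMPLE_CONF = """\
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
<VirtualHost 192.0.2.10:443>
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    SSLEngine on
    SSLProtocol +SSLv2 +SSLv3
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
</VirtualHost>
"""  # constructed fragment: one vhost inherits the global settings, one overrides them
DIRECTIVE = re.compile(r"^[ \t]*(SSLEngine|SSLProtocol|SSLCipherSuite)[ \t]+(.+?)[ \t]*$", re.M | re.I)
VHOST = re.compile(r"<VirtualHost[ \t]+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def evaluate_protocol(value):
    """Return the set of protocol versions an SSLProtocol value enables."""
    if value is None:
        return set(ALL_PROTOCOLS)
    enabled = set()
    for word in value.split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {p for p in ALL_PROTOCOLS if p.lower() == name.lower()}
        if not names:
            raise ValueError(f"unknown protocol {name!r}")  # mod_ssl would refuse to start
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = names  # bare word: replaces whatever came before
    return enabled

def lint(conf):
    """(vhost, problem) pairs for each SSL vhost; unset directives inherit the global ones."""
    global_dirs = {k.lower(): v for k, v in DIRECTIVE.findall(VHOST.sub("", conf))}
    findings = []
    for name, body in VHOST.findall(conf):
        local = {k.lower(): v for k, v in DIRECTIVE.findall(body)}
        if local.get("sslengine", global_dirs.get("sslengine", "off")).lower() != "on":
            continue
        if "SSLv2" in evaluate_protocol(local.get("sslprotocol", global_dirs.get("sslprotocol"))):
            findings.append((name, "SSLv2 enabled"))
        if local.get("sslciphersuite") not in (None, global_dirs.get("sslciphersuite")):
            findings.append((name, "SSLCipherSuite overrides the global value: " + local["sslciphersuite"]))
    return findings
```

On a cPanel box, point it at the generated httpd.conf after the distiller/rebuild step to see whether the per-vhost overrides came back.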
  8. rligg

    I am still failing on port 443. Weak Ciphers.
     
  9. sneader

    I broke down and opened a ticket with cPanel on this problem, and after several techs got involved, with no results, it was assigned to Jamyn. That guy rocks. He got me compliant quickly. I suggested that Jamyn document his steps for the cPanel community and he said "I'm working on a more permanent solution & documentation."

    If you get stuck on this, I might suggest you open a ticket, and request Jamyn to work with you on it (I'm telling you, after nobody could get this working for me, he had it nailed in a heartbeat)

    I just went back and looked at my ticket, and here is the stuff he did with regards to weak ciphers. I hope this helps....

    - Scott
     
  10. rligg

    The Global Apache Config keeps telling me that

    ALL:!aNULL:!eNULL:!NULL:!ADH:!EXP:!kEDH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2

    Invalid cipher string so it uses the default of:

    ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
     
  11. sneader

    I logged into my WHM (11.24) > Apache Configuration > Global Configuration, and here is a direct cut and paste:

    ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1

    I am not sure why this does not match Jamyn's documentation. But you might try this one.

    - Scott
     