SOLVED PCI Fails - Sweet32 on Ports 2083/2087


Well-Known Member
Jan 1, 2004
Today, my PCI scan failed because of the same issue, Sweet32. However, this time it is on ports 2087 and 2083. I've changed nothing for 3 months and all was good. What did cPanel change that would have caused this?

Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32

Port: tcp/2083
Port: tcp/2087

This is a cipher vulnerability, not limited to any specific SSL/TLS software implementation. DES and Triple DES (3DES) block ciphers, with a block size of 64 bits, have a birthday bound of approximately 4 billion blocks (or 2 to the power of 32, hence the name of this vulnerability). A man-in-the-middle (MitM) attacker, who is able to capture a large amount of encrypted network traffic, can recover sensitive plain text data.

NOTE: Cipher block size must not be confused with key length. DES / 3DES ciphers are vulnerable because they always operate on 64 bit blocks regardless of the key length. If this vulnerability is detected, and in the list of detected ciphers you see only entries with numbers different than 64 (eg. TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA), the detection is still valid, because '112 bits' is the key length.

CVE: CVE-2016-2183
NVD: CVE-2016-2183

Service: http
Application: cpanel:cpanel
CVE-2016-2183 - Red Hat Customer Portal
Sweet32: Birthday attacks on 64-bit block ciphers in TLS and OpenVPN
The SWEET32 Issue, CVE-2016-2183 - OpenSSL Blog
Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA
Cipher Suite: TLSv1_2 : DES-CBC3-SHA
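The NOTE in the scan report above, as an added example (not part of the original post or of the scanner's own logic): it classifies each reported suite by the block size of its bulk cipher rather than by the "bits" figure, which is the key length. The function names, the prefix table and the last sample line are assumptions constructed for illustration.

```python
import re

# Cipher-name prefixes -> block size in bits (0 = stream cipher). Assumption:
# suites use OpenSSL-style names, as in the scan output quoted above.
PREFIXES = {"3DES": 64, "DES": 64, "IDEA": 64, "RC2": 64,
            "AES": 128, "CAMELLIA": 128, "SEED": 128, "ARIA": 128,
            "RC4": 0, "CHACHA20": 0}

def block_bits(suite):
    """Block size of the suite's bulk cipher, or None if unrecognised."""
    for token in re.split(r"[-_]", suite.upper()):
        for prefix, bits in PREFIXES.items():
            if token.startswith(prefix):
                return bits
    return None

def birthday_bound_bytes(bits):
    """Data volume at the birthday bound: 2^(n/2) blocks of n/8 bytes each."""
    return 2 ** (bits // 2) * (bits // 8)

def audit(lines):
    """Return (suite, key_bits, block_bits, sweet32) for each scanner line."""
    rows = []
    for line in lines:
        if not line.strip():
            continue
        suite = line.split()[-1]                 # suite name is the last field
        key = re.search(r"(\d+)\s+bits", line)   # key length, if the line has one
        bb = block_bits(suite)
        rows.append((suite, int(key.group(1)) if key else None, bb, bb == 64))
    return rows

SCAN_LINES = [
    "Cipher Suite: TLSv1_2 : ECDHE-RSA-DES-CBC3-SHA",   # from the report
    "Cipher Suite: TLSv1_2 : EDH-RSA-DES-CBC3-SHA",     # from the report
    "Cipher Suite: TLSv1_2 : DES-CBC3-SHA",             # from the report
    "TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA",            # the NOTE's example
    "TLSv1_2 256 bits ECDHE-RSA-AES256-GCM-SHA384",     # constructed sample
]

if __name__ == "__main__":
    for suite, key, bb, bad in audit(SCAN_LINES):
        status = "SWEET32" if bad else "ok"
        print(f"{suite:32} key={key} block={bb} {status}")
    print("64-bit bound:", birthday_bound_bytes(64) // 2**30, "GiB")
```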


cP Technical Analyst II
Staff member
May 15, 2017
cPanel Access Level
Root Administrator
Hi eglwolf,

It looks like you've already found one of the threads that concerns this issue:
SOLVED - PCI Scan Fails On Web Services Ports

Have you tried updating the cipher suite at WHM > Service Configuration > cPanel Web Services Configuration to one provided in the thread?
SOLVED - PCI Scan Fails On Web Services Ports

Could you also confirm your current cPanel version and OS release? My test box shows this CVE patched in the openssl package:
# rpm -q openssl --changelog|grep -A1 2016-2183
- mitigate CVE-2016-2183 - degrade all 64bit block ciphers and RC4 to
  112 bit effective strength
We also have an internal case (CPANEL-11108) concerning disabling these ciphers by default, which was implemented in cPanel 66.



Well-Known Member
Jan 1, 2004
I made this change and it worked. I believe the recent cPanel update reset these settings that we previously had, which caused it to fail.

cPanel Web Services Configuration
TLS/SSL Cipher List