SOLVED PCI Scan Fails On Web Services Ports

SJR

Active Member
Jan 2, 2017
29
4
3
USA
cPanel Access Level
Website Owner
Trustwave does the PCI scans for my server. The 3 ports, 2083, 2087, and 2096 continue to fail for these ciphers:
TLSv1_1 : RC4-SHA
TLSv1_1 : RC4-MD5
TLSv1_2 : RC4-SHA
TLSv1_2 : RC4-MD5
TLSv1_1 : DES-CBC3-SHA
TLSv1_2 : DES-CBC3-SHA

Here are my current settings in WHM > Service Configuration > cPanel Web Services Configuration:

TLS/SSL Cipher List:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5:!DES-CBC3-SHA:!DSS

TLS/SSL Protocols:
SSLv23:!SSLv2:!SSLv3:!TLSv1

You can see at the end of this cipher list where I have excluded the offending ciphers.
I have tried many, many combinations of ciphers, not only in this Web Services Config, but also in Apache Global Config settings. Regardless of what I try I can't get rid of these PCI-failing ciphers.

Here is my openssl version:
root [/]# rpm -qa | grep openssl
openssl-devel-1.0.1e-60.el7.x86_64
openssl-libs-1.0.1e-60.el7.x86_64
openssl-1.0.1e-60.el7.x86_64
root [/]# _

Could there be a cipher config file somewhere that is overriding my settings?
Could this be a false positive?

Not sure what to try next. Any suggestions?

Thx,
SJR
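Added example (not from the original post or from cPanel): a small evaluator of OpenSSL cipher-string syntax, which is what the WHM "TLS/SSL Cipher List" field is. It shows why the string above is already correct on its own terms: a `!` token removes every matching suite permanently, no matter where it appears or whether the suite was named explicitly earlier (so `!3DES` kills the listed `ECDHE-ECDSA-DES-CBC3-SHA`), while `-` only removes until a later token re-adds. The suite table is a constructed, abbreviated stand-in for OpenSSL's real one, and the function names are my own.

```python
import re

# Constructed, abbreviated model of OpenSSL's cipher table. Each suite carries the
# alias names it answers to (key exchange, auth, cipher, MAC, strength, protocol)
# plus the key size used by @STRENGTH. Not OpenSSL's real table; most suites omitted.
def _suite(bits, *tags):
    return {"bits": bits, "tags": frozenset(tags) | {"ALL"}}

SUITES = {
    "ECDHE-ECDSA-CHACHA20-POLY1305": _suite(256, "ECDHE", "aECDSA", "ECDSA", "CHACHA20", "AEAD", "HIGH", "TLSv1.2"),
    "ECDHE-RSA-CHACHA20-POLY1305":   _suite(256, "ECDHE", "aRSA", "RSA", "CHACHA20", "AEAD", "HIGH", "TLSv1.2"),
    "ECDHE-RSA-AES256-GCM-SHA384":   _suite(256, "ECDHE", "aRSA", "RSA", "AES", "AES256", "AESGCM", "AEAD", "SHA384", "HIGH", "TLSv1.2"),
    "ECDHE-RSA-AES128-GCM-SHA256":   _suite(128, "ECDHE", "aRSA", "RSA", "AES", "AES128", "AESGCM", "AEAD", "SHA256", "HIGH", "TLSv1.2"),
    "ECDHE-RSA-AES128-SHA":          _suite(128, "ECDHE", "aRSA", "RSA", "AES", "AES128", "SHA1", "SHA", "HIGH", "SSLv3"),
    "ECDHE-ECDSA-DES-CBC3-SHA":      _suite(112, "ECDHE", "aECDSA", "ECDSA", "3DES", "SHA1", "SHA", "MEDIUM", "SSLv3"),
    "DHE-DSS-AES128-SHA":            _suite(128, "DHE", "EDH", "aDSS", "DSS", "AES", "AES128", "SHA1", "SHA", "HIGH", "SSLv3"),
    "AES128-SHA":                    _suite(128, "kRSA", "aRSA", "RSA", "AES", "AES128", "SHA1", "SHA", "HIGH", "SSLv3"),
    "DES-CBC3-SHA":                  _suite(112, "kRSA", "aRSA", "RSA", "3DES", "SHA1", "SHA", "MEDIUM", "SSLv3"),
    "RC4-SHA":                       _suite(128, "kRSA", "aRSA", "RSA", "RC4", "SHA1", "SHA", "MEDIUM", "SSLv3"),
    "RC4-MD5":                       _suite(128, "kRSA", "aRSA", "RSA", "RC4", "MD5", "MEDIUM", "SSLv3"),
    "DES-CBC-SHA":                   _suite(56,  "kRSA", "aRSA", "RSA", "DES", "SHA1", "SHA", "LOW", "SSLv3"),
}

# The cipher list from the post above, verbatim.
WHM_LIST = ("ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:"
            "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
            "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:"
            "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
            "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
            "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:"
            "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:"
            "!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5:!DES-CBC3-SHA:!DSS")

def effective_ciphers(cipher_string, suites=SUITES):
    """Evaluate an OpenSSL cipher string left to right, per openssl-ciphers(1):
    a plain token appends its matches, '-' removes them (a later token may re-add),
    '!' removes them permanently, a leading '+' moves matches to the end,
    'A+B' intersects two aliases, and '@STRENGTH' sorts by key size.
    Unknown names are ignored, as OpenSSL does; an empty result is an error."""
    selected, killed = [], set()
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token:
            continue
        if token == "@STRENGTH":
            selected.sort(key=lambda n: -suites[n]["bits"])  # stable: ties keep their order
            continue
        op, name = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        parts = name.split("+")
        matches = [n for n, s in suites.items()
                   if all(p == n or p in s["tags"] for p in parts)]
        if op == "!":
            killed.update(matches)
            selected = [n for n in selected if n not in killed]
        elif op == "-":
            selected = [n for n in selected if n not in matches]
        elif op == "+":
            moved = [n for n in selected if n in matches]
            selected = [n for n in selected if n not in matches] + moved
        else:
            selected += [n for n in matches if n not in killed and n not in selected]
    if not selected:
        raise ValueError("no cipher match")
    return selected

# Properties a PCI ASV flags: RC4, MD5, single/triple DES (64-bit blocks), <128-bit keys, no auth/encryption.
PCI_WEAK_TAGS = {"RC4", "MD5", "DES", "3DES", "LOW", "aNULL", "eNULL"}

def weak_suites_left(cipher_string, suites=SUITES):
    """Suites that survive the cipher string and would still fail the scan."""
    return [n for n in effective_ciphers(cipher_string, suites)
            if suites[n]["tags"] & PCI_WEAK_TAGS or suites[n]["bits"] < 128]

if __name__ == "__main__":
    for label in (WHM_LIST, "ALL:-RC4:RC4", "ALL:!RC4:RC4", "ALL:@STRENGTH"):
        print(f"{label[:40]:<40} -> {effective_ciphers(label)}  weak={weak_suites_left(label)}")
```

Run against the WHM string above, `weak_suites_left` comes back empty, which is the point: a scanner still seeing RC4 on a port means that port's listener is not built from this string at all, not that the string is wrong.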
 

SJR

Active Member
Jan 2, 2017
29
4
3
USA
cPanel Access Level
Website Owner
As an additional note, I have ports 2082, 2083, 2086, 2087, 2095, and 2096 open in CSF.
I understand these ports are used for:
2082 cPanel
2083 cPanel SSL
2086 WHM
2087 WHM SSL
2095 Webmail
2096 Webmail SSL

So far I am not able to verify whether or not the non-secure ports (2082, 2086, 2095) can be closed in the firewall without causing any issues with cPanel. My thought is that maybe the PCI scanner is seeing something in the SSL ports that somehow has something to do with the non-secure ports. I will test and explore this further.
 

SJR

Active Member
Jan 2, 2017
29
4
3
USA
cPanel Access Level
Website Owner
After doing a little research, it appears that it is ok to close the non-secure ports in CSF, so I have closed ports 2082, 2086, and 2095. I also removed a couple other non-essential ports out of the firewall, making sure all open ports are minimal and required.
I followed these guidelines:
How to Configure Your Firewall for cPanel Services - cPanel Knowledge Base - cPanel Documentation

I ran another PCI scan and it failed for exactly the same ciphers as prior.
I'm also running the latest version of Centos 7.3 60.0.28.

Not sure what to try next. :(
 

SJR

Active Member
Jan 2, 2017
29
4
3
USA
cPanel Access Level
Website Owner
Next update...

I changed my settings in WHM > Service Configuration > cPanel Web Services Configuration, to:

TLS/SSL Cipher List:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5

(This is the same list as suggested in: Security/Server Side TLS - MozillaWiki
for the 'Modern Compatibility', with the specific exclusions at the end.)

TLS/SSL Protocols:
SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1

(I chose to exclude TLSv1_1 since I am the only one using the Web Services ports)

The next PCI scan showed these failing ciphers on the same 3 ports (TLSv1_2 is the only protocol not excluded from the protocol list):
TLSv1_2 : RC4-SHA
TLSv1_2 : RC4-MD5
TLSv1_2 : DES-CBC3-SHA

For the PCI failing cipher DES-CBC3-SHA, one of Trustwave's directions for remediation is:
"If disabling 64 bit block ciphers is not possible, please limit the number of requests client can make in a single TLS session and / or the keep-alive timeout value. As stated before, successful attack requires huge amounts of data gathered in a single TLS session (without rekeying)."

WHM > Service Configuration > Apache Configuration > Keep Alive > Off. Turning this setting off complies with Trustwave's directions above. I then disputed the cipher DES-CBC3-SHA showing I had compensating controls in place and it was approved.

So, now I am down to just 2 PCI fails on the 3 ports, 2083, 2087, and 2096:
TLSv1_2 : RC4-SHA
TLSv1_2 : RC4-MD5

Note: In a different area of the scan report it shows "Enumerated TLS/SSL Cipher Suites", and then shows a list of ciphers in which the failing two above are included in the list.

Unless I am mistaken, there must be some library or config file that has a list of ciphers available on these 3 ports, and 'excluding' the ciphers in the 'cPanel Web Services Configuration' list is 'not' removing them from being seen as available ciphers on these ports.

Still hoping someone has a solution...
 

SJR

Active Member
Jan 2, 2017
29
4
3
USA
cPanel Access Level
Website Owner
Note: On this "Enumerated TLS/SSL Cipher Suites" list mentioned above from the scan, there are 13 ciphers listed. None of the 13 ciphers in this list are ciphers that are included in my cPanel Web Services Configuration > TLS/SSL Cipher List.

However, when I log into any of the 3 services on the 3 ports that are failing on the PCI scan (2083 cPanel, 2087 WHM, 2096 Webmail), the cipher that is used in the connection is the 2nd cipher in the list of ciphers that I have entered in the TLS/SSL Cipher List.

So again, unless I am mistaken, the scan is seeing 13 ciphers, two of which are causing the PCI scan to fail. And these 13 ciphers are not in my entered cipher list. And, these 13 ciphers are apparently not being used in the actual connection, but they are somehow showing up as available on the scan.

Where could these be coming from, and how do I turn them off or disable them? Help!
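Added example (mine, not part of the thread or of cPanel): a probe that answers the question above directly. A browser login sends the hostname in SNI; an ASV scanning by IP typically does not, and a daemon with a separate TLS context for one of those paths can offer suites the other never will. Later in the thread cPanel attributes the 13 extra suites to exactly that: cpsrvd's SNI implementation ignored the Web Services cipher list. The code handshakes once per suite with and without `server_hostname` and reports suites accepted on only one path. Host, port and hostname come from the command line; `accepts_cipher`, `compare_sni_paths` and `sni_only` are my names. Caveat: a current OpenSSL will refuse to even offer RC4, which the probe reports as "client can't offer" rather than as a server result; `openssl s_client -cipher ... -servername ...` from an older build behaves the same way.

```python
import socket
import ssl
import sys

# Suites the thread's scans flagged on 2083/2087/2096; add others as needed.
PCI_FLAGGED = ("RC4-SHA", "RC4-MD5", "DES-CBC3-SHA")

def accepts_cipher(host, port, cipher, server_name=None, timeout=5.0):
    """Handshake offering exactly one TLS 1.2 suite. True if the server selected it,
    False if it refused, None if the local OpenSSL cannot offer it at all (modern
    builds have dropped RC4), which says nothing about the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False            # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE       # we test suite acceptance, not trust
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # keep TLS 1.3 suites out of the offer
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname=None sends no SNI, mimicking a scanner that connects by IP
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                return tls.cipher()[0] == cipher
    except (ssl.SSLError, OSError):
        return False

def compare_sni_paths(host, port, server_name, candidates=PCI_FLAGGED, probe=accepts_cipher):
    """Probe each suite twice: without SNI and with the virtual host's name.
    `probe` is injectable so the comparison can be exercised against a simulated server."""
    return {c: (probe(host, port, c, None), probe(host, port, c, server_name))
            for c in candidates}

def sni_only(results):
    """Suites accepted only when SNI is sent: the listener is using a second TLS
    context that does not honour the configured cipher list."""
    return sorted(c for c, (plain, sni) in results.items() if sni is True and plain is False)

def no_sni_only(results):
    """The mirror case: suites offered by the default context but not the SNI one."""
    return sorted(c for c, (plain, sni) in results.items() if plain is True and sni is False)

def report(results):
    words = {True: "accepted", False: "refused", None: "client can't offer"}
    return "\n".join(f"{c:<14} no-SNI: {words[plain]:<20} SNI: {words[sni]}"
                     for c, (plain, sni) in results.items())

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: probe.py HOST PORT SERVER_NAME   (e.g. 2083 and the cert's hostname)")
    host, port, name = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    res = compare_sni_paths(host, port, name)
    print(report(res))
    print("accepted only with SNI:", sni_only(res) or "none")
    print("accepted only without SNI:", no_sni_only(res) or "none")
```

Read the output as a defender: an empty `sni_only` and `no_sni_only` with all suites refused means the configured list is in force on both paths; anything listed under either heading points at a listener whose cipher set is not coming from the WHM field, which is the condition the cPanel case later fixed. A scan report's "Enumerated TLS/SSL Cipher Suites" list should then match what the probe accepts on the no-SNI path.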
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,233
363
cPanel Access Level
DataCenter Provider
Twitter
Hello,

It looks like you've opened a support ticket for additional assistance with this issue. I'll update this thread with the outcome of the support ticket once the ticket closes.

Thanks!
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,233
363
cPanel Access Level
DataCenter Provider
Twitter
Hello,

To update, internal case CPANEL-10758 was opened to address an issue where the initial implementation of SNI in cpsrvd overlooked the cipher list setting in WHM, which server administrators utilize for PCI compliance. I'll update this thread again once the resolution is published.

Thanks!
 

Serra

Well-Known Member
Oct 27, 2005
258
17
168
Florida
Hello,

To update, internal case CPANEL-10758 was opened to address an issue where the initial implementation of SNI in cpsrvd overlooked the cipher list setting in WHM, which server administrators utilize for PCI compliance. I'll update this thread again once the resolution is published.

Thanks!
Thank you.
 

SJR

Active Member
Jan 2, 2017
29
4
3
USA
cPanel Access Level
Website Owner
Update:

I have not yet seen case CPANEL-10758 in any changelog, but in cPanel version 62.0.5 I see this line:
"Fixed case CPANEL-10796: Make cpsrvd’s SNI obey the server’s Web Services cipher list setting."

As of January 30th, cPanel version 62 went to the RELEASE tier.
After I upgraded my server to version 62.0.7, I ran a PCI scan and it passed on all 3 ports. (2083 cPanel, 2087 WHM, 2096 Webmail)
There are times that Trustwave's scan doesn't seem consistent, but I believe the problem is now fixed. I will confirm after a second scan runs.
 

Serra

Well-Known Member
Oct 27, 2005
258
17
168
Florida
Update:

I have not yet seen case CPANEL-10758 in any changelog, but in cPanel version 62.0.5 I see this line:
"Fixed case CPANEL-10796: Make cpsrvd’s SNI obey the server’s Web Services cipher list setting."
Good. I've yet to get it. Should be in a day or so.
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,233
363
cPanel Access Level
DataCenter Provider
Twitter
Update:

I have not yet seen case CPANEL-10758 in any changelog, but in cPanel version 62.0.5 I see this line:
"Fixed case CPANEL-10796: Make cpsrvd’s SNI obey the server’s Web Services cipher list setting."

As of January 30th, cPanel version 62 went to the RELEASE tier.
After I upgraded my server to version 62.0.7, I ran a PCI scan and it passed on all 3 ports. (2083 cPanel, 2087 WHM, 2096 Webmail)
There are times that Trustwave's scan doesn't seem consistent, but I believe the problem is now fixed. I will confirm after a second scan runs.
Hello,

I'm happy to see the issue is now addressed.

CPANEL-10796 is the case number for this resolution in cPanel version 62, whereas CPANEL-10758 is the case number for cPanel version 60 (not yet published). Both cases include the same resolution.

Thank you.
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,911
2,233
363
cPanel Access Level
DataCenter Provider
Twitter
Hello,

The resolution for cPanel version 60 is now published as part of cPanel version 60.0.36:

Fixed case CPANEL-10758: Make cpsrvd’s SNI obey the server’s Web Services cipher list setting.

Thanks!
 

eglwolf

Well-Known Member
Jan 1, 2004
190
0
166
Trustwave still fails on these two issues each month:

1) Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32

2) SSL/TLS Weak Encryption Algorithms

Both on port 21.

I have done these things suggested in this post.

cpanel version 64.0.24

TLS/SSL Cipher is:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!DES:!3DES:!RC4:!MD5:!RC4-SHA:!RC4-MD5

TLS/SSL Protocols are:
SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1
 

eglwolf

Well-Known Member
Jan 1, 2004
190
0
166
SSL/TLS Weak Encryption Algorithms
The SSL-based service running on this host appears to support the use of "weak" ciphers such as:
- Cipher suites that have key lengths of less than 128 bits.
- Cipher suites using anonymous Diffie-Hellman algorithms (no authentication).
- Cipher suites offering no encryption.
- Cipher suites using pre-shared keys.
- Cipher suites using RC4 or MD5.
Please note that this vulnerability CANNOT be disputed using a Risk Mitigation and Migration plan. This is a separate finding and must be treated as such.


Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32
This is a cipher vulnerability, not limited to any specific SSL/TLS software implementation. DES and Triple DES (3DES) block ciphers with a block size of 64 bits have a birthday bound of approximately 4 billion blocks (or 2 to the power of 32, hence the name of this vulnerability). A man-in-the-middle (MitM) attacker, who is able to capture a large amount of encrypted network traffic, can recover sensitive plain text data.

NOTE: Cipher block size must not be confused with key length. DES / 3DES ciphers are vulnerable because they always operate on 64 bit blocks regardless of the key length. If this vulnerability is detected, and in the list of detected ciphers you see only entries with numbers different than 64 (e.g. TLSv1 112 bits ECDHE-RSA-DES-CBC3-SHA), the detection is still valid, because '112 bits' is the key length.
 

Serra

Well-Known Member
Oct 27, 2005
258
17
168
Florida
Just to be clear, you are putting that here: Home » Service Configuration » FTP Server Configuration, under the TLS Cipher Suite, and you are using Pure-FTP?