The Community Forums


PCI: Weak Supported Ssl Ciphers Suites on 465, 993, 995, 2083, 2087, 2096

Discussion in 'General Discussion' started by rpertiet, Oct 15, 2008.

  1. rpertiet

    rpertiet Member

    Joined:
    Apr 21, 2007
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    On ports 465, 993, 995, 2083, 2087, 2096 I have SSLv3 and TLSv1 set up. During PCI scanning I now get the message:

    Weak Supported Ssl Ciphers Suites on these ports.

    How can I manually change these ports to use a strong enough cipher to pass PCI scanning?
     
  2. wiszmaster

    wiszmaster Active Member

    Joined:
    Jun 11, 2008
    Messages:
    27
    Likes Received:
    0
    Trophy Points:
    1
  3. velda

    velda Well-Known Member

    Joined:
    Aug 24, 2005
    Messages:
    54
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Utah
    Is there anything we can do in the meantime? We're wracking our brains here wondering why McAfee/Scanalert reports weak ciphers on port 465 when we've got imap-ssl set with TLS_PROTOCOL=SSL3, but does Scanalert care? No ;-p

    Can anyone point me in the right direction to fix this? Even if we have to keep fixing it manually till cPanel implements this fix?

    (May have found it here: http://forums.cpanel.net/showthread.php?t=61374&highlight=cipher+465 )
     
    #3 velda, Oct 21, 2008
    Last edited: Oct 21, 2008
  4. rpertiet

    rpertiet Member

    Joined:
    Apr 21, 2007
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Thanks to the power of Google I've passed McAfee/Scanalert on all ports.

    For 465:
    Add this to exim.conf

    tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2

    And then restart exim.
     
  5. sirdopes

    sirdopes Well-Known Member
    PartnerNOC

    Joined:
    Sep 25, 2007
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    Use stunnel

    You can disable the weak ciphers in the stunnel configuration. If you do a ps aux | grep stunnel, it will show the command using a config file with a .run extension. You can disable the weak ciphers in the config file. It is in the same folder as the .run file just without the .run at the end. You need to have native ssl support in tweak settings disabled for this to work though. It will fix cpanel, exim, and courier though since they all will use stunnel for ssl instead of native support. I forget the exact syntax for what needs to be added but I will try to remember tomorrow to get it.
     
  6. sirdopes

    sirdopes Well-Known Member
    PartnerNOC

    Joined:
    Sep 25, 2007
    Messages:
    141
    Likes Received:
    0
    Trophy Points:
    16
    The configuration file is usually /usr/local/cpanel/etc/stunnel/default/stunnel.conf

    This file can sometimes be different but will show up in the processes.

    cpanel 14295 0.0 0.0 3804 980 ? Ss 05:04 0:00 /usr/sbin/stunnel /usr/local/cpanel/etc/stunnel/default/stunnel.conf.run


    Then just add the following 2 lines below the setuid and setgid lines.

    options = NO_SSLv2
    ciphers = ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP


    This will disable the weak ciphers in ssl.
     
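    As an added example (not code from this thread), the script below asks the local OpenSSL to expand the two cipher strings posted above (the Exim tls_require_ciphers value in #4 and the stunnel ciphers value in #6) and lists the suites a PCI scanner would object to. The weak-name markers and the 128-bit floor are assumptions about scanner policy, not OpenSSL's own classification.

```python
import ssl

# Cipher strings quoted in the thread, copied here for the audit.
EXIM_SPEC = "ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2"
STUNNEL_SPEC = "ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"

# Assumed scanner policy: name fragments that mark a suite as weak.
# RC4 is 128-bit "MEDIUM" to OpenSSL, so the scanner, not OpenSSL, must judge it.
# "DES-CBC-SHA" matches single DES but not "DES-CBC3-SHA" (3DES).
WEAK_MARKERS = ("NULL", "ADH", "AECDH", "EXP", "RC4", "DES-CBC-SHA", "MD5")


def is_weak(cipher, min_bits=128):
    """True if an OpenSSL cipher dict (name, strength_bits) fails the policy.

    The thread's strings keep +MEDIUM (128-bit), which the 2008 scanner
    accepted; 3DES (112-bit) passes only if min_bits is lowered to 112.
    """
    if cipher.get("strength_bits", 0) < min_bits:
        return True
    return any(marker in cipher["name"] for marker in WEAK_MARKERS)


def expand(spec):
    """Ask the local OpenSSL which suites a cipher string actually enables.

    Unknown tokens such as SSLv2 on modern OpenSSL are silently ignored by the
    cipher-string parser; only an empty result raises ssl.SSLError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()


def audit(spec, min_bits=128):
    """Return (enabled_suite_names, weak_suite_names) for a cipher string."""
    suites = expand(spec)
    enabled = [c["name"] for c in suites]
    weak = [c["name"] for c in suites if is_weak(c, min_bits)]
    return enabled, weak


if __name__ == "__main__":
    # Note the difference: the Exim string's !aNULL drops every anonymous suite,
    # while the stunnel string's -ADH drops anonymous DH only, so any AECDH-*
    # (anonymous ECDH) suites compiled into OpenSSL survive and show up as weak.
    for label, spec in (("exim", EXIM_SPEC), ("stunnel", STUNNEL_SPEC)):
        enabled, weak = audit(spec)
        print(f"{label}: {len(enabled)} suites enabled, weak: {weak or 'none'}")
```

Run it on the server whose OpenSSL Exim and stunnel link against, since the expansion depends on which suites that build contains.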
  7. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    The default for cPanel 11.24 is to disable support for weak ciphers by default. This includes Exim, Courier, etc. not just cPanel.
     