Port 21 PCI Failures after upgrade to 11.32

Discussion in 'General Discussion' started by mtbwacko, Apr 6, 2012.

  1. mtbwacko
    I have spent days trying to figure this out and I really need help. Qualys is now failing our PCI scan with:

    QID: 38142 SSL Server Allows Anonymous Authentication Vulnerability Port 21

    Their solution is to set the PureFTP TLSCipherSuite to -ALL +SSLv3 +TLSv1. This setting causes the FTP daemon to fail. I have tried every setting possible and it does not solve the problem. They are testing this using the following command:

    openssl s_client -connect 66.135.52.75:21 -cipher aNULL -starttls ftp

    Has anyone come across this and have you found a solution? cPanel techs?

    Thanks!
    Greg
     
  2. NixTree
  3. mtbwacko
    Thanks for the reply but the first thing I did was to make sure it wasn't a false positive. As stated in my original post, if you run the command:

    openssl s_client -connect 66.135.52.75:21 -cipher aNULL -starttls ftp

    You will see that the handshake completes, and it shouldn't. Does anyone else have a solution before I contact cPanel support?

    Thanks,
    Greg
     
  4. JeffP.
    Changing this:

    Code:
    TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
    to this:

    Code:
    TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3:-aNULL
    in /etc/pure-ftpd.conf and restarting FTPd works for me.

    Before:

    Code:
    # openssl s_client -connect localhost:21 -cipher aNULL -starttls ftp
    CONNECTED(00000003)
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 764 bytes and written 275 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ADH-AES256-SHA
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : ADH-AES256-SHA
        Session-ID: 204A7C8EF4A301633F56840CDE313807836D7FA4EE5DA97B62135BF8DF7E89DA
        Session-ID-ctx: 
        Master-Key: 1CC2E38E23FF46FE8FB6A4DEA3148A2D5D3198313532708520131788418C03BD584A04ECA33E1983CFFDF3CBAC160853
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1333806114
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    220 You will be disconnected after 15 minutes of inactivity.

    and after:

    Code:
    # openssl s_client -connect localhost:21 -cipher aNULL -starttls ftp
    CONNECTED(00000003)
    14126:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:

    I've verified that FTPd still works as expected when not specifying aNULL as an authentication algorithm:

    Code:
    # openssl s_client -connect localhost:21 -starttls ftp
    I am connected ok.

    Here's a helpful page with more information pertaining to the TLSCipherSuite option (it's on the ProFTPd site, but the info is still applicable):

    TLSCipherSuite
    Please let us know if this helps.
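    The fix above works because `-aNULL` strips the anonymous Diffie-Hellman suites (Au=None, such as ADH-AES256-SHA from the "before" output) that `HIGH:MEDIUM` otherwise pulls in. As an added example (not code from the thread or from Pure-FTPd), this Python script expands both TLSCipherSuite lines with the local OpenSSL and lists the anonymous suites each one enables, so the directive can be checked before the daemon is restarted.

```python
"""Expand a pure-ftpd TLSCipherSuite string and flag anonymous suites.

Added example, not code from the thread or from Pure-FTPd. It asks the
local OpenSSL (through Python's ssl module) which cipher suites a
TLSCipherSuite directive really enables and reports those whose
authentication is anonymous (aNULL: ADH-*/AECDH-*, shown as Au=None).
Those are the suites `openssl s_client -cipher aNULL` negotiates and
that the QID 38142 finding is about.
"""
import re
import ssl

# Constructed samples: the two /etc/pure-ftpd.conf lines from the thread.
BEFORE = "TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3"
AFTER = "TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3:-aNULL"


def cipher_string(conf_line):
    """Return the OpenSSL cipher string from a TLSCipherSuite directive."""
    m = re.match(r"\s*TLSCipherSuite\s+(\S+)", conf_line)
    if not m:
        raise ValueError("not a TLSCipherSuite directive: %r" % conf_line)
    return m.group(1)


def anonymous_ciphers(spec):
    """Expand `spec` with the local OpenSSL and list the suites that
    authenticate nobody (anonymous DH / ECDH key exchange)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()
            if c["auth"] == "auth-null" or "Au=None" in c["description"]]


def is_pci_clean(conf_line):
    """True when the directive enables no anonymous suite. A trailing
    `-aNULL` only removes them from the list built so far; `!aNULL`
    also stops a later rule from re-adding them, so it is the stricter
    spelling of the same fix."""
    return not anonymous_ciphers(cipher_string(conf_line))


if __name__ == "__main__":
    for line in (BEFORE, AFTER):
        anon = anonymous_ciphers(cipher_string(line))
        print(line)
        print("  anonymous suites:", ", ".join(anon) or "none")
```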
     
  5. mtbwacko
    cPanelJeff you rock! That's exactly the answer I was looking for and it works perfectly! Thank you so much. What a relief!

    Greg
     