
SOLVED Proftp & TLS 1.0 PCI Compliance

Discussion in 'Security' started by ehask71, Dec 19, 2017.

  1. ehask71

    ehask71 Well-Known Member

    Joined:
    Jul 13, 2007
    Messages:
    54
    Likes Received:
    4
    Trophy Points:
    58
    Location:
    Tampa, Florida, United States
    cPanel Access Level:
    Root Administrator
    I am going crazy. 40 days ago my server was PCI compliant..... now I brought on a new customer and the PCI scanner is flagging port 21 for TLS 1.0.

    Anyone have a fix for it?

    ProFTP

    Ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

    What should the protocols be?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    42,782
    Likes Received:
    1,712
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Here's the default cipher list we provide for ProFTPd as of cPanel version 68:

    Code:
    HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
    Can you update the TLS Cipher Suite to the above value via "WHM Home » Service Configuration » FTP Server Configuration" and let us know if that helps?

    Thank you.
     
  3. ehask71

    ehask71 Well-Known Member

    Joined:
    Jul 13, 2007
    Messages:
    54
    Likes Received:
    4
    Trophy Points:
    58
    Location:
    Tampa, Florida, United States
    cPanel Access Level:
    Root Administrator
    What is the default for the Protocol field? I think we jacked ours up.
     
  4. ehask71

    ehask71 Well-Known Member

    Joined:
    Jul 13, 2007
    Messages:
    54
    Likes Received:
    4
    Trophy Points:
    58
    Location:
    Tampa, Florida, United States
    cPanel Access Level:
    Root Administrator
    It got worse..... before I only had "Server Supports TLS 1.0 protocol".

    Now I have RC4 and SWEET32


    [attached screenshot: upload_2017-12-21_10-45-24.png]
     
    #4 ehask71, Dec 21, 2017
    Last edited by a moderator: Dec 21, 2017
  5. ehask71

    ehask71 Well-Known Member

    Joined:
    Jul 13, 2007
    Messages:
    54
    Likes Received:
    4
    Trophy Points:
    58
    Location:
    Tampa, Florida, United States
    cPanel Access Level:
    Root Administrator
    These are the ciphers for ProFTPd on 68.0.21 that passed:

    AES128+EECDH:AES128+EDH:!SSLv2:!SSLv3:!3DES
     
    cPanelMichael likes this.
  6. ottdev

    ottdev Well-Known Member

    Joined:
    Oct 1, 2013
    Messages:
    104
    Likes Received:
    3
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Where is the raw file where this cipher spec appears? In our WHM 68.0.29 this field only says HIGH.
    It's as if the rest has been truncated! I wish to compare with the actual file and submit a bug if something's wrong...
     
  7. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    618
    Likes Received:
    192
    Trophy Points:
    43
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    If all you see is HIGH, you may be using Pure-FTPd (the above posts all referred to ProFTPd).

    You can find the conf files in
    • /etc/proftpd.conf
    • /etc/pure-ftpd.conf
    I just tried changing from the old HIGH to HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 using "WHM Home » Service Configuration » FTP Server Configuration", which updated the Pure-FTPd config, and it seems to have worked OK.

    Update:

    I am not at all sure a better cipher list would not be HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3

    Disabling SSLv3 should prevent POODLE exploits.

    I would very much like cPanel to comment on this.
     
    #7 rpvw, Feb 20, 2018
    Last edited: Feb 20, 2018
    cPanelMichael likes this.
  8. ottdev

    ottdev Well-Known Member

    Joined:
    Oct 1, 2013
    Messages:
    104
    Likes Received:
    3
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    YES!
    It's Pure-FTP.
    It does say just HIGH in the raw file.

    # SSL is disabled by default. TLS 1.0, 1.1 and 1.2 are available by default.
    TLSCipherSuite HIGH

    The Pure-FTPd documentation doesn't detail which strings can be used.

    But I found HIGH is indeed valid:
    /docs/man1.0.2/apps/ciphers.html
    HIGH
    "high" encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys.


    It's still a mystery what is actually included in "HIGH".

    Now I have a Dreamweaver user who cannot connect due to her older version not having support for TLS 1.2 - this is great! Do I assume then that "HIGH" effectively rules out TLS 1.0 and 1.1? OR does it mean something is installed or NOT, or enabled/disabled elsewhere server-side, that would override what FTP wants to allow here?

    i.e. if the server itself allows only TLS 1.2, then a spec in an individual application (such as FTP) couldn't possibly override it. How do I check the overall SSL specs? It's not that I want to loosen anything up!!! I'd like to be certain I'm correct when I inform the client he needs an FTP or web publishing client that supports a minimum of TLS 1.2.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    42,782
    Likes Received:
    1,712
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello @ottdev,

    This corresponds to the OpenSSL library installed on your system. Here's a command you can use to see a list of what's included:

    Code:
    openssl ciphers -v 'HIGH'
    Thank you.
     
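As an added check (example code, not from the thread or from cPanel), the following Python covers both findings discussed above: it expands a cipher string the way `openssl ciphers -v` does and groups the suites by that command's protocol column (suites tagged SSLv3 are the ones a TLS 1.0/1.1 client can still negotiate; suites tagged TLSv1.2 require TLS 1.2), flags RC4 and 3DES (SWEET32), and probes port 21 with AUTH TLS while offering a single protocol version. The embedded `openssl ciphers -v` output is a constructed sample; the host, port and weak-cipher labels are assumptions.

```python
import ftplib
import re
import ssl
import subprocess

WEAK_PATTERNS = {"RC4": re.compile(r"\bRC4\b"),  # the two weak-cipher
                 "SWEET32 (3DES)": re.compile(r"\b(DES-CBC3|3DES)\b")}  # findings in the thread

# Constructed sample of `openssl ciphers -v` output, so the audit can be run offline.
SAMPLE_OPENSSL_OUTPUT = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
"""

def audit_cipher_string(cipher_string, openssl_output=None):
    """Expand cipher_string as `openssl ciphers -v` does (run locally unless output is
    supplied) and return ({protocol column: [suites]}, {weakness: [suites]})."""
    if openssl_output is None:
        openssl_output = subprocess.run(
            ["openssl", "ciphers", "-v", cipher_string],
            check=True, capture_output=True, text=True).stdout
    by_protocol, weak = {}, {}
    for line in filter(str.strip, openssl_output.splitlines()):
        name, proto = line.split()[:2]  # e.g. AES128-SHA SSLv3
        by_protocol.setdefault(proto, []).append(name)
        for label, pattern in WEAK_PATTERNS.items():
            if pattern.search(line):
                weak.setdefault(label, []).append(name)
    return by_protocol, weak

def ftp_accepts_tls_version(host, version, port=21, timeout=10):
    """True if AUTH TLS on host completes when the client offers only `version`
    (an ssl.TLSVersion member).  Negotiation only: the certificate is not verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = version
    try:  # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level 1
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # build without security levels: nothing to lower
    try:
        with ftplib.FTP_TLS(context=ctx, timeout=timeout) as ftp:
            ftp.connect(host, port)
            ftp.auth()
            return True
    except (ssl.SSLError, ftplib.Error, OSError):
        return False
```

Running `ftp_accepts_tls_version("ftp.example.test", ssl.TLSVersion.TLSv1)` against your own server reproduces the scanner's "Server supports TLS 1.0" check; if `audit_cipher_string("HIGH")[0]` on the server's OpenSSL lists no SSLv3-tagged suites, TLS 1.0/1.1 clients have no suite left to negotiate.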