SOLVED Proftp & TLS 1.0 PCI Compliance

ehask71

I am going crazy. 40 days ago my server was PCI compliant; now I brought on a new customer and the PCI scanner is flagging port 21 for TLS 1.0.

Anyone have a fix for it?

ProFTP

Ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

What should the protocols be?
 

cPanelMichael

Administrator
Staff member
Hello,

Here's the default cipher list we provide for ProFTPd as of cPanel version 68:

Code:
HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
Can you update the TLS Cipher Suite to the above value via "WHM Home » Service Configuration » FTP Server Configuration" and let us know if that helps?

Thank you.
 

ehask71

cPanelMichael said:
Here's the default cipher list we provide for ProFTPd as of cPanel version 68:
Code:
HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
Can you update the TLS Cipher Suite to the above value via "WHM Home » Service Configuration » FTP Server Configuration" and let us know if that helps?
What is the default for the Protocol field? I think we jacked ours up.
 

ehask71

It got worse. Before, I only had "Server Supports TLS 1.0 protocol".

Now I have RC4 and SWEET32.


[Attached screenshot of the scan findings: upload_2017-12-21_10-45-24.png]

ottdev

cPanelMichael said:
Here's the default cipher list we provide for ProFTPd as of cPanel version 68:
Code:
HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
Can you update the TLS Cipher Suite to the above value via "WHM Home » Service Configuration » FTP Server Configuration" and let us know if that helps?
Where is the raw file where this cipher spec appears? In our WHM 68.0.29 this field only says HIGH.
It's as if the rest has been truncated! I wish to compare with the actual file and submit a bug if something's wrong...
 

rpvw

If all you see is HIGH you may be using Pure-FTPd (the above posts all referred to ProFTPd).

You can find the conf files in
  • /etc/proftpd.conf
  • /etc/pure-ftpd.conf
I just tried changing from the old HIGH to the HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 using the "WHM Home » Service Configuration » FTP Server Configuration", which updated the Pure-FTPd config, and it seems to have worked OK.

Update:

I am not at all sure a better cipher list would not be HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3

Disabling SSLv3 should prevent POODLE exploits.

I would very much like cPanel to comment on this.
 

ottdev

YES!
It's Pure-FTPd.
It does say just HIGH in the raw file.

# SSL is disabled by default. TLS 1.0, 1.1 and 1.2 are available by default.
TLSCipherSuite HIGH

Pure-FTPd documentation doesn't detail which strings can be used.

But I found HIGH is indeed valid:
/docs/man1.0.2/apps/ciphers.html
HIGH
"high" encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys.


It's still a mystery what is actually included in "HIGH".

Now I have a Dreamweaver user who cannot connect due to her older version not having support for TLS 1.2 - this is great! Do I assume then that "HIGH" effectively rules out TLS 1.0 and 1.1? OR does it mean something is installed or NOT, or enabled/disabled elsewhere server-side, that would override what FTP wants to allow here?

i.e. if the server itself allows only TLS 1.2, then a spec in an individual application (such as FTP) couldn't possibly override it. How do I check the overall SSL specs? It's not that I want to loosen anything up!!! I'd like to be certain I'm correct when I inform the client he needs an FTP or web-publishing client that supports a minimum of TLS 1.2.
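The following is an added example, not code from any post in this thread or from cPanel, showing how to answer ottdev's "how to check overall SSL specs?" and the scanner finding in the opening post directly: handshake against port 21 with each protocol version pinned, exactly as a PCI ASV scanner does. A cipher-list string like HIGH selects cipher suites, not protocol versions; the versions a daemon speaks come from its own TLS configuration (the mod_tls TLSProtocol directive in ProFTPD, the build and config in Pure-FTPd) plus, on some distributions, a MinProtocol floor in the system openssl.cnf. Rather than reasoning about which layer wins, test the effective result. The script assumes openssl(1) on the machine you test from and takes the target from the FTP_HOST and FTP_PORT environment variables (names chosen here; no host from the thread is used).

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel: probe which protocol
# versions an FTP server negotiates over explicit TLS (AUTH TLS on port 21),
# which is what the PCI scanner tests. Assumes openssl(1) is installed and that
# FTP_HOST (and optionally FTP_PORT) are exported by the caller.

# classify_handshake: read `openssl s_client` output on stdin and print
# ACCEPTED or REJECTED. A completed handshake reports the negotiated suite:
#   New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
# while a refused version reports:
#   New, (NONE), Cipher is (NONE)
# The "Protocol : ..." line in the SSL-Session block is NOT a reliable
# indicator: s_client prints it even when the handshake failed.
classify_handshake() {
    if grep -Eq '^New, .*Cipher is [A-Z0-9_-]+$'; then
        echo ACCEPTED
    else
        echo REJECTED
    fi
}

# probe_version: attempt one handshake with a fixed protocol-version flag
# ($1 is -ssl3, -tls1, -tls1_1, -tls1_2 or -tls1_3) and classify the result.
# QUIT on stdin closes the FTP session cleanly once the handshake is done.
probe_version() {
    out=$(printf 'QUIT\r\n' | openssl s_client -connect "$FTP_HOST:${FTP_PORT:-21}" \
              -starttls ftp "$1" 2>&1) || true
    printf '%s\n' "$out" | classify_handshake
}

# audit_ftp_tls: try each version and mark the ones a PCI ASV scan fails.
# SSLv3 and TLS 1.0 are "SSL/early TLS" under PCI DSS 3.2 (not allowed after
# 30 June 2018); TLS 1.1 passes but is deprecated; TLS 1.2+ is the goal.
# Caveats: a client-side OpenSSL built without SSLv3 rejects -ssl3 itself
# ("unknown option"), and OpenSSL 3.x refuses TLS 1.0/1.1 at its default
# security level, so REJECTED there may reflect the client, not the server;
# add  -cipher 'DEFAULT@SECLEVEL=0'  to the s_client line in that case.
audit_ftp_tls() {
    rc=0
    for v in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
        result=$(probe_version "-$v")
        note=""
        case "$v/$result" in
            ssl3/ACCEPTED|tls1/ACCEPTED) note="  <-- SSL/early TLS: fails PCI DSS 3.2"; rc=1 ;;
            tls1_1/ACCEPTED)             note="  <-- deprecated; disable unless a client needs it" ;;
        esac
        printf '%-7s %s%s\n' "$v" "$result" "$note"
    done
    return $rc
}

# Only run the audit when a target was given, e.g.:
#   FTP_HOST=ftp.example.invalid sh probe_ftp_tls.sh
if [ -n "${FTP_HOST:-}" ]; then
    audit_ftp_tls
fi
```

The exit status is non-zero when SSLv3 or TLS 1.0 was accepted, so the script can sit in a cron job or a post-deploy check and fail loudly if a cPanel update or a configuration edit quietly re-enables early TLS, which is what happened to the opening poster between two scans.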
 

cPanelMichael

Administrator
Staff member
ottdev said:
It's still a mystery what is actually included in "HIGH".
Hello @ottdev,

This corresponds to the OpenSSL library installed on your system. Here's a command you can use to see a list of what's included:

Code:
openssl ciphers -v 'HIGH'
Thank you.
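As an added example (my code, not cPanel's or any poster's) that follows on from the `openssl ciphers -v 'HIGH'` command above, rpvw's `+SSLv3` versus `!SSLv3` question, and ehask71's report that the suggested list produced RC4 and SWEET32 findings: the script below expands each cipher string the way the FTP daemon's OpenSSL will, and lists the suites a PCI scanner flags. It assumes openssl(1) is installed; the fourth string in the comparison (`HIGH:!aNULL:!MD5:!RC4:!3DES`) is a candidate of mine, not one that appears in the thread. Two facts about OpenSSL cipher-list syntax explain the thread's results: MEDIUM adds 128-bit suites including RC4 (and, from OpenSSL 1.1.0 on, 3DES, which is the SWEET32 suite), and the keywords SSLv3 and TLSv1 select cipher suites by the protocol they were introduced with, so `+SSLv3`, `!SSLv3` and `+TLSv1` neither enable nor disable the SSLv3 or TLS 1.0 protocol versions. Protocol versions are a separate setting (TLSProtocol in ProFTPD), which is why a TLS 1.0 finding cannot be fixed by editing the cipher string alone.

```shell
#!/bin/sh
# Added example, not cPanel's or the thread's code: expand an OpenSSL
# cipher-list string exactly as the FTP daemon will see it, then report the
# suites a PCI scanner flags. Assumes openssl(1) is installed; what "HIGH" or
# "MEDIUM" expands to depends on the installed OpenSSL version, which is why
# this must be run on the server itself.

# weak_suites: filter `openssl ciphers -v` lines on stdin (columns: name,
# protocol, Kx=, Au=, Enc=, Mac=) down to the ones scanners flag: RC4, 3DES
# (SWEET32), single DES, NULL encryption, MD5 MACs and export-grade suites.
weak_suites() {
    awk '$5 ~ /^Enc=(RC4|3DES|DES|None)/ || $6 ~ /^Mac=MD5/ || $1 ~ /^EXP-/'
}

# audit_cipher_list: expand the string in $1 and print the offending suites.
# Returns 0 if clean, 1 if weak suites are present, 2 if the string is invalid.
audit_cipher_list() {
    list=$1
    expanded=$(openssl ciphers -v "$list" 2>/dev/null) || {
        printf '== %s: invalid cipher string\n' "$list"
        return 2
    }
    total=$(printf '%s\n' "$expanded" | wc -l | tr -d ' ')
    weak=$(printf '%s\n' "$expanded" | weak_suites)
    printf '== %s (%s suites)\n' "$list" "$total"
    if [ -n "$weak" ]; then
        printf '%s\n' "$weak" | awk '{ printf "   WEAK: %-30s %s %s\n", $1, $5, $6 }'
        return 1
    fi
    echo '   no RC4/3DES/DES/NULL/MD5/export suites'
    return 0
}

# Compare the three strings that appear in the thread plus one candidate of
# my own that excludes the flagged algorithms by name. Remember that the
# SSLv3/TLSv1 keywords select suites, not protocol versions: neither "+SSLv3"
# nor "!SSLv3" changes whether the daemon speaks SSLv3 or TLS 1.0.
if command -v openssl >/dev/null 2>&1; then
    for l in 'HIGH' \
             'HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3' \
             'HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3' \
             'HIGH:!aNULL:!MD5:!RC4:!3DES'; do
        audit_cipher_list "$l" || true
    done
fi
```

Run it on the cPanel server, not a workstation, because the expansion depends on the server's OpenSSL: on OpenSSL 1.0.2 HIGH still contains DES-CBC3-SHA, on 1.1.0 and later it does not, and MEDIUM contains RC4 on both. The exit status of audit_cipher_list makes it usable as a pre-change check before pasting a new value into the WHM field.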