

SOLVED Proftp & TLS 1.0 PCI Compliance

Discussion in 'Security' started by ehask71, Dec 19, 2017.

  1. ehask71

    ehask71 Well-Known Member

    Joined:
    Jul 13, 2007
    Messages:
    54
    Likes Received:
    4
    Trophy Points:
    58
    Location:
    Tampa, Florida, United States
    cPanel Access Level:
    Root Administrator
    I am going crazy. 40 days ago my server was PCI compliant... now I brought on a new customer and the PCI scanner is flagging port 21 for TLS 1.0.

    Anyone have a fix for it?

    ProFTP

    Ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

    What should the protocols be?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,711
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Here's the default cipher list we provide for ProFTPd as of cPanel version 68:

    Code:
    HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
    Can you update the TLS Cipher Suite to the above value via "WHM Home » Service Configuration » FTP Server Configuration" and let us know if that helps?

    Thank you.
     
  3. ehask71

    ehask71 Well-Known Member
    What is the default for the Protocol field? I think we jacked ours up.
     
  4. ehask71

    ehask71 Well-Known Member
    It got worse... before, I only had "Server Supports TLS 1.0 protocol".

    Now I have RC4 and SWEET32.

    [screenshot attached: upload_2017-12-21_10-45-24.png]
     
    #4 ehask71, Dec 21, 2017
    Last edited by a moderator: Dec 21, 2017
  5. ehask71

    ehask71 Well-Known Member
    These are the ciphers for ProFTPd on 68.0.21 that passed:

    AES128+EECDH:AES128+EDH:!SSLv2:!SSLv3:!3DES
     
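An added example (not from the thread and not cPanel's own template) showing the two settings side by side in a plain ProFTPd mod_tls block. The cipher list only selects suites; the TLS protocol version, which is what the scanner reports as "Server Supports TLS 1.0 protocol", is controlled by the separate TLSProtocol directive (the Protocol field asked about in post #3). Certificate paths are assumptions; on a cPanel server the same two values are set through the WHM FTP Server Configuration page the thread references rather than by editing the file by hand.

```apacheconf
# ProFTPd mod_tls fragment: weak configuration commented out, corrected one active.
<IfModule mod_tls.c>
    TLSEngine                  on
    TLSRequired                on
    # Paths below are assumptions for the example.
    TLSRSACertificateFile      /etc/pki/tls/certs/ftpd-rsa.pem
    TLSRSACertificateKeyFile   /etc/pki/tls/private/ftpd-rsa-key.pem

    # Before: every protocol version allowed, and the HIGH:MEDIUM list from post #2.
    # A PCI scan flags TLS 1.0 on this, and MEDIUM pulls in RC4 (and 3DES on
    # OpenSSL 1.0.2, where 3DES still sits in HIGH), which is what post #4 saw.
    #TLSProtocol                SSLv3 TLSv1 TLSv1.1 TLSv1.2
    #TLSCipherSuite             HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3

    # After: TLS 1.2 only (newer ProFTPd releases also accept TLSv1.3 here),
    # plus the forward-secret list that passed the scan in post #5.
    TLSProtocol                TLSv1.2
    TLSCipherSuite             AES128+EECDH:AES128+EDH:!SSLv2:!SSLv3:!3DES
</IfModule>
```

Note that `!SSLv2` and `!SSLv3` inside TLSCipherSuite remove cipher suites tagged with those versions; they do not switch the protocols off. Only TLSProtocol does that, which is why changing the cipher list alone did not clear the TLS 1.0 finding.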
  6. ottdev

    ottdev Well-Known Member

    Joined:
    Oct 1, 2013
    Messages:
    104
    Likes Received:
    3
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Where is the raw file where this cipher spec appears? In our WHM 68.0.29 this field only says HIGH.
    It's as if the rest has been truncated! I wish to compare with the actual file and submit a bug if something's wrong...
     
  7. rpvw

    rpvw Well-Known Member

    Joined:
    Jul 18, 2013
    Messages:
    678
    Likes Received:
    224
    Trophy Points:
    43
    Location:
    Spain
    cPanel Access Level:
    Root Administrator
    If all you see is HIGH, you may be using Pure-FTPd (the above posts all referred to ProFTPd).

    You can find the conf files in
    • /etc/proftpd.conf
    • /etc/pure-ftpd.conf
    I just tried changing from the old HIGH to HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3 using "WHM Home » Service Configuration » FTP Server Configuration", which updated the Pure-FTPd config, and it seems to have worked OK.

    Update:

    I am not at all sure a better cipher list would not be HIGH:MEDIUM:+TLSv1:!SSLv2:!SSLv3

    Disabling SSLv3 should prevent POODLE exploits.

    I would very much like cPanel to comment on this.
     
    #7 rpvw, Feb 20, 2018
    Last edited: Feb 20, 2018
  8. ottdev

    ottdev Well-Known Member
    YES!
    It's Pure-FTPd.
    It does say just HIGH in the raw file:

    Code:
    # SSL is disabled by default. TLS 1.0, 1.1 and 1.2 are available by default.
    TLSCipherSuite HIGH

    Pure-FTPd documentation doesn't detail which strings can be used.

    But I found HIGH is indeed valid:
    /docs/man1.0.2/apps/ciphers.html
    HIGH
    "high" encryption cipher suites. This currently means those with key lengths larger than 128 bits, and some cipher suites with 128-bit keys.


    It's still a mystery what is actually included in "HIGH".

    Now I have a Dreamweaver user who cannot connect due to her older version not having support for TLS 1.2 - this is great! Do I assume then that "HIGH" effectively rules out TLS 1.0 and 1.1? OR does it mean something is installed or NOT, or enabled/disabled elsewhere server-side, that would override what FTP wants to allow here?

    i.e., if the server itself allows only TLS 1.2, then a spec in an individual application (such as FTP) couldn't possibly override it. How do I check the overall SSL specs? It's not that I want to loosen anything up! I'd like to be certain I'm correct when I inform the client that he needs an FTP or web publishing client that supports a minimum of TLS 1.2.
     
  9. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
    Hello @ottdev,

    This corresponds to the OpenSSL library installed on your system. Here's a command you can use to see a list of what's included:

    Code:
    openssl ciphers -v 'HIGH'
    Thank you.
     
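An added example that is not part of the thread and not cPanel's, ProFTPd's or Pure-FTPd's code. It does programmatically what the `openssl ciphers -v 'HIGH'` command in post #9 does, for all three cipher strings quoted in the thread (posts #2, #5 and #8), and then sorts the result the way the scanner in post #4 would: anonymous or weak suites (RC4, 3DES/SWEET32, MD5, NULL, export) versus suites without forward secrecy (static RSA key exchange) versus the rest. It uses the OpenSSL library linked into the running Python, so the exact expansion depends on that library: OpenSSL 1.0.2 still ships RC4 and keeps 3DES in HIGH, while 1.1.0 and later moved 3DES to MEDIUM and omit RC4 unless built with enable-weak-ssl-ciphers. The WEAK_NAME_MARKERS list is a constructed approximation of what a PCI ASV scan flags, not an official list.

```python
"""Expand OpenSSL cipher strings from the thread and audit them.

Added example for this page, not code from the thread or from cPanel.
Mirrors `openssl ciphers -v '<string>'` via the ssl module, using whatever
OpenSSL this Python build links against.
"""
import re
import ssl

# Cipher strings quoted in the thread (posts #2, #5 and #8).
THREAD_CIPHER_STRINGS = {
    "cpanel68_proftpd_default": "HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3",
    "passed_pci_scan": "AES128+EECDH:AES128+EDH:!SSLv2:!SSLv3:!3DES",
    "pureftpd_default": "HIGH",
}

# Name fragments a PCI scan objects to (constructed list, not exhaustive):
# RC4, single/triple DES (SWEET32), MD5 MACs, NULL encryption, export grades.
WEAK_NAME_MARKERS = ("RC4", "DES-CBC3", "DES-CBC-", "MD5", "NULL", "EXP")
# Key-exchange tokens in OpenSSL's description line that give forward secrecy.
FORWARD_SECRET_KX = {"ECDH", "DH"}


def expand(cipher_string):
    """Return the suites OpenSSL selects for cipher_string, in preference
    order, as (name, protocol, kx, au) tuples parsed from the same
    description line `openssl ciphers -v` prints.

    TLS 1.3 suites are skipped: OpenSSL 1.1.1+ reports them regardless of
    the cipher string, and none of the three strings above is about them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3" or c["name"].startswith("TLS_"):
            continue
        kx = re.search(r"Kx=(\S+)", c["description"])
        au = re.search(r"Au=(\S+)", c["description"])
        suites.append((c["name"], c["protocol"],
                       kx.group(1) if kx else "?",
                       au.group(1) if au else "?"))
    return suites


def audit(cipher_string):
    """Sort the expansion into what a scanner flags outright ('weak'),
    what it flags for lacking forward secrecy ('non_pfs'), and the rest."""
    report = {"weak": [], "non_pfs": [], "ok": []}
    for name, _proto, kx, au in expand(cipher_string):
        if au == "None" or any(m in name for m in WEAK_NAME_MARKERS):
            report["weak"].append(name)       # anonymous, or weak primitive
        elif kx not in FORWARD_SECRET_KX:
            report["non_pfs"].append(name)    # static RSA/ECDH key exchange
        else:
            report["ok"].append(name)
    return report


if __name__ == "__main__":
    for label, spec in THREAD_CIPHER_STRINGS.items():
        r = audit(spec)
        print(f"{label}: {spec}")
        print(f"  forward-secret: {len(r['ok'])}  no-PFS: {len(r['non_pfs'])}"
              f"  weak: {r['weak']}")
```

Two things the output makes visible that the thread only hints at. First, `+TLSv1`, `!SSLv2` and `+SSLv3` are cipher-suite selectors in OpenSSL's cipher-string syntax (they match suites tagged with that minimum version, and `!SSLv2` is simply ignored on builds that no longer know the keyword); they do not enable or disable a protocol, so no cipher string on its own clears a "TLS 1.0 supported" finding. The protocol is governed by the server's protocol setting (ProFTPd's TLSProtocol, the Protocol field mentioned in post #3). Second, `HIGH` and `HIGH:MEDIUM` are strength classes, not security policies: depending on the OpenSSL version they include anonymous DH suites and 3DES, and MEDIUM adds RC4 where it is compiled in, which is the RC4 and SWEET32 regression reported in post #4. To confirm what the listener actually negotiates, test it from outside with `openssl s_client -connect host:21 -starttls ftp -tls1` (and `-tls1_1`, `-tls1_2`), since that is what the scanner does.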