
SOLVED Pure-FTPd Cipher Settings

Discussion in 'Security' started by grayloon, Nov 28, 2016.

  1. grayloon

    grayloon Well-Known Member

    Now, I'm trying to figure out how to disable DES and 3DES for Pure-FTPd. I changed my TLS Cipher Suite to:
    When I test my server with SSLyze, I still see this weak cipher listed:
    #sslyze --starttls=ftp --regular 162.209.0.20:21
     
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello @grayloon,

    Feel free to open a support ticket so we can take a closer look to determine why those cipher settings are not enacted on your system. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  3. JerryB

    JerryB Member

    Hi,

    We have the same problem running WHM 60.0 (build 26).
    It looks like a bug in pure-ftpd.

    I checked the release notes for pure-ftpd:

    * Version 1.0.43: The -J switch didn't work any more in 1.0.42. This has been fixed.

    The -J switch sets the cipher settings.

    cPanel is running: pure-ftpd-1.0.42-6.cp1156.x86_64
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Could you open a support ticket so we can take a closer look? It's possible we may need to open an internal case, but we may also address this with the nature of how Pure-FTPd is compiled on a cPanel server.

    Thank you.
     
  5. Dhaupin

    Dhaupin Active Member

    A couple days ago we changed the ciphers in one of our cPanel servers to harden for PCI. Today I'm checking scan results and it's still requiring a couple 3DES ciphers to be disabled... which I thought already were.

    I changed the ciphers in WHM (FTP Server Configuration) then checked using nmap via another box. Nothing is changing, even when putting default ciphers back in. What is interesting is that TLSv1.0 is still available as well, even with !TLSv1

    This is the command I am using to check right to the raw IP (no proxy):
    # nmap --script ssl-cert,ssl-enum-ciphers -p 21 123.123.123.123

    I feel like either I'm missing something obvious, or this nmap script is not working right. Any thoughts? Thanks.
     
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    You will need to switch to ProFTPd via "WHM >> FTP Server Selection" to meet PCI Compliance at this time due to current restrictions with the Pure-FTPd configuration. Once it's enabled, you can then browse to "WHM Home » Service Configuration » FTP Server Configuration" and remove the TLSv1 entry from the "TLS Protocol" section.

    Thank you.
     
  7. Dhaupin

    Dhaupin Active Member

    Pure-ftp is not applying the cipher list in general. The results of "nmap ... ssl-enum-ciphers" VS "openssl ciphers ..." show different ciphers.

    Is this going to be repaired? Or, is there a workaround in the meantime? Quotas and BFD are kinda important.
     
  8. Dhaupin

    Dhaupin Active Member

    Both the TLS1.0 and 3DES persistence are def PureFTP bugs that are repaired in 1.0.45. The bug/case is CPANEL-11369 to get the cPanel version upgraded or wrapped.

    Hopefully the fix is coming soon :)
     
  9. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    Internal case CPANEL-11369 is open for the consideration of PureFTPd version 1.0.45's inclusion with cPanel. This would help to address the issue where custom TLSCipherSuite values are not applied, resulting in PCI compliance failures. I'll update this thread with more information on the status of this case as it becomes available.

    Thank you.
     
  10. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Hello,

    To update, this is fixed in cPanel version 64:

    Fixed case CPANEL-11369: Update pure-ftpd to 1.0.45-1.cp1156.

    Note that as of PureFTPd 1.0.45, PureFTPd no longer supports the TLSv1 security protocol.

    Thank you.
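
An added example, not part of the thread or of cPanel's or Pure-FTPd's own code: a shell check that flags a pure-ftpd package older than 1.0.45 (the fixed release named above) and scans `nmap --script ssl-enum-ciphers` output for the TLSv1.0 and 3DES findings discussed here. The function names and the sample scan output are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and the sample scan are constructed.

# Return 0 if an rpm name such as pure-ftpd-1.0.42-6.cp1156.x86_64 is older than
# upstream 1.0.45 (the fixed release per this thread), 1 if not, 2 if unparsable.
pureftpd_needs_update() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^pure-ftpd-\([0-9][0-9.]*\)-.*/\1/p')
    [ -n "$ver" ] || return 2
    [ "$ver" = "1.0.45" ] && return 1
    oldest=$(printf '%s\n%s\n' "$ver" "1.0.45" | sort -V | head -n 1)
    [ "$oldest" = "$ver" ]
}

# Read `nmap --script ssl-enum-ciphers` output on stdin; print one line per
# finding: a TLSv1.0 section, or any 3DES suite with the protocol offering it.
weak_tls_findings() {
    awk '
        $1 == "|" && $2 ~ /^(SSLv|TLSv)[0-9.]+:$/ {
            proto = $2; sub(/:$/, "", proto)
            if (proto == "TLSv1.0") print "protocol TLSv1.0 offered"
            next
        }
        $2 ~ /_3DES_/ { print "3DES suite " $2 " on " proto }
    '
}

# Constructed scan output in the ssl-enum-ciphers layout (not from the thread).
sample_nmap_output() {
    cat <<'EOF'
21/tcp open  ftp
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|_  least strength: C
EOF
}

if pureftpd_needs_update "pure-ftpd-1.0.42-6.cp1156.x86_64"; then
    echo "package predates 1.0.45: configured cipher list may be ignored"
fi
sample_nmap_output | weak_tls_findings
```

On a live server, feed it the installed package name from `rpm -q pure-ftpd` and pipe the nmap command quoted earlier in the thread into `weak_tls_findings`; empty output means neither finding was present in that scan.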
     