SSL BEAST Workaround for WHM/cPanel

[tmorton2]

Hello,

My PCI compliance scanner recently changed their criteria to make the SSL BEAST vulnerability a failing criteria for PCI-DSS compliance. I've configured Apache to not be vulnerable with a combination of:

SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:!MD5:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On

SSL Labs says my sever is no longer vulnerable. However, when I test 2087 using beast.pl, it is reported as vulnerable to BEAST. How can I configure cPanel/WHM to not be vulnerable and pass the PCI scan?

Thank you!

 

[beddo]

SSL Labs is probably only testing port 443. If you have gone into Apache configuration and set the cipher suite there then you have corrected the problem for Apache but NOT for cPanel/WHM. To do this you have to set the cipher suite in "cPanel Web Services Configuration" as well.

RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!ADH:!AESGCM:!AES:!DES-CBC3-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!AES256-SHA

I have this cipher suite set in Apache which seems to work well.

 

[tmorton2]

Aha, thanks beddo! I knew that setting had to be there somewhere. Looks like everything is good now.

 

[WillDashwood]

I've been trying to fix these BEAST vulnerabilities too. Jesse from cPanel support kindly pointed me in the direction of this thread. Just in case anyone else is wondering (like I did), the follow code should be added in pre_virtualhost_global.conf under Service Configuration >> Apache Configuration >> Include Editor.

SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:!MD5:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On

After adding that and restarting Apache, beast.pl reports all OK on port 443. Just awaiting a rescan of the PCI audit to confirm.

However, I'm having no such luck with the cPanel ports. I've added the code beddo suggested above under Service Configuration >> cPanel Web Services Configuration but when I run beast.pl on port 2087 it says...

## The target is PRONE to BEAST attack. ##

Protocol: TLS v1
Server Preferred Cipher: AES256-SHA
Vulnerable: YES

Jesse says that at the moment there isn't a workaround but they are implementing a feature for this to be disabled in 11.36. The case reference is #63039.

tmorton2 and beddo, did you manage to fix this on the cPanel ports?

 

[WillDashwood]

It seems that the PCI scan has come back fine now on the cPanel ports so I guess the change beddo suggested above does work after all and that the beast.pl script isn't reporting correctly.

Now all I need to do is secure the mail service as the PCI report now flags ports 995, 465, 993 and 143 as vulnerable. Any ideas on that?

 

[gkgcpanel]

Well, according to SSL-Labs at

https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls

Update (19 March 2013): This blog post advises to use RC4 to migitate the
BEAST attack, but RC4 has recently been discovered to be weaker than
previously known. At this point the attacks against RC4 are still not
practical. The only fully safe choice at the moment is the AES-GCM suites
supported only in TLS 1.2.

So now how do we guard against BEAST?? Another cipher change/addition?

 

[ethical]

We have to wait for cpanel to allow TLS1.2 would be my guess?

 

[alphawolf50]

We have to wait for cpanel to allow TLS1.2 would be my guess?

People can help speed the process by voting "thumbs up" on this feature request:

Provide OpenSSL 1.0.1c or Higher as cPanel RPM, to allow TLS 1.1, TLS 1.2 | cPanel Feature Requests

I see you already have, Ethical