The Community Forums


SSL BEAST Workaround for WHM/cPanel

Discussion in 'Security' started by tmorton2, Nov 21, 2012.

  1. tmorton2

    tmorton2 Member

    Joined:
    Oct 11, 2012
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello,

    My PCI compliance scanner recently changed their criteria to make the SSL BEAST vulnerability a failing criterion for PCI-DSS compliance. I've configured Apache to not be vulnerable with a combination of:

    Code:
    SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:!MD5:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
    SSLProtocol ALL -SSLv2
    SSLHonorCipherOrder On
    
    SSL Labs says my server is no longer vulnerable. However, when I test 2087 using beast.pl, it is reported as vulnerable to BEAST. How can I configure cPanel/WHM to not be vulnerable and pass the PCI scan?

    Thank you!
     
  2. beddo

    beddo Well-Known Member

    Joined:
    Jan 19, 2007
    Messages:
    157
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    England
    cPanel Access Level:
    DataCenter Provider
    SSL Labs is probably only testing port 443. If you have gone into Apache configuration and set the cipher suite there then you have corrected the problem for Apache but NOT for cPanel/WHM. To do this you have to set the cipher suite in "cPanel Web Services Configuration" as well.

    Code:
    RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!ADH:!AESGCM:!AES:!DES-CBC3-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!AES256-SHA
    I have this cipher suite set in Apache which seems to work well.
     
  3. tmorton2

    tmorton2 Member

    Joined:
    Oct 11, 2012
    Messages:
    9
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Aha, thanks beddo! I knew that setting had to be there somewhere. Looks like everything is good now.
     
  4. WillDashwood

    WillDashwood Member

    Joined:
    Oct 12, 2004
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    I've been trying to fix these BEAST vulnerabilities too. Jesse from cPanel support kindly pointed me in the direction of this thread. Just in case anyone else is wondering (like I did), the following code should be added in pre_virtualhost_global.conf under Service Configuration >> Apache Configuration >> Include Editor.

    Code:
    SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:!MD5:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
    SSLProtocol ALL -SSLv2
    SSLHonorCipherOrder On
    After adding that and restarting Apache, beast.pl reports all OK on port 443. Just awaiting a rescan of the PCI audit to confirm.

    However, I'm having no such luck with the cPanel ports. I've added the code beddo suggested above under Service Configuration >> cPanel Web Services Configuration but when I run beast.pl on port 2087 it says...

    Jesse says that at the moment there isn't a workaround but they are implementing a feature for this to be disabled in 11.36. The case reference is #63039.

    tmorton2 and beddo, did you manage to fix this on the cPanel ports?
     
  5. WillDashwood

    WillDashwood Member

    Joined:
    Oct 12, 2004
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    It seems that the PCI scan has come back fine now on the cPanel ports so I guess the change beddo suggested above does work after all and that the beast.pl script isn't reporting correctly.

    Now all I need to do is secure the mail service as the PCI report now flags ports 995, 465, 993 and 143 as vulnerable. Any ideas on that?
     
  6. gkgcpanel

    gkgcpanel Well-Known Member

    Joined:
    Jun 6, 2007
    Messages:
    217
    Likes Received:
    0
    Trophy Points:
    16
    cPanel Access Level:
    DataCenter Provider
    Well, according to SSL-Labs at

    https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls

    Update (19 March 2013): This blog post advises to use RC4 to mitigate the BEAST attack, but RC4 has recently been discovered to be weaker than previously known. At this point the attacks against RC4 are still not practical. The only fully safe choice at the moment is the AES-GCM suites supported only in TLS 1.2.

    So now how do we guard against BEAST?? Another cipher change/addition?
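As an added example, not code from the thread or from cPanel: a small Python evaluator that applies OpenSSL's cipher-string rules (plain, `!`, `-`, `+` tokens) to the suites posted above and reports which suite a client would negotiate and whether it is a CBC suite, the record mode BEAST targets. The suite table, its order and the client offers are constructed, and the `honor_server_order` switch is an assumption standing in for SSLHonorCipherOrder; the same check also answers gkgcpanel's question, since beddo's `!AESGCM` rule visibly excludes the AES-GCM suites the Qualys update points to.

```python
# Added example, not from the thread: a toy evaluator for OpenSSL-style cipher strings.
# SUITES is a constructed subset in hypothetical order; real OpenSSL expands HIGH, RC4 etc.
SUITES = {  # name: (keyword aliases, record mode, minimum TLS version)
    "ECDHE-RSA-AES256-SHA384":     ({"HIGH", "AES", "AES256", "ECDHE"}, "CBC", 1.2),
    "ECDHE-RSA-AES128-GCM-SHA256": ({"HIGH", "AES", "AESGCM", "ECDHE"}, "AEAD", 1.2),
    "AES256-SHA256":               ({"HIGH", "AES", "AES256"}, "CBC", 1.2),
    "AES256-SHA":                  ({"HIGH", "AES", "AES256"}, "CBC", 1.0),
    "AES128-SHA":                  ({"HIGH", "AES", "AES128"}, "CBC", 1.0),
    "DES-CBC3-SHA":                ({"HIGH", "3DES"}, "CBC", 1.0),
    "DHE-RSA-AES256-SHA":          ({"HIGH", "AES", "AES256", "EDH", "DH"}, "CBC", 1.0),
    "ADH-AES256-SHA":              ({"HIGH", "AES", "AES256", "ADH", "DH", "aNULL"}, "CBC", 1.0),
    "RC4-SHA":                     ({"MEDIUM", "RC4"}, "STREAM", 1.0),
    "RC4-MD5":                     ({"MEDIUM", "RC4", "MD5"}, "STREAM", 1.0),
}

def _matches(name, token):
    """RSA+AES style tokens match only when every '+'-joined part matches."""
    return all(p == name or p in SUITES[name][0] for p in token.split("+"))

def expand(cipher_string):
    """OpenSSL cipher-string rules: a plain token appends matching suites in table
    order, '-' drops them, '!' drops them for good, '+' moves them to the end."""
    chosen, killed = [], set()
    for token in filter(None, cipher_string.split(":")):
        flag, word = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hit = [n for n in chosen if _matches(n, word)]
        if flag in ("!", "-"):
            chosen = [n for n in chosen if n not in hit]
            if flag == "!":
                killed.update(n for n in SUITES if _matches(n, word))
        elif flag == "+":
            chosen = [n for n in chosen if n not in hit] + hit
        else:
            chosen += [n for n in SUITES if _matches(n, word)
                       and n not in killed and n not in chosen]
    return chosen

def negotiate(server_string, client_offer, tls_version, honor_server_order=True):
    """Return (suite, mode) the handshake lands on, or None; honor_server_order mirrors SSLHonorCipherOrder."""
    server = expand(server_string)
    first, second = (server, client_offer) if honor_server_order else (client_offer, server)
    for name in first:
        if name in second and SUITES[name][2] <= tls_version:
            return name, SUITES[name][1]
    return None

CLIENT_TLS10 = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"]  # constructed, CBC first
BEDDO = ("RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!ADH:!AESGCM:!AES:!DES-CBC3-SHA:"
         "!CAMELLIA256-SHA:!CAMELLIA128-SHA:!AES256-SHA")   # beddo's suite from post 2
```

Run `negotiate(BEDDO, CLIENT_TLS10, 1.0)` to see the RC4 stream suite win, and flip `honor_server_order` to False on tmorton2's string to see a client-preferred CBC suite come back instead.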
     
  7. ethical

    ethical Well-Known Member

    Joined:
    Apr 7, 2009
    Messages:
    79
    Likes Received:
    2
    Trophy Points:
    8
    We have to wait for cPanel to allow TLS 1.2, would be my guess?
     
  8. alphawolf50

    alphawolf50 Well-Known Member

    Joined:
    Apr 28, 2011
    Messages:
    186
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator