SSL BEAST Workaround for WHM/cPanel

tmorton2

Member
Oct 11, 2012
cPanel Access Level: Root Administrator
Hello,

My PCI compliance scanner recently changed their criteria to make the SSL BEAST vulnerability a failing criteria for PCI-DSS compliance. I've configured Apache to not be vulnerable with a combination of:

Code:
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:!MD5:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On
SSL Labs says my server is no longer vulnerable. However, when I test 2087 using beast.pl, it is reported as vulnerable to BEAST. How can I configure cPanel/WHM to not be vulnerable and pass the PCI scan?

Thank you!

beddo

Well-Known Member
Jan 19, 2007
England
cPanel Access Level: DataCenter Provider
SSL Labs is probably only testing port 443. If you have gone into Apache configuration and set the cipher suite there then you have corrected the problem for Apache but NOT for cPanel/WHM. To do this you have to set the cipher suite in "cPanel Web Services Configuration" as well.

Code:
RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!ADH:!AESGCM:!AES:!DES-CBC3-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!AES256-SHA
I have this cipher suite set in Apache which seems to work well.

WillDashwood

Member
Oct 12, 2004
I've been trying to fix these BEAST vulnerabilities too. Jesse from cPanel support kindly pointed me in the direction of this thread. Just in case anyone else is wondering (like I did), the following code should be added in pre_virtualhost_global.conf under Service Configuration >> Apache Configuration >> Include Editor.

Code:
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:!MD5:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On
After adding that and restarting Apache, beast.pl reports all OK on port 443. Just awaiting a rescan of the PCI audit to confirm.

However, I'm having no such luck with the cPanel ports. I've added the code beddo suggested above under Service Configuration >> cPanel Web Services Configuration but when I run beast.pl on port 2087 it says...

## The target is PRONE to BEAST attack. ##

Protocol: TLS v1
Server Preferred Cipher: AES256-SHA
Vulnerable: YES
Jesse says that at the moment there isn't a workaround but they are implementing a feature for this to be disabled in 11.36. The case reference is #63039.

tmorton2 and beddo, did you manage to fix this on the cPanel ports?

WillDashwood

Member
Oct 12, 2004
It seems that the PCI scan has come back fine now on the cPanel ports so I guess the change beddo suggested above does work after all and that the beast.pl script isn't reporting correctly.

Now all I need to do is secure the mail service as the PCI report now flags ports 995, 465, 993 and 143 as vulnerable. Any ideas on that?

gkgcpanel

Well-Known Member
Jun 6, 2007
cPanel Access Level: DataCenter Provider
Well, according to SSL-Labs at

https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls

Update (19 March 2013): This blog post advises to use RC4 to mitigate the BEAST attack, but RC4 has recently been discovered to be weaker than previously known. At this point the attacks against RC4 are still not practical. The only fully safe choice at the moment is the AES-GCM suites supported only in TLS 1.2.

So now how do we guard against BEAST?? Another cipher change/addition?
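The thread's scanner output and the Qualys update both come down to one rule: BEAST needs a CBC cipher negotiated under SSLv3 or TLS 1.0, TLS 1.1+ is immune because of explicit IVs, and RC4 dodges BEAST only by being a different kind of weak. The following is an added example (not from this thread, cPanel or beast.pl) that parses a beast.pl-style report like the one posted above and classifies the negotiated protocol/cipher pair; the "Protocol:" and "Server Preferred Cipher:" line format and the CBC name heuristic over OpenSSL cipher names are assumptions.

```python
import re
from dataclasses import dataclass

# Assumed heuristic over OpenSSL cipher names: classic suites omit "CBC"
# (e.g. AES256-SHA is AES-256-CBC), so detect CBC by the block-cipher name
# and exclude the stream/AEAD modes that are not BEAST-class.
CBC_MARKERS = ("AES", "CAMELLIA", "DES-CBC3", "DES-CBC", "SEED", "IDEA")
STREAM_OR_AEAD = ("RC4", "GCM", "CCM", "CHACHA20")
OLD_PROTOCOLS = ("SSLV3", "TLSV1", "TLSV1.0")


@dataclass
class Verdict:
    beast_vulnerable: bool   # CBC suite under SSLv3/TLS 1.0
    weak: bool               # BEAST-exposed, or RC4 (weak per the 2013 update)
    reason: str


def classify(protocol: str, cipher: str) -> Verdict:
    """Apply the BEAST rule to a negotiated protocol/cipher pair."""
    proto = protocol.upper().replace(" ", "")
    cbc = any(m in cipher for m in CBC_MARKERS) and not any(
        s in cipher for s in STREAM_OR_AEAD)
    if cbc and proto in OLD_PROTOCOLS:
        return Verdict(True, True, f"{cipher} is CBC under {protocol}: BEAST applies")
    if "RC4" in cipher:
        return Verdict(False, True, "RC4 avoids BEAST but is itself weak")
    if cbc:
        return Verdict(False, False, f"CBC under {protocol}: explicit IVs defeat BEAST")
    return Verdict(False, False, f"{cipher} is AEAD/stream: not a BEAST-class cipher")


def parse_scan(report: str) -> tuple:
    """Pull the protocol and preferred cipher out of beast.pl-style output (assumed format)."""
    proto = re.search(r"Protocol:\s*(.+)", report)
    ciph = re.search(r"Server Preferred Cipher:\s*(\S+)", report)
    if not proto or not ciph:
        raise ValueError("report lacks Protocol / Server Preferred Cipher lines")
    return proto.group(1).strip(), ciph.group(1)


# Constructed sample, shaped like the port-2087 result quoted in the thread.
SAMPLE = """## The target is PRONE to BEAST attack. ##

Protocol: TLS v1
Server Preferred Cipher: AES256-SHA
Vulnerable: YES
"""

if __name__ == "__main__":
    print(classify(*parse_scan(SAMPLE)))
```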