
SSL Cipher Suite question

Discussion in 'Security' started by morrow95, Jul 2, 2018.

  1. morrow95

    morrow95 Well-Known Member

    Joined:
    Oct 8, 2006
    Messages:
    123
    Likes Received:
    3
    Trophy Points:
    168
    In 'Home - Service Configuration - Apache Configuration - Global Configuration' I am using the default SSL Cipher Suite:

    ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

    and have SSL/TLS Protocols set to the default TLSv1.2.

    I recently came across an issue with a 3rd party billing processor we use in that it can't connect to our site through https (API type stuff which sends back information to them when they hit the pages). After going back and forth with their support about this, they recently came back and said that we are not offering any ciphers they support and that is why they can't connect to our pages. They gave the following list of ciphers they support:

    Cipher# 0: TLS_RSA_WITH_AES_256_CBC_SHA256
    Cipher# 1: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Cipher# 2: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    Cipher# 3: TLS_RSA_WITH_AES_256_CBC_SHA
    Cipher# 4: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    Cipher# 5: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    Cipher# 6: TLS_RSA_WITH_AES_128_CBC_SHA256
    Cipher# 7: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    Cipher# 8: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    Cipher# 9: TLS_RSA_WITH_AES_128_CBC_SHA
    Cipher# 10: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    Cipher# 11: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    Cipher# 12: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
    Cipher# 13: TLS_DH_anon_WITH_AES_256_CBC_SHA256
    Cipher# 14: TLS_DH_anon_WITH_AES_256_CBC_SHA
    Cipher# 15: TLS_DH_anon_WITH_AES_128_CBC_SHA256
    Cipher# 16: TLS_DH_anon_WITH_AES_128_CBC_SHA
    Cipher# 17: SSL_RSA_WITH_DES_CBC_SHA
    Cipher# 18: SSL_DHE_RSA_WITH_DES_CBC_SHA
    Cipher# 19: SSL_DHE_DSS_WITH_DES_CBC_SHA
    Cipher# 20: SSL_DH_anon_WITH_DES_CBC_SHA
    Cipher# 21: TLS_RSA_WITH_NULL_SHA256
    Cipher# 22: SSL_RSA_WITH_NULL_SHA
    Cipher# 23: SSL_RSA_WITH_NULL_MD5
    Cipher# 24: TLS_KRB5_WITH_DES_CBC_SHA
    Cipher# 25: TLS_KRB5_WITH_DES_CBC_MD5

    The first thing on my mind here is if I need to choose one of the above I definitely want to choose the most secure and without any exploit abilities. I tried adding a couple of these one at a time in WHM's Global Configuration and just adding it to the end of the default list and using that list as a custom entry. Apache gets rebuilt and restarted each time. I check to see if our billing processor works properly with https and it still fails.

    I'm not very knowledgeable about ciphers, but have the general idea. I know I should stay away from anything with null, anon, and what not. Is there something else I should be looking at here as I would expect any of the above would work if that is the actual problem? Given the choice, which would be the best to add from their list so as to not bring about any security concerns?
     
  2. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    2,756
    Likes Received:
    187
    Trophy Points:
    143
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @morrow95

    While I can't give you advice on which of these ciphers specifically would be best, I would like to know what the error is you're getting specifically. It could prove helpful in determining how to move forward.

    Thanks!
     
  3. morrow95

    morrow95 Well-Known Member

    Joined:
    Oct 8, 2006
    Messages:
    123
    Likes Received:
    3
    Trophy Points:
    168
    There is no error. I can't really think of any other way to explain the situation other than what I originally posted. Maybe you skimmed through the post?
     
  4. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    2,756
    Likes Received:
    187
    Trophy Points:
    143
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @morrow95


    I understood what you were requesting, but my assumption was that when you attempt to connect to your billing processor without a compatible cipher suite in place you would be receiving an error in the Apache or PHP error logs. What billing processor company is it? Maybe I can help you find some further information on what others are using with the same company (pending I can find more information).

    Thanks!
     
  5. morrow95

    morrow95 Well-Known Member

    Joined:
    Oct 8, 2006
    Messages:
    123
    Likes Received:
    3
    Trophy Points:
    168
    It is the other way around, they are connecting to me. So for instance, when an order is completed I tell the system to hit www.example.com/somescript.php on my site (a callback if you want to call it that) and parameters might be posted by them along with it. I might have set up that page to add details to our database or something and/or output data they can then receive. They are not able to connect to those through https, but fine through http. The error THEY are getting is something along the lines of:

    -- ERROR --
    javax.net.ssl.SSLHandshakeException
    Received fatal alert: handshake_failure

    We've been back and forth with them for quite a while now trying to figure out the issue. They recently came back saying they believe it is because we do not offer any ciphers they currently support. We use the current ECDHE defaults. They provided a list they support, listed above. Whether this is actually the problem or not I have no idea, but I am trying to work with them on figuring this out. I know they supposedly went to TLS 1.2 this past year when everyone was making the push to that change.

    I would rather not list who I am using so there is no bad rep going out with this, but I will say in the 20 years of using various processors the service has been fantastic with only a hiccup here and there.
     
  6. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    2,756
    Likes Received:
    187
    Trophy Points:
    143
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hi @morrow95

    After some research on that error I'm finding that this is occurring due to Java needing some specific ciphers that are not present by default, which would explain why it wasn't able to connect. The problem is I can't tell you which of these would be the best to use as it's outside my realm of expertise. What I did do was add the first ten to my Apache configuration and then run the SSL Server Test (Powered by Qualys SSL Labs), and found that several of them seem to be considered weak but there are a few that seem to be neutral, and none of them with DSS were tested:

    Code:
    TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 2048 bits   FS
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 no result
    TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 2048 bits   FS
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA no result
    TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 2048 bits   FS
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256  no result
    TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 2048 bits   FS
    
    You might want to run all of them through, but I would only include TLS and non-DSS ones; the ones with SSL aren't going to be useful.

    Thanks!
     
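The handshake_failure described in post #5 and the weak/FS sorting in post #6, worked through as an added example (this is not code from cPanel, Apache, the poster or the processor): it converts the processor's Java-style suite names to the OpenSSL names WHM's cipher string uses, shows the two lists share no suite at all, and filters the processor's list down to the entries worth adding. Both input lists are constructed from the thread's text, and the candidate filter assumes the server has an RSA certificate, as a default cPanel/Apache install does.

```python
"""Added check for the thread above (not cPanel/Apache code): do the WHM default
cipher string and the processor's Java-style list share any suite at all?"""
import re

# Constructed inputs copied from the thread (processor list: one of each kind).
SERVER_OPENSSL = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256")
CLIENT_IANA = [
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_NULL_SHA256",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"]
# AES suite families named in the thread (RSA, DHE_RSA, DHE_DSS, ECDHE_*).
IANA_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE_ECDSA|ECDHE_RSA|DHE_RSA|DHE_DSS|RSA)_WITH_AES_"
    r"(?P<bits>128|256)_(?P<mode>CBC|GCM)_(?P<mac>SHA256|SHA384|SHA)$")

def iana_to_openssl(name):
    """Java/IANA AES suite name -> OpenSSL name, or None for anything outside
    those families (NULL, anon, DES, KRB5, the SCSV marker, SSL_* names)."""
    m = IANA_RE.match(name)
    if not m:
        return None
    kx = "" if m["kx"] == "RSA" else m["kx"].replace("_", "-") + "-"
    mode = "-GCM" if m["mode"] == "GCM" else ""  # CBC is implicit in OpenSSL names
    return f"{kx}AES{m['bits']}{mode}-{m['mac']}"

def common_suites(server_openssl, client_iana):
    """Suites both sides offer; an empty list means every handshake fails."""
    offered = set(server_openssl.split(":"))
    return [c for c in client_iana if iana_to_openssl(c) in offered]

def acceptable_candidates(client_iana):
    """Client suites worth adding on an RSA-certificated server (assumed): AES with
    authenticated key exchange, forward-secret first; DHE-DSS needs a DSA cert, so skipped."""
    fs, static = [], []
    for c in client_iana:
        o = iana_to_openssl(c)
        if o is None or "-DSS-" in o:
            continue
        (fs if o.startswith(("DHE-", "ECDHE-")) else static).append(o)
    return fs + static

if __name__ == "__main__":
    print("shared:", common_suites(SERVER_OPENSSL, CLIENT_IANA) or "none -> handshake_failure")
    print("add, in preference order:", acceptable_candidates(CLIENT_IANA))
```

Appending the returned OpenSSL names to the WHM cipher string (after the ECDHE defaults, so modern clients keep negotiating forward-secret GCM suites) is what the processor's list actually requires; the static-RSA entries are the ones Qualys flags as lacking forward secrecy.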