payne

Well-Known Member
May 31, 2003
103
0
166
Seattle
In trying to make the server more secure for a Security Metrics certification, they are requesting (read:demanding) I disable SSLv2 protocols.

I edit the httpd.conf file and add:

SSLProtocol all -SSLv2

to the server section. It disables the protocol for sure, but I am then none of the existing SSL/TLS virtual servers work.

WHM and Cpanel encrypted access still works, though.

Does anyone know what I am doing wrong?
 

mitul

Well-Known Member
Feb 8, 2003
291
0
166
We had the same issue while auditing our server through security metrics certification.

SSLProtocol all -SSLv2 worked for us without any issues.
 

EWD

Well-Known Member
PartnerNOC
Aug 19, 2003
165
0
166
NY
Sorry for digging an old thread but I am having the same problem.

Where exactly do you add SSLProtocol all -SSLv2 in httpd.conf?

Thanks ;)
 

EWD

Well-Known Member
PartnerNOC
Aug 19, 2003
165
0
166
NY
Found it!
If anyone comes across this the code above should be added within the <IfModule mod_ssl.c> section of your httpd.conf

Make sure to restart apache.
 

EWD

Well-Known Member
PartnerNOC
Aug 19, 2003
165
0
166
NY
Ok we are back at this again.
Now with EA3 the code gets removed.

Anyone one know which include file I could add that code to as to not get overwritten next time EA3 runs again?

Thanks ;)
 

anand

Well-Known Member
Nov 11, 2002
1,435
1
168
India
cPanel Access Level
DataCenter Provider
Even after adding "SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP" and when trying to regenerate httpd.conf, the weak cipher error still appears.

Looking at the httpd.conf i found the line to be

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Is there anyway to change this so cpanel doesn't replace it with default line, and thus remove the weak cipher problem ?
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
11,216
10
313
Houston, TX
cPanel Access Level
Root Administrator
Even after adding "SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP" and when trying to regenerate httpd.conf, the weak cipher error still appears.

Looking at the httpd.conf i found the line to be

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Is there anyway to change this so cpanel doesn't replace it with default line, and thus remove the weak cipher problem ?
The default line is ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP on the latest builds of cPanel/WHM (all branches). You may desire to update cPanel/WHM on your server.
 

anand

Well-Known Member
Nov 11, 2002
1,435
1
168
India
cPanel Access Level
DataCenter Provider
I checked and found cpanel/whm to be latest on the server, even running upcp doesn't update anything. Further, i have on this client server apache 2.0, php 4+5, both setup to the latest versions.

I even tried to regenerate the httpd.conf in hope of it updating the line, but no luck.

Any other advise on how to get this resolved ?
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
11,216
10
313
Houston, TX
cPanel Access Level
Root Administrator
I checked and found cpanel/whm to be latest on the server, even running upcp doesn't update anything. Further, i have on this client server apache 2.0, php 4+5, both setup to the latest versions.

I even tried to regenerate the httpd.conf in hope of it updating the line, but no luck.

Any other advise on how to get this resolved ?
I'm sure you already know about checking http://layer2.cpanel.net/ for the latest build numbers. Therefore, I recommend letting or technical analysts take a look at that for you.
 

laisharit

Registered
Feb 21, 2007
1
0
151
I have the following in httpd.conf that fixed it for all ports except the cpanel ports:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

I tried all kinds of fixes but the issue with the cpanel ports existed. Then luckily found the instructions at http://blog.serverbuddies.com/tag/pci-compliance-vulnerability/ and it worked! Here's what they suggest on that site:

--------------------------

In Apache common ports 80 and 443, you need to modify the SSLCipherSuite directive in the httpd.conf or ssl.conf file. An example would be editing the following lines to something like:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
After you have done this, if you see you are still getting PCI Compliance vulnerability emails regarding to this issue its probably that cPanel is still allowing SSLv2 on their ports.

To quickly disable SSL version 2 on cPanel ports: 2082, 2083, 2086, 2087, 2095, 2096. You will need to do the following:

edit /var/cpanel/cpanel.config and change nativessl=1 to nativessl=0

This will make cPanel to use sTunnel.

edit /usr/local/cpanel/etc/stunnel/default/stunnel.conf

and add:

options = NO_SSLv2
just below the "Authentication stuff" tab.

After you have done all this you will need to restart cPanel:

/etc/init.d/cpanel restart
Done!

How to quickly check this?

SSH to your server and type the following commands

[email protected] [~]# openssl s_client -ssl2 -connect localhost:2096
[email protected] [~]# openssl s_client -ssl2 -connect localhost:2083
[email protected] [~]# openssl s_client -ssl2 -connect localhost:2087
[email protected] [~]# openssl s_client -ssl2 -connect localhost:2086
If everything is fine you should receive something like this,

[email protected] [~]# openssl s_client -ssl2 -connect localhost:2096
CONNECTED(00000003)
write:errno=104
 

tvcnet

Well-Known Member
PartnerNOC
Aug 15, 2003
118
0
166
San Diego
cPanel Access Level
DataCenter Provider
How do you prevent cpanel ports from supporting weak ciphers?

openssl s_client -host localhost -port 2087 -ssl3 -cipher EXP-RC2-CBC-MD5

<snip>
SSL handshake has read 6434 bytes and written 198 bytes
---
New, TLSv1/SSLv3, Cipher is EXP-RC2-CBC-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : SSLv3
Cipher : EXP-RC2-CBC-MD5
Session-ID: 9A844341A2CC8EDEE56E2138571718FDB60258BB6D52D237C93E65AF600799B9
<snip>
 
Last edited:

jackal

Well-Known Member
PartnerNOC
Feb 23, 2002
708
0
316
Hello , we are having issues with this on port 465, how to disable it on 465
TCP 465 urd

Synopsis : The remote service encrypts traffic using a protocol with known weaknesses. Description : The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients. See also : http://www.schneier.com/paper-ssl.pdf Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See http://support.microsoft.com/kb/216482 for instructions on IIS. See http://httpd.apache.org/docs/2.0/mod/mod _ssl.html for Apache. Risk Factor: Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

We added lines in httpd and corrected ports 80 and 443 but we are getting declined for port 465,

any thoughts?
 

dstlink

Member
Apr 23, 2003
11
0
151
The Woodlands, TX
The default line is ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP on the latest builds of cPanel/WHM (all branches). You may desire to update cPanel/WHM on your server.
I'm running the latest Release version of cPanel and reran EasyApache this morning. Still have the old SSLCipher line in my httpd.conf.

Any suggestions?