The Community Forums


SSLProtocol all -SSLv2

Discussion in 'General Discussion' started by payne, Dec 14, 2006.

  1. payne

    payne Well-Known Member

    Joined:
    May 31, 2003
    Messages:
    103
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Seattle
    In trying to make the server more secure for a Security Metrics certification, they are requesting (read: demanding) I disable SSLv2 protocols.

    I edit the httpd.conf file and add:

    SSLProtocol all -SSLv2

    to the server section. It disables the protocol for sure, but then none of the existing SSL/TLS virtual servers work.

    WHM and cPanel encrypted access still works, though.

    Does anyone know what I am doing wrong?
     
  2. GCIS

    GCIS Active Member

    Joined:
    Dec 12, 2006
    Messages:
    26
    Likes Received:
    0
    Trophy Points:
    1
    Have you enabled compliant modes in your CipherSuite?
     
  3. mitul

    mitul Well-Known Member

    Joined:
    Feb 8, 2003
    Messages:
    291
    Likes Received:
    0
    Trophy Points:
    16
    We had the same issue while auditing our server through security metrics certification.

    SSLProtocol all -SSLv2 worked for us without any issues.
     
  4. EWD

    EWD Well-Known Member
    PartnerNOC

    Joined:
    Aug 19, 2003
    Messages:
    165
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    NY
    Sorry for digging an old thread but I am having the same problem.

    Where exactly do you add SSLProtocol all -SSLv2 in httpd.conf?

    Thanks ;)
     
  5. EWD

    EWD Well-Known Member
    PartnerNOC

    Joined:
    Aug 19, 2003
    Messages:
    165
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    NY
    Found it!
    If anyone comes across this, the code above should be added within the <IfModule mod_ssl.c> section of your httpd.conf.

    Make sure to restart apache.
     
  6. EWD

    EWD Well-Known Member
    PartnerNOC

    Joined:
    Aug 19, 2003
    Messages:
    165
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    NY
    Ok we are back at this again.
    Now with EA3 the code gets removed.

    Anyone know which include file I could add that code to so it doesn't get overwritten the next time EA3 runs?

    Thanks ;)
     
  7. 10101

    10101 Well-Known Member

    Joined:
    Sep 4, 2003
    Messages:
    151
    Likes Received:
    0
    Trophy Points:
    16
    Same problem here, when using EA3 that code is missing.
     
  8. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider
    Go ahead and add it to

    /usr/local/apache/conf/includes/pre_virtualhost_global.conf

    instead
     
  9. 10101

    10101 Well-Known Member

    Joined:
    Sep 4, 2003
    Messages:
    151
    Likes Received:
    0
    Trophy Points:
    16
    Hi,

    I've tried adding:

    SSLProtocol all -SSLv2

    to the file you mentioned; however, it still shows v2 as active. Am I adding it correctly?
     
  10. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    Even after adding "SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP" and regenerating httpd.conf, the weak cipher error still appears.

    Looking at the httpd.conf, I found the line to be

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    Is there any way to change this so cPanel doesn't replace it with the default line, and thus remove the weak cipher problem?
     
  11. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    The default line is ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP on the latest builds of cPanel/WHM (all branches). You may desire to update cPanel/WHM on your server.
     
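The two cPanel defaults quoted above differ only in their `+`/`-` prefixes, and the opening post's `SSLProtocol all -SSLv2` depends on mod_ssl's own parsing rules, so it helps to evaluate both directives offline. The following is an added example, not code from this thread or from cPanel: it models the OpenSSL cipher-string rules from ciphers(1) (`ALL`, `A+B` intersection, and the `+`, `-` and `!` prefixes) over a small constructed table of real suite names, and the mod_ssl 2.x meaning of `SSLProtocol` (where `all` included SSLv2). The cipher table and the two sample httpd.conf fragments are constructed for illustration; the real list for your build comes from `openssl ciphers -v '<string>'`.

```python
"""Offline audit of SSLProtocol / SSLCipherSuite lines (added example).
Simplified model of OpenSSL ciphers(1) and mod_ssl 2.x semantics over a
constructed cipher table; not OpenSSL's real list."""
from collections import namedtuple

Cipher = namedtuple("Cipher", "name proto kx auth enc strength")

# Constructed, illustrative table. SSLv2 suites use their MD5 names so no name repeats.
CIPHERS = [
    Cipher("RC4-MD5",             "SSLv2", "RSA", "RSA",  "RC4",  "MEDIUM"),
    Cipher("EXP-RC4-MD5",         "SSLv2", "RSA", "RSA",  "RC4",  "EXPORT40"),
    Cipher("DES-CBC-MD5",         "SSLv2", "RSA", "RSA",  "DES",  "LOW"),
    Cipher("DES-CBC3-MD5",        "SSLv2", "RSA", "RSA",  "3DES", "HIGH"),
    Cipher("AES256-SHA",          "SSLv3", "RSA", "RSA",  "AES",  "HIGH"),
    Cipher("RC4-SHA",             "SSLv3", "RSA", "RSA",  "RC4",  "MEDIUM"),
    Cipher("DES-CBC-SHA",         "SSLv3", "RSA", "RSA",  "DES",  "LOW"),
    Cipher("EXP-RC2-CBC-MD5",     "SSLv3", "RSA", "RSA",  "RC2",  "EXPORT40"),
    Cipher("EXP1024-DES-CBC-SHA", "SSLv3", "RSA", "RSA",  "DES",  "EXPORT56"),
    Cipher("ADH-AES256-SHA",      "SSLv3", "DH",  "NULL", "AES",  "HIGH"),
    Cipher("NULL-SHA",            "SSLv3", "RSA", "RSA",  "NULL", "NULL"),
]

# Cipher-string keywords -> predicate on a Cipher
KEYWORDS = {
    "ALL":   lambda c: c.enc != "NULL",          # everything except eNULL
    "eNULL": lambda c: c.enc == "NULL",
    "aNULL": lambda c: c.auth == "NULL",
    "ADH":   lambda c: c.kx == "DH" and c.auth == "NULL",
    "EXP":   lambda c: c.strength.startswith("EXPORT"),
    "SSLv2": lambda c: c.proto == "SSLv2",
    "SSLv3": lambda c: c.proto == "SSLv3",
    "RSA":   lambda c: c.kx == "RSA",
}

def _matches(keyword, c):
    if keyword in KEYWORDS:
        return KEYWORDS[keyword](c)
    if keyword in ("HIGH", "MEDIUM", "LOW", "EXPORT40", "EXPORT56"):
        return c.strength == keyword
    if keyword in ("RC4", "RC2", "DES", "3DES", "AES"):
        return c.enc == keyword
    return c.name == keyword                     # a literal suite name

def evaluate(cipher_string):
    """Ordered list of enabled suite names for an OpenSSL cipher string."""
    enabled, killed = [], set()                  # '!' removals are permanent
    for token in filter(None, cipher_string.split(":")):
        op = token[0] if token[0] in "+-!" else ""
        parts = token[len(op):].split("+")       # A+B: a suite must match every part
        hits = [c.name for c in CIPHERS if all(_matches(p, c) for p in parts)]
        if op == "!":
            killed.update(hits)
            enabled = [n for n in enabled if n not in hits]
        elif op == "-":                          # removed, but a later token may re-add
            enabled = [n for n in enabled if n not in hits]
        elif op == "+":                          # move to the end; adds nothing new
            enabled = [n for n in enabled if n not in hits] + [n for n in enabled if n in hits]
        else:                                    # append, skipping present and killed suites
            enabled += [n for n in hits if n not in enabled and n not in killed]
    return enabled

WEAK = ("SSLv2", "EXP", "LOW", "eNULL", "aNULL")

def weak_ciphers(cipher_string):
    """Enabled suites a PCI scan of the era would flag."""
    by_name = {c.name: c for c in CIPHERS}
    return [n for n in evaluate(cipher_string)
            if any(_matches(k, by_name[n]) for k in WEAK)]

PROTOCOL_ALL = {"SSLv2", "SSLv3", "TLSv1"}      # what 'all' meant in mod_ssl 2.0/2.2

def ssl_protocols(directive):
    """mod_ssl SSLProtocol: '+' adds, '-' removes, a bare name replaces the set."""
    enabled = set()
    for word in directive.split():
        op, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        protos = PROTOCOL_ALL if name.lower() == "all" else {name}
        enabled = enabled - protos if op == "-" else enabled | protos if op == "+" else set(protos)
    return enabled

def audit(conf_text):
    """Scan httpd.conf-style text; return (line number, problem) findings."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts
        if key == "SSLProtocol" and "SSLv2" in ssl_protocols(value):
            findings.append((no, "SSLProtocol still permits SSLv2"))
        elif key == "SSLCipherSuite" and weak_ciphers(value):
            findings.append((no, "weak suites enabled: " + ", ".join(weak_ciphers(value))))
    return findings

# Constructed samples: the old cPanel default quoted in the thread, and the fixed pair
OLD_CONF = """SSLProtocol all
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
"""
NEW_CONF = """SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
"""
```

Two things the model makes visible. The old default's `+SSLv2:+EXP:+eNULL` only reorders: `+` never adds a suite, so `ALL` had already enabled the SSLv2, export and LOW suites and they stay enabled (eNULL is not in `ALL`, so `+eNULL` is harmless). The new default's `-LOW:-SSLv2:-EXP` does remove them, but `-` is reversible: a later bare keyword such as `RC4` re-adds the SSLv2 RC4 suites, whereas `!SSLv2` kills them for the rest of the string, which is why `!` is the safer prefix in a cipher string you expect others to append to. On any current system the same reasoning applies to SSLv3, which should be removed alongside SSLv2.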
  12. anand

    anand Well-Known Member

    Joined:
    Nov 11, 2002
    Messages:
    1,435
    Likes Received:
    1
    Trophy Points:
    38
    Location:
    India
    cPanel Access Level:
    DataCenter Provider
    I checked and found cPanel/WHM to be the latest on the server; even running upcp doesn't update anything. Further, on this client's server I have Apache 2.0 and PHP 4+5, both set up to the latest versions.

    I even tried to regenerate the httpd.conf in the hope of it updating the line, but no luck.

    Any other advice on how to get this resolved?
     
  13. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    I'm sure you already know about checking http://layer2.cpanel.net/ for the latest build numbers. Therefore, I recommend letting our technical analysts take a look at that for you.
     
  14. laisharit

    laisharit Registered

    Joined:
    Feb 21, 2007
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    I have the following in httpd.conf that fixed it for all ports except the cPanel ports:

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    I tried all kinds of fixes but the issue with the cPanel ports remained. Then I luckily found the instructions at http://blog.serverbuddies.com/tag/pci-compliance-vulnerability/ and it worked! Here's what they suggest on that site:

    --------------------------

    In Apache common ports 80 and 443, you need to modify the SSLCipherSuite directive in the httpd.conf or ssl.conf file. An example would be editing the following lines to something like:

    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    After you have done this, if you see you are still getting PCI Compliance vulnerability emails regarding this issue, it's probably because cPanel is still allowing SSLv2 on its ports.

    To quickly disable SSL version 2 on the cPanel ports 2082, 2083, 2086, 2087, 2095 and 2096, you will need to do the following:

    edit /var/cpanel/cpanel.config and change nativessl=1 to nativessl=0

    This will make cPanel use stunnel.

    edit /usr/local/cpanel/etc/stunnel/default/stunnel.conf

    and add:

    options = NO_SSLv2
    just below the "Authentication stuff" tab.

    After you have done all this you will need to restart cPanel:

    /etc/init.d/cpanel restart
    Done!

    How to quickly check this?

    SSH to your server and type the following commands

    root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2096
    root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2083
    root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2087
    root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2086
    If everything is fine you should receive something like this,

    root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2096
    CONNECTED(00000003)
    write:errno=104
     
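The check at the end of the post above relies on `openssl s_client -ssl2`, which current OpenSSL builds no longer have (SSLv2 support was removed in 1.1.0), so the same test has to be done by hand if you need to confirm an old server. The following is an added example, not code from the post, the blog it quotes, or cPanel: it sends a raw SSLv2 CLIENT-HELLO offering the export-grade specs and classifies the reply. An SSLv2 SERVER-HELLO means the port still speaks SSLv2 (and lists which SSLv2 ciphers it offers); a TLS alert or a reset connection, which is what the `write:errno=104` above is, means it does not. The message layout follows the SSL 2.0 draft; the SERVER-HELLO used for the offline check is constructed, and the `probe()` function is the only part that touches the network.

```python
"""Raw SSLv2 probe (added example): send a CLIENT-HELLO, classify the reply."""
import os
import socket
import struct
import sys

# SSLv2 cipher-spec codes (3 bytes each) from the SSL 2.0 draft
CIPHER_SPECS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def client_hello(challenge=None):
    """SSLv2 CLIENT-HELLO record: 2-byte header (high bit set, no padding) + message."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(CIPHER_SPECS)           # offer every spec, export ones included
    body = (b"\x01"                          # MSG-CLIENT-HELLO
            + b"\x00\x02"                    # CLIENT-VERSION = 2
            + struct.pack(">HHH", len(specs), 0, len(challenge))   # no session id
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_reply(data):
    """Classify the bytes read after client_hello(); returns (verdict, details)."""
    if not data:
        return ("no-sslv2", "connection closed or reset without a reply")
    if len(data) >= 2 and data[0] == 0x15 and data[1] == 0x03:
        return ("no-sslv2", "server answered with a TLS/SSLv3 alert")
    if len(data) >= 13 and data[0] & 0x80 and data[2] == 0x04:
        # MSG-SERVER-HELLO: hit(1) cert-type(1) version(2) cert-len(2) spec-len(2) conn-id-len(2)
        cert_len, spec_len = struct.unpack(">HH", data[7:11])
        specs = data[13 + cert_len:13 + cert_len + spec_len]
        names = [CIPHER_SPECS.get(specs[i:i + 3], specs[i:i + 3].hex())
                 for i in range(0, len(specs), 3)]
        return ("sslv2", names)
    return ("unknown", data[:8].hex())

def constructed_server_hello(specs=(b"\x01\x00\x80", b"\x02\x00\x80")):
    """Constructed SSLv2 SERVER-HELLO with a fake 4-byte certificate, for offline tests."""
    cert, spec_data, conn_id = b"\xde\xad\xbe\xef", b"".join(specs), os.urandom(16)
    body = (b"\x04\x00\x01\x00\x02"          # SERVER-HELLO, no session hit, X.509, version 2
            + struct.pack(">HHH", len(cert), len(spec_data), len(conn_id))
            + cert + spec_data + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body

def probe(host, port, timeout=5.0):
    """Send the hello to host:port and classify the answer (network; not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello())
        try:
            data = s.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""                       # the errno=104 case from the post
    return parse_reply(data)

if __name__ == "__main__":
    # usage: python sslv2_probe.py localhost 2083
    print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it against each port the post lists (2082, 2083, 2086, 2087, 2095, 2096, plus 443 and any other TLS listener) and expect `no-sslv2` everywhere; a `sslv2` verdict names the SSLv2 suites the server still offers, which is the same information a PCI scanner reports. A `stunnel` instance with `options = NO_SSLv2` as described above simply resets the connection, which this classifies as `no-sslv2`.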
  15. tvcnet

    tvcnet Well-Known Member
    PartnerNOC

    Joined:
    Aug 15, 2003
    Messages:
    116
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    San Diego
    cPanel Access Level:
    DataCenter Provider
    How do you prevent cPanel ports from supporting weak ciphers?

    openssl s_client -host localhost -port 2087 -ssl3 -cipher EXP-RC2-CBC-MD5

    <snip>
    SSL handshake has read 6434 bytes and written 198 bytes
    ---
    New, TLSv1/SSLv3, Cipher is EXP-RC2-CBC-MD5
    Server public key is 1024 bit
    SSL-Session:
    Protocol : SSLv3
    Cipher : EXP-RC2-CBC-MD5
    Session-ID: 9A844341A2CC8EDEE56E2138571718FDB60258BB6D52D237C93E65AF600799B9
    <snip>
     
    #15 tvcnet, Oct 13, 2008
    Last edited: Oct 14, 2008
  16. jackal

    jackal Well-Known Member
    PartnerNOC

    Joined:
    Feb 23, 2002
    Messages:
    708
    Likes Received:
    0
    Trophy Points:
    16
    Hello, we are having issues with this on port 465. How do we disable it on 465?
    TCP 465 urd

    Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.

    Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.

    See also: http://www.schneier.com/paper-ssl.pdf

    Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See http://support.microsoft.com/kb/216482 for instructions on IIS. See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html for Apache.

    Risk Factor: Medium / CVSS Base Score: 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

    We added lines in httpd and corrected ports 80 and 443, but we are getting declined for port 465.

    any thoughts?
     
  17. dstlink

    dstlink Member

    Joined:
    Apr 23, 2003
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    The Woodlands, TX
    I'm running the latest Release version of cPanel and re-ran EasyApache this morning. I still have the old SSLCipher line in my httpd.conf.

    Any suggestions?
     
  18. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    cPanel 11.24 has these changes.
     
  19. dstlink

    dstlink Member

    Joined:
    Apr 23, 2003
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    The Woodlands, TX
    And that is supposed to show up in the "release" tree when? My datacenter supports that branch so I don't want to move up to bleeding edge.

    PCI compliance is becoming a big issue.
     
  20. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,458
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Sometime within the next month.
     