SSLProtocol all -SSLv2

payne

Well-Known Member
May 31, 2003
103
0
166
Seattle
In trying to make the server more secure for a Security Metrics certification, they are requesting (read:demanding) I disable SSLv2 protocols.

I edit the httpd.conf file and add:

SSLProtocol all -SSLv2

to the server section. It disables the protocol for sure, but then none of the existing SSL/TLS virtual servers work.

WHM and Cpanel encrypted access still works, though.

Does anyone know what I am doing wrong?
 

mitul

Well-Known Member
Feb 8, 2003
291
0
166
We had the same issue while auditing our server through security metrics certification.

SSLProtocol all -SSLv2 worked for us without any issues.
 

EWD

Well-Known Member
PartnerNOC
Aug 19, 2003
165
0
166
NY
Sorry for digging an old thread but I am having the same problem.

Where exactly do you add SSLProtocol all -SSLv2 in httpd.conf?

Thanks ;)
 

EWD

Well-Known Member
PartnerNOC
Aug 19, 2003
165
0
166
NY
Found it!
If anyone comes across this, the code above should be added within the <IfModule mod_ssl.c> section of your httpd.conf.

Make sure to restart apache.
 

EWD

Well-Known Member
PartnerNOC
Aug 19, 2003
165
0
166
NY
Ok we are back at this again.
Now with EA3 the code gets removed.

Anyone know which include file I could add that code to, so that it doesn't get overwritten the next time EA3 runs?

Thanks ;)
 

anand

Well-Known Member
Nov 11, 2002
1,432
1
168
India
cPanel Access Level
DataCenter Provider
Even after adding "SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP" and trying to regenerate httpd.conf, the weak cipher error still appears.

Looking at the httpd.conf, I found the line to be

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Is there any way to change this so cPanel doesn't replace it with the default line, and thus remove the weak cipher problem?
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
11,212
15
313
Houston, TX
cPanel Access Level
Root Administrator
Even after adding "SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP" and trying to regenerate httpd.conf, the weak cipher error still appears.

Looking at the httpd.conf, I found the line to be

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Is there any way to change this so cPanel doesn't replace it with the default line, and thus remove the weak cipher problem?
The default line is ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP on the latest builds of cPanel/WHM (all branches). You may desire to update cPanel/WHM on your server.
 

anand

Well-Known Member
Nov 11, 2002
1,432
1
168
India
cPanel Access Level
DataCenter Provider
I checked and found cPanel/WHM to be the latest on the server; even running upcp doesn't update anything. Further, I have Apache 2.0 and PHP 4+5 on this client's server, both set up to the latest versions.

I even tried to regenerate the httpd.conf in the hope of it updating the line, but no luck.

Any other advice on how to get this resolved?
 

cPanelDavidG

Technical Product Specialist
Nov 29, 2006
11,212
15
313
Houston, TX
cPanel Access Level
Root Administrator
I checked and found cPanel/WHM to be the latest on the server; even running upcp doesn't update anything. Further, I have Apache 2.0 and PHP 4+5 on this client's server, both set up to the latest versions.

I even tried to regenerate the httpd.conf in the hope of it updating the line, but no luck.

Any other advice on how to get this resolved?
I'm sure you already know about checking http://layer2.cpanel.net/ for the latest build numbers. Therefore, I recommend letting our technical analysts take a look at that for you.
 

laisharit

Registered
Feb 21, 2007
1
0
151
I have the following in httpd.conf that fixed it for all ports except the cpanel ports:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

I tried all kinds of fixes but the issue with the cPanel ports persisted. Then I luckily found the instructions at http://blog.serverbuddies.com/tag/pci-compliance-vulnerability/ and they worked! Here's what they suggest on that site:

--------------------------

In Apache common ports 80 and 443, you need to modify the SSLCipherSuite directive in the httpd.conf or ssl.conf file. An example would be editing the following lines to something like:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
After you have done this, if you see you are still getting PCI Compliance vulnerability emails regarding this issue, it's probably that cPanel is still allowing SSLv2 on its ports.

To quickly disable SSL version 2 on the cPanel ports (2082, 2083, 2086, 2087, 2095, 2096), you will need to do the following:

edit /var/cpanel/cpanel.config and change nativessl=1 to nativessl=0

This will make cPanel use stunnel.

edit /usr/local/cpanel/etc/stunnel/default/stunnel.conf

and add:

options = NO_SSLv2
just below the "Authentication stuff" tab.

After you have done all this you will need to restart cPanel:

/etc/init.d/cpanel restart
Done!

How to quickly check this?

SSH to your server and type the following commands

root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2096
root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2083
root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2087
root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2086
If everything is fine you should receive something like this,

root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2096
CONNECTED(00000003)
write:errno=104
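As an added example (not from the thread, the linked blog or cPanel), a small Python audit that applies the thread's criteria to an Apache 2.0-era mod_ssl block: it expands an SSLProtocol value and models an SSLCipherSuite string at the cipher-class level, so the weak default line and the hardened pair quoted above can be compared offline. Both config fragments are constructed samples built from the lines in this thread.

```python
import re
# Added audit helper, not from the thread or from cPanel. In Apache 2.0-era
# mod_ssl 'all' meant SSLv2+SSLv3+TLSv1; in an OpenSSL cipher list 'ALL' keeps
# every weak class until '-' drops it or '!' kills it (blocking a later '+').
WEAK = {"SSLv2", "EXPORT40", "EXPORT56", "LOW", "eNULL", "ADH"}
ALIASES = {"ALL": WEAK - {"eNULL"}, "COMPLEMENTOFALL": {"eNULL"}, "NULL": {"eNULL"},
           "EXP": {"EXPORT40", "EXPORT56"}, "EXPORT": {"EXPORT40", "EXPORT56"},
           "aNULL": {"ADH"}}

def enabled_protocols(value):
    """Expand an SSLProtocol value into the set of protocols it enables."""
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = {"SSLv2", "SSLv3", "TLSv1"} if name.lower() == "all" else {name}
        enabled = enabled | names if op == "+" else enabled - names
    return enabled

def weak_cipher_classes(value):
    """Class-level model of which weak classes survive an SSLCipherSuite string."""
    present, killed = set(), set()
    for tok in filter(None, value.split(":")):
        op, name = (tok[0], tok[1:]) if tok[0] in "+-!" else ("+", tok)
        classes = ALIASES.get(name, {c for c in WEAK if c in name.split("+")})
        if op == "+":
            present |= classes - killed
        else:
            present -= classes
            killed |= classes if op == "!" else set()
    return present

def directives(conf):
    """Read SSLProtocol/SSLCipherSuite from <IfModule mod_ssl.c> (or the whole file)."""
    m = re.search(r"<IfModule\s+mod_ssl\.c>(.*?)</IfModule>", conf, re.S | re.I)
    found = {}
    for line in (m.group(1) if m else conf).splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] in ("SSLProtocol", "SSLCipherSuite"):
            found[parts[0]] = parts[1]
    return found

def audit(conf):
    """Findings a PCI scan of this era would raise for the block; [] means clean."""
    d = directives(conf)
    findings = []
    if "SSLv2" in enabled_protocols(d.get("SSLProtocol", "all")):  # mod_ssl default
        findings.append("SSLProtocol allows SSLv2")
    weak = weak_cipher_classes(d.get("SSLCipherSuite", "ALL"))  # assume worst if unset
    return findings + ["SSLCipherSuite includes " + c for c in sorted(weak)]

# Constructed samples: the default line quoted in the thread and the hardened pair.
WEAK_CONF = "<IfModule mod_ssl.c>\nSSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL\n</IfModule>"
HARDENED_CONF = "<IfModule mod_ssl.c>\nSSLProtocol -ALL +SSLv3 +TLSv1\nSSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP\n</IfModule>"
```

The class-level model approximates OpenSSL's cipher-string rules; confirm a candidate string on the server itself with `openssl ciphers -v '<string>'`, and remember this covers httpd.conf only, not the stunnel-served cPanel ports.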
 

tvcnet

Well-Known Member
PartnerNOC
Aug 15, 2003
126
6
168
San Diego
cPanel Access Level
DataCenter Provider
How do you prevent cpanel ports from supporting weak ciphers?

openssl s_client -host localhost -port 2087 -ssl3 -cipher EXP-RC2-CBC-MD5

<snip>
SSL handshake has read 6434 bytes and written 198 bytes
---
New, TLSv1/SSLv3, Cipher is EXP-RC2-CBC-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : SSLv3
Cipher : EXP-RC2-CBC-MD5
Session-ID: 9A844341A2CC8EDEE56E2138571718FDB60258BB6D52D237C93E65AF600799B9
<snip>
 

jackal

Well-Known Member
PartnerNOC
Feb 23, 2002
707
0
316
Hello, we are having issues with this on port 465. How do we disable it on 465?
TCP 465 urd

Synopsis: The remote service encrypts traffic using a protocol with known weaknesses.
Description: The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
See also: http://www.schneier.com/paper-ssl.pdf
Solution: Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See http://support.microsoft.com/kb/216482 for instructions on IIS. See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html for Apache.
Risk Factor: Medium / CVSS Base Score: 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

We added lines in httpd.conf and corrected ports 80 and 443, but we are getting declined for port 465.

any thoughts?
 

dstlink

Member
Apr 23, 2003
11
0
151
The Woodlands, TX
The default line is ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP on the latest builds of cPanel/WHM (all branches). You may desire to update cPanel/WHM on your server.
I'm running the latest Release version of cPanel and reran EasyApache this morning. Still have the old SSLCipher line in my httpd.conf.

Any suggestions?
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,607
80
458
cPanel Access Level
Root Administrator
And that is supposed to show up in the "release" tree when? My datacenter supports that branch so I don't want to move up to bleeding edge.

PCI compliance is becoming a big issue.
Sometime within the next month.