In this article we’ll discuss a server side fix for the SSL 3.0 (Secure Socket Layer) and TLS 1.0 (Transport Layer Security) vulnerability in handling ciphers that use CBC (Cipher-Block-Chaining). If you read our previous article on how to pass PCI compliance scans, this is one of the tests that a PCI vendor might fail your website on when they scan it.
As of April, 2012, PCI scanning vendors started identifying web servers running SSL 3.0 and TLS 1.0 as vulnerable even when not running Java. There was only one known exploit released called BEAST (Browser Exploit Against SSL/TLS) which was a web-browser only attack. However some PCI vendors will still fail your server as a security precaution, if this is the case you can use the steps below to update your service’s cipher to a stream cipher such as RC4, rather than a block cipher.
The steps mentioned below would first require you having root access to your server, and then you’d want to login to your server via SSH to follow along.
- You will need to modify 7 service configuration files, the first thing you’d want to run is the following command to make a copy of all of these files with a .backup extension:
for configFile in /var/cpanel/conf/pureftpd/main /var/cpanel/templates/apache2/main.local /var/cpanel/cpanel.config /usr/local/cpanel/etc/stunnel/default/stunnel.conf /etc/exim.conf.local /usr/lib/courier-imap/etc/imapd-ssl /usr/lib/courier-imap/etc/pop3d-ssl; do cp -frp $configFile{,.backup}; done
- For Pure-FTP, edit the file /var/cpanel/conf/pureftpd/mainReplace the line:
TLSCipherSuite: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
With the following text:
TLSCipherSuite: "!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5"
Run the following command to make the change active, and restart Pure-FTP
/usr/local/cpanel/whostmgr/bin/whostmgr2 doftpconfiguration && service pure-ftpd restart
You can test it now with the following command:
openssl s_client -connect localhost:21 -starttls ftp
- For Apache, edit the file /var/cpanel/templates/apache2/main.localReplace the lines:
[% IF supported.mod_ssl -%] # SSLCipherSuite can be set in WHM under 'Apache Global Configuration' [% IF main.sslciphersuite.item.sslciphersuite.length %]SSLCipherSuite [% main.sslciphersuite.item.sslciphersuite %][% END %] SSLProtocol -ALL +SSLv3 +TLSv1
With the following text:
[% IF supported.mod_ssl -%] SSLProtocol -ALL -SSLv2 +SSLv3 +TLSv1 SSLHonorCipherOrder on SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5
Run the following command to make the change active, and restart Apache
/scripts/rebuildhttpdconf && service httpd stop && service httpd start
You can test it now with the following commands:
openssl s_client -connect example.com:443 -ssl3 openssl s_client -connect example.com:443 -tls1
- For cPanel, edit the file /var/cpanel/cpanel.configReplace the line:
nativessl=1
With the following text:
nativessl=0
For stunnel, edit the file /usr/local/cpanel/etc/stunnel/default/stunnel.conf
Replace the line:
# Authentication stuff
With the following text:
# Authentication stuff options = NO_SSLv2 ciphers = !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5
Run the following command to make the changes active, and restart cPanel
service cpanel restart
You can test it now with the following commands:
openssl s_client -connect localhost:2083 -ssl3 openssl s_client -connect localhost:2083 -tls1 openssl s_client -connect localhost:2087 -ssl3 openssl s_client -connect localhost:2087 -tls1
- For Exim (SMTP), edit the file /etc/exim.conf.localReplace the line:
tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
With the following text:
tls_require_ciphers = -ALL:!SSLv2:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD55
Run the following command to make the changes active, and restart Exim
/scripts/buildeximconf && service exim restart
You can test it now with the following commands:
openssl s_client -connect localhost:465 -tls1 openssl s_client -connect localhost:465 -ssl3
- For Courier (IMAP), edit the file /usr/lib/courier-imap/etc/imapd-sslReplace the line:
TLS_CIPHER_LIST=ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
With the following text:
TLS_CIPHER_LIST=-ALL:!SSLv2:!ADH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5
For Courier (POP3), edit the file /usr/lib/courier-imap/etc/pop3d-ssl
Replace the line:
TLS_CIPHER_LIST=ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
With the following text:
TLS_CIPHER_LIST=-ALL:!SSLv2:!ADH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5
Run the following command to make the changes active, and restart Courier
service courier-authlib restart && service courier-imap stop && service courier-imap start
You can test it now with the following commands:
openssl s_client -connect localhost:993 -ssl3 openssl s_client -connect localhost:993 -tls1 openssl s_client -connect localhost:995 -ssl3 openssl s_client -connect localhost:995 -tls1
You should now know how to update all of your service’s ciphers to help protect against this possible vulnerability that could cause a PCI scan to fail.
According to scott this is an outdated page, but his post was made in 2015 whereas this was supposedly published April 21, 2016. Does that mean that this page has been updated and is no longer out of date?
Thank you for contacting us. This article’s content has not been updated, just basic changes (such as misspellings, etc.) were made when it was republished.
I have added a red alert warning to the top of the page to let everyone know.
Thank you,
John-Paul
We’ll be happy to review the article. Which part did you encounter that requires an update?
Another note/question…
After implementing the steps that matched the instructions, I can no longer access any of my accounts cPanels at all? Is that what PCI requires??? Or have I done something wrong? I’m rolling back to my backups until I get an answer to this question.
Hello Carl,
This article is old and for older versions of cPanel. According to our Systems team, our servers have been updated, so they are now compatible. I would undo anything you have done and just send in the PCI evaluation to the Support Team so they can fix any areas that need to be addressed.
Kindest Regards,
Scott M
I don’t know if these steps are out of date or what, but there are a number of discrepancies between what these steps say SHOULD be in the files and what I’m actually seeing in the files on my server.
In Step 2, my TLSCipherSuite line looks like this:
TLSCipherSuite: HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3
Is it still to be replaced with the line indicated above?
In Step 3, I do not have a file called ‘main.local’. There is a file called ‘main.default’. Should I make the edit to this file?
Also, in main.default, the text indicated above is different. Here is what I have:
[% IF supported.mod_ssl -%]
# SSLCipherSuite can be set in WHM under 'Apache Global Configuration'
[% IF main.sslciphersuite.item.sslciphersuite.length %]SSLCipherSuite [% main.sslciphersuite.item.sslciphersuite %][% END %]
[% IF main.sslprotocol.item.sslprotocol.length %]SSLProtocol [% main.sslprotocol.item.sslprotocol %][% END %]
SSLPassPhraseDialog builtin
How does the change above apply in this situation?
The files in Step 4 seem to match the instructions. However, what should the result of the restart and the ‘tests’ be? For each test, I’m seeing this:
socket: Connection refused
connect:errno=111
Is that what I’m supposed to see?
The files in Step 5 also seems to match the instructions, but after completing the change and running the test commands, I do not get the connection refused result. Rather, I’m getting a lot of output that begins with (I’ve replace my VPS#):
CONNECTED(00000003)
depth=0 CN = vpsXXXXX.inmotionhosting.com, emailAddress = [email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = vpsXXXXX.inmotionhosting.com, emailAddress = [email protected]
verify return:1
This is followed by what appears to be the actual certificate text. Is this what’s supposed to happen?
Step 6 is similar to Step 5…the lines match, but after making the changes, restarting Courier and running the test commands, I get full certificate output just like in step 5.
Could you please clarify these points?
Thank you.