In this article we'll discuss a server side fix for the SSL 3.0 (Secure Socket Layer) and TLS 1.0 (Transport Layer Security) vulnerability in handling ciphers that use CBC (Cipher-Block-Chaining). If you read our previous article on how to pass PCI compliance scans, this is one of the tests that a PCI vendor might fail your website on when they scan it.

As of April, 2012, PCI scanning vendors started identifying web servers running SSL 3.0 and TLS 1.0 as vulnerable even when not running Java. There was only one known exploit released called BEAST (Browser Exploit Against SSL/TLS) which was a web-browser only attack. However some PCI vendors will still fail your server as a security precaution, if this is the case you can use the steps below to update your service's cipher to a stream cipher such as RC4, rather than a block cipher.

The steps mentioned below would first require you having root access to your server, and then you'd want to login to your server via SSH to follow along.

 

  1. You will need to modify 7 service configuration files, the first thing you'd want to run is the following command to make a copy of all of these files with a .backup extension:

    for configFile in /var/cpanel/conf/pureftpd/main /var/cpanel/templates/apache2/main.local /var/cpanel/cpanel.config /usr/local/cpanel/etc/stunnel/default/stunnel.conf /etc/exim.conf.local /usr/lib/courier-imap/etc/imapd-ssl /usr/lib/courier-imap/etc/pop3d-ssl; do cp -frp $configFile{,.backup}; done

     

  2. For Pure-FTP, edit the file /var/cpanel/conf/pureftpd/main

    Replace the line:

    TLSCipherSuite: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2

    With the following text:

    TLSCipherSuite: "!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5"

    Run the following command to make the change active, and restart Pure-FTP

    /usr/local/cpanel/whostmgr/bin/whostmgr2 doftpconfiguration && service pure-ftpd restart

    You can test it now with the following command:

    openssl s_client -connect localhost:21 -starttls ftp

     

  3. For Apache, edit the file /var/cpanel/templates/apache2/main.local

    Replace the lines:

    [% IF supported.mod_ssl -%]
    # SSLCipherSuite can be set in WHM under 'Apache Global Configuration'
    [% IF main.sslciphersuite.item.sslciphersuite.length %]SSLCipherSuite [% main.sslciphersuite.item.sslciphersuite %][% END %]
    SSLProtocol -ALL +SSLv3 +TLSv1

    With the following text:

    [% IF supported.mod_ssl -%]
    SSLProtocol -ALL -SSLv2 +SSLv3 +TLSv1
    SSLHonorCipherOrder on
    SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5

    Run the following command to make the change active, and restart Apache

    /scripts/rebuildhttpdconf && service httpd stop && service httpd start

    You can test it now with the following commands:

    openssl s_client -connect yourdomain.com:443 -ssl3
    openssl s_client -connect yourdomain.com:443 -tls1

     

  4. For cPanel, edit the file /var/cpanel/cpanel.config

    Replace the line:

    nativessl=1

    With the following text:

    nativessl=0

    For stunnel, edit the file /usr/local/cpanel/etc/stunnel/default/stunnel.conf

    Replace the line:

    # Authentication stuff

    With the following text:

    # Authentication stuff
    options = NO_SSLv2
    ciphers = !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5

    Run the following command to make the changes active, and restart cPanel

    service cpanel restart

    You can test it now with the following commands:

    openssl s_client -connect localhost:2083 -ssl3
    openssl s_client -connect localhost:2083 -tls1
    openssl s_client -connect localhost:2087 -ssl3
    openssl s_client -connect localhost:2087 -tls1

     

  5. For Exim (SMTP), edit the file /etc/exim.conf.local

    Replace the line:

    tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2

    With the following text:

    tls_require_ciphers = -ALL:!SSLv2:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD55

    Run the following command to make the changes active, and restart Exim

    /scripts/buildeximconf && service exim restart

    You can test it now with the following commands:

    openssl s_client -connect localhost:465 -tls1
    openssl s_client -connect localhost:465 -ssl3

     

  6. For Courier (IMAP), edit the file /usr/lib/courier-imap/etc/imapd-ssl

    Replace the line:

    TLS_CIPHER_LIST=ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

    With the following text:

    TLS_CIPHER_LIST=-ALL:!SSLv2:!ADH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5

    For Courier (POP3), edit the file /usr/lib/courier-imap/etc/pop3d-ssl

    Replace the line:

    TLS_CIPHER_LIST=ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

    With the following text:

    TLS_CIPHER_LIST=-ALL:!SSLv2:!ADH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5

    Run the following command to make the changes active, and restart Courier

    service courier-authlib restart && service courier-imap stop && service courier-imap start

    You can test it now with the following commands:

    openssl s_client -connect localhost:993 -ssl3
    openssl s_client -connect localhost:993 -tls1
    openssl s_client -connect localhost:995 -ssl3
    openssl s_client -connect localhost:995 -tls1

     

You should now know how to update all of your service's ciphers to help protect against this possible vulnerability that could cause a PCI scan to fail.

Did you find this article helpful?

We value your feedback!

Why was this article not helpful? (Check all that apply)
The article is too difficult or too technical to follow.
There is a step or detail missing from the instructions.
The information is incorrect or out-of-date.
It does not resolve the question/problem I have.
How did you find this article?
Please tell us how we can improve this article:
Email Address
Name

new! - Enter your name and email address above and we will post your feedback in the comments on this page!

Like this Article?

Related Questions

Here are a few questions related to this article that our customers have asked:
Ooops! It looks like there are no questions about this page.
Would you like to ask a question about this page? If so, click the button below!
Ask a Question

Post a Comment

Name:
Email Address:
Phone Number:
Comment:
Submit

Please note: Your name and comment will be displayed, but we will not show your email address.

0 Questions & Comments

Post a comment

Back to first comment | top

Need more Help?

Search

Ask the Community!

Get help with your questions from our community of like-minded hosting users and InMotion Hosting Staff.

Current Customers

Chat: Click to Chat Now E-mail: support@InMotionHosting.com
Call: 888-321-HOST (4678) Ticket: Submit a Support Ticket

Not a Customer?

Get web hosting from a company that is here to help. Sign up today!