Protect against SSL/TLS CBC vulnerability
Written by Jacob Nicholson
In this article we'll discuss a server-side fix for the SSL 3.0 (Secure Sockets Layer) and TLS 1.0 (Transport Layer Security) vulnerability in the handling of ciphers that use CBC (Cipher Block Chaining). If you read our previous article on how to pass PCI compliance scans, this is one of the tests that a PCI vendor might fail your website on when they scan it.
As of April 2012, PCI scanning vendors started identifying web servers running SSL 3.0 and TLS 1.0 as vulnerable even when not running Java. There was only one known exploit released, called BEAST (Browser Exploit Against SSL/TLS), which was a web-browser-only attack. However, some PCI vendors will still fail your server as a security precaution. If this is the case, you can use the steps below to switch your services' ciphers to a stream cipher such as RC4 rather than a block cipher.
The steps below require root access to your server; log in to your server via SSH to follow along.
- You will need to modify 7 service configuration files. First, run the following command to make a copy of all of these files with a .backup extension:
for configFile in /var/cpanel/conf/pureftpd/main /var/cpanel/templates/apache2/main.local /var/cpanel/cpanel.config /usr/local/cpanel/etc/stunnel/default/stunnel.conf /etc/exim.conf.local /usr/lib/courier-imap/etc/imapd-ssl /usr/lib/courier-imap/etc/pop3d-ssl; do cp -frp $configFile{,.backup}; done
- For Pure-FTP, edit the file /var/cpanel/conf/pureftpd/main
Replace the line:
TLSCipherSuite: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
With the following text:
TLSCipherSuite: "!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5"
Run the following command to make the change active and restart Pure-FTP:
/usr/local/cpanel/whostmgr/bin/whostmgr2 doftpconfiguration && service pure-ftpd restart
You can test it now with the following command:
openssl s_client -connect localhost:21 -starttls ftp
- For Apache, edit the file /var/cpanel/templates/apache2/main.local
Replace the lines:
[% IF supported.mod_ssl -%]
# SSLCipherSuite can be set in WHM under 'Apache Global Configuration'
[% IF main.sslciphersuite.item.sslciphersuite.length %]SSLCipherSuite [% main.sslciphersuite.item.sslciphersuite %][% END %]
SSLProtocol -ALL +SSLv3 +TLSv1
With the following text:
[% IF supported.mod_ssl -%]
SSLProtocol -ALL -SSLv2 +SSLv3 +TLSv1
SSLHonorCipherOrder on
SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5
Run the following command to make the change active and restart Apache:
/scripts/rebuildhttpdconf && service httpd stop && service httpd start
You can test it now with the following commands:
openssl s_client -connect yourdomain.com:443 -ssl3
openssl s_client -connect yourdomain.com:443 -tls1
- For cPanel, edit the file /var/cpanel/cpanel.config
Replace the line:
nativessl=1
With the following text:
nativessl=0
For stunnel, edit the file /usr/local/cpanel/etc/stunnel/default/stunnel.conf
Replace the line:
# Authentication stuff
With the following text:
# Authentication stuff
options = NO_SSLv2
ciphers = !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5
Run the following command to make the changes active and restart cPanel:
service cpanel restart
You can test it now with the following commands:
openssl s_client -connect localhost:2083 -ssl3
openssl s_client -connect localhost:2083 -tls1
openssl s_client -connect localhost:2087 -ssl3
openssl s_client -connect localhost:2087 -tls1
- For Exim (SMTP), edit the file /etc/exim.conf.local
Replace the line:
tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
With the following text:
tls_require_ciphers = -ALL:!SSLv2:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5
Run the following command to make the changes active, and restart Exim
/scripts/buildeximconf && service exim restart
You can test it now with the following commands:
openssl s_client -connect localhost:465 -tls1
openssl s_client -connect localhost:465 -ssl3
- For Courier (IMAP), edit the file /usr/lib/courier-imap/etc/imapd-ssl
Replace the line:
TLS_CIPHER_LIST=ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
With the following text:
TLS_CIPHER_LIST=-ALL:!SSLv2:!ADH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5
For Courier (POP3), edit the file /usr/lib/courier-imap/etc/pop3d-ssl
Replace the line:
TLS_CIPHER_LIST=ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
With the following text:
TLS_CIPHER_LIST=-ALL:!SSLv2:!ADH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5
Run the following command to make the changes active, and restart Courier
service courier-authlib restart && service courier-imap stop && service courier-imap start
You can test it now with the following commands:
openssl s_client -connect localhost:993 -ssl3
openssl s_client -connect localhost:993 -tls1
openssl s_client -connect localhost:995 -ssl3
openssl s_client -connect localhost:995 -tls1
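Reading the raw `openssl s_client` output for each of the ports above is tedious, so here is an added example (not part of the original article) that parses that output and reports the negotiated protocol and cipher, flagging whether the suite is RC4 (stream) or a CBC block cipher. It assumes the `openssl` command is installed; the function names and the abbreviated sample output are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: confirm what a service really
# negotiates after the edits above by parsing "openssl s_client" output.
# Note: RC4 was later prohibited for TLS by RFC 7465; this only reports the mode.

# Classify an OpenSSL cipher-suite name by the mode this article cares about:
# RC4 suites are stream ciphers, the CBC block-cipher suites are what BEAST targets.
cipher_mode() {
  case "$1" in
    RC4-*|*-RC4-*)                                        echo stream ;;
    *-GCM-*|*CHACHA*)                                     echo aead ;;   # neither CBC nor RC4
    AES*|DES-*|*-DES-*|*-AES*|CAMELLIA*|*-CAMELLIA*)       echo cbc ;;
    *)                                                    echo unknown ;;
  esac
}

# Read "openssl s_client" output on stdin; print "<protocol> <cipher> <mode>".
# Exit status 0 only when an RC4 (stream) suite was negotiated, 1 for any other
# suite, 2 when no session was established (the server refused that protocol).
judge_s_client() {
  out=$(cat)
  proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
  if [ -z "$cipher" ] || [ "$cipher" = 0000 ]; then
    echo "no session (handshake rejected)"
    return 2
  fi
  mode=$(cipher_mode "$cipher")
  echo "$proto $cipher $mode"
  [ "$mode" = stream ]
}

# Probe one live service (needs network): check_service host port [starttls-protocol]
# e.g. check_service localhost 21 ftp   or   check_service localhost 993
check_service() {
  starttls=${3:+-starttls $3}
  openssl s_client -connect "$1:$2" $starttls </dev/null 2>/dev/null | judge_s_client
}

# Constructed, abbreviated samples of s_client's session summary for offline use.
SAMPLE_RC4='New, TLSv1/SSLv3, Cipher is RC4-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA'
SAMPLE_CBC='New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'

printf '%s\n' "$SAMPLE_RC4" | judge_s_client   # prints: TLSv1 RC4-SHA stream
```

Run `check_service` once per port listed in the steps above (with `-starttls ftp` for port 21 via the third argument); a `cbc` result means that service is still offering a block cipher.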
You should now know how to update the cipher lists of all of your services to help protect against this possible vulnerability, which could otherwise cause a PCI scan to fail.