Protect against SSL/TLS CBC vulnerability Updated on August 16, 2021 by InMotion Hosting Contributor 4 Minutes, 9 Seconds to Read **Notice: This article is for an older version of cPanel and is not up-to-date! We do not recommend following this guide since InMotion servers have already addressed this vulnerability. In this article we’ll discuss a server side fix for the SSL 3.0 (Secure Socket Layer) and TLS 1.0 (Transport Layer Security) vulnerability in handling ciphers that use CBC (Cipher-Block-Chaining). If you read our previous article on how to pass PCI compliance scans, this is one of the tests that a PCI vendor might fail your website on when they scan it. As of April, 2012, PCI scanning vendors started identifying web servers running SSL 3.0 and TLS 1.0 as vulnerable even when not running Java. There was only one known exploit released called BEAST (Browser Exploit Against SSL/TLS) which was a web-browser only attack. However some PCI vendors will still fail your server as a security precaution, if this is the case you can use the steps below to update your service’s cipher to a stream cipher such as RC4, rather than a block cipher. The steps mentioned below would first require you having root access to your server, and then you’d want to login to your server via SSH to follow along. You will need to modify 7 service configuration files, the first thing you’d want to run is the following command to make a copy of all of these files with a .backup extension: for configFile in /var/cpanel/conf/pureftpd/main /var/cpanel/templates/apache2/main.local /var/cpanel/cpanel.config /usr/local/cpanel/etc/stunnel/default/stunnel.conf /etc/exim.conf.local /usr/lib/courier-imap/etc/imapd-ssl /usr/lib/courier-imap/etc/pop3d-ssl; do cp -frp $configFile{,.backup}; done For Pure-FTP, edit the file /var/cpanel/conf/pureftpd/mainReplace the line: TLSCipherSuite: ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2 With the following text: TLSCipherSuite: "!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5" Run the following command to make the change active, and restart Pure-FTP /usr/local/cpanel/whostmgr/bin/whostmgr2 doftpconfiguration && service pure-ftpd restart You can test it now with the following command: openssl s_client -connect localhost:21 -starttls ftp For Apache, edit the file /var/cpanel/templates/apache2/main.localReplace the lines: [% IF supported.mod_ssl -%] # SSLCipherSuite can be set in WHM under 'Apache Global Configuration' [% IF main.sslciphersuite.item.sslciphersuite.length %]SSLCipherSuite [% main.sslciphersuite.item.sslciphersuite %][% END %] SSLProtocol -ALL +SSLv3 +TLSv1 With the following text: [% IF supported.mod_ssl -%] SSLProtocol -ALL -SSLv2 +SSLv3 +TLSv1 SSLHonorCipherOrder on SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5 Run the following command to make the change active, and restart Apache /scripts/rebuildhttpdconf && service httpd stop && service httpd start You can test it now with the following commands: openssl s_client -connect example.com:443 -ssl3 openssl s_client -connect example.com:443 -tls1 For cPanel, edit the file /var/cpanel/cpanel.configReplace the line: nativessl=1 With the following text: nativessl=0 For stunnel, edit the file /usr/local/cpanel/etc/stunnel/default/stunnel.conf Replace the line: # Authentication stuff With the following text: # Authentication stuff options = NO_SSLv2 ciphers = !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5 Run the following command to make the changes active, and restart cPanel service cpanel restart You can test it now with the following commands: openssl s_client -connect localhost:2083 -ssl3 openssl s_client -connect localhost:2083 -tls1 openssl s_client -connect localhost:2087 -ssl3 openssl s_client -connect localhost:2087 -tls1 For Exim (SMTP), edit the file /etc/exim.conf.localReplace the line: tls_require_ciphers = ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2 With the following text: tls_require_ciphers = -ALL:!SSLv2:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD55 Run the following command to make the changes active, and restart Exim /scripts/buildeximconf && service exim restart You can test it now with the following commands: openssl s_client -connect localhost:465 -tls1 openssl s_client -connect localhost:465 -ssl3 For Courier (IMAP), edit the file /usr/lib/courier-imap/etc/imapd-sslReplace the line: TLS_CIPHER_LIST=ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH With the following text: TLS_CIPHER_LIST=-ALL:!SSLv2:!ADH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5 For Courier (POP3), edit the file /usr/lib/courier-imap/etc/pop3d-ssl Replace the line: TLS_CIPHER_LIST=ALL:!SSLv2:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH With the following text: TLS_CIPHER_LIST=-ALL:!SSLv2:!ADH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5 Run the following command to make the changes active, and restart Courier service courier-authlib restart && service courier-imap stop && service courier-imap start You can test it now with the following commands: openssl s_client -connect localhost:993 -ssl3 openssl s_client -connect localhost:993 -tls1 openssl s_client -connect localhost:995 -ssl3 openssl s_client -connect localhost:995 -tls1 You should now know how to update all of your service’s ciphers to help protect against this possible vulnerability that could cause a PCI scan to fail. Share this Article InMotion Hosting Contributor Content Writer InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online goals! More Articles by InMotion Hosting Related Articles Migrate and Transfer SSLs Troubleshooting SSL Connection Errors: How to Fix HTTPS Issues What Is SSL and Why Does It Matter for Your Website? How to Tell If a Website Is Secure: 2026 Browser Guide How to Enable cPanel AutoSSL via Account Management Panel (AMP) and WHM How to Manage AutoSSL Certificates in cPanel Install Let’s Encrypt Free SSL Certificate on Ubuntu with Certbot Force HTTPS with the .htaccess File How to Fix the Insecure SSL Error due to SHA-1 Deprecation Installing SSLs and Generating CSRs in cPanel
