I need to disable TLS v1.0
Per Trustwave:
TLS v1.0 violates PCI DSS and is
considered an automatic failing condition
I have the following line in SSL Cipher Suite:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP:!kEDH
I got flagged for the same issue.
Here is the error: TLSv1.0 Supported: "The server should be configured to disable the use of TLSv1.0 protocol in favor of protocols such as TLSv1.1 and TLSv1.2. For services that already support TLSv1.1 or TLSv1.2, simply disabling the use of the TLSv1.0 protocol on this service is sufficient to address this finding." Ports: 110, 143, 443, 465, 993, 995, 2078, 2083 and 2087. They add that technically, it can be disputed until June 30th, 2016 if there is a formal risk mitigation in place. So, it does appear that adjusting the cipher suite might not be enough; the protocol needs to be disabled. They do list the cipher suites that they flagged as TLSv1.0, so maybe, if those cipher suites are disabled, it will suffice. Oddly, as this is Trustwave, and Trustwave likes to think it sets the rules, they do not provide a CVE for this issue.
Hello, We have an open support ticket from a customer asking the same question, so I'll try to relay the information our analysts provided as best as possible. It's important to note that some services will not function for certain users if you remove support for TLSv1.0. Here's a quote from an analyst on disabling it: For the web services, this can be done through WHM: Home » Service Configuration » cPanel Web Services Configuration, under the "TLS/SSL Protocols" field by adding !TLSv1 to the list.
For Dovecot you can add !TLSv1 through WHM: Home » Service Configuration » Mailserver Configuration under the "SSL Protocols" field. I've tested this and it disabled TLSv1.0 for me, while leaving 1.1/1.2 enabled.
The following response from one of our analysts is also helpful: Hello, To my understanding, the reason TLS 1.0 is no longer considered secure by PCI is due to a policy regarding CVE scores. Use of RC4 recently had CVE scores increased to be at the same level as the BEAST vulnerability which affects all other TLS 1.0 ciphers. I do not know the exact policy of PCI regarding this, but this issue was brought to my attention upon finding the following discussion:
It's important to note that some services will not function for certain users if you remove support for TLSv1.0.
Thanks for your input.
One of my sites was just scanned by Trustwave. The report shows the following vulnerabilities:
- Port 21 - SSLv3 Supported
- Port 21 - TLSv1.0 Supported
- Port 443 - TLSv1.0 Supported
- Port 2083 - TLSv1.0 Supported
- Port 2087 - TLSv1.0 Supported
Is there an updated list of ciphers for Apache, FTP, cPanel, etc. to mitigate these vulnerabilities?
One of my sites was just scanned by Trustwave
I've moved your post to this thread. Please review the previous posts to this thread for more information. Thank you.
Ok, so I added the following.
TLS/SSL Cipher List = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH
TLS/SSL Protocols = SSLv23:!SSLv2:!SSLv3:!TLSv1
Trustwave came back with the following. (Image attached)
Using the following command, I am supposed to be able to see if the handshake occurs and the certificate is accepted.
openssl s_client -connect google.com:443 -ssl2
ssl2 failed as expected: ssl handshake failure:s2_pkt.c:429
openssl s_client -connect google.com:443 -ssl3
handshake accepted
Dealing with this as well on a handful of servers. Here's my configuration: RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!aNULL:!EDH:!AESGCM Problem is RC4-SHA is now a failing condition as well. I can't remove it, because it will essentially brick whatever service is trying to use SSL. Does anyone have a passing SSL cipher condition?
There's another post about this but figured I'd start a specific one for this situation. Security Metrics and other PCI ASVs are now considering RC4-SHA a failing cipher over TLS 1.0. My previous cipher configuration was: RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!CAMELLIA128-SHA:!CAMELLIA256-SHA:!aNULL:!EDH:!AESGCM Removing RC4-SHA causes the server to throw an error: ERR_SSL_VERSION_OR_CIPHER_MISMATCH What's the best way to go about removing RC4-SHA and not breaking SSL?
Also, if anyone bricks their cPanel/WHM interface, the file you need to correct is: /var/cpanel/conf/cpsrvd/ssl_socket_args then run: /usr/local/cpanel/whostmgr/bin/whostmgr2 docpsrvdconfiguration
I passed PCI today, on 3 different domains. My solution in this case was an edited cipher list as well; I added port 465 to DROP any incoming connection, and I also have the mail server and FTP server disabled. Mail for those domains runs off our other server.
Trustwave came back with the following. Image Attached
Do you know what port that was on? Normally, the report gives more information than that.
There's another post about this but figured I'd start a specific one for this situation. Security metrics and other PCI ASV's are now considering RC4-SHA a failing cipher over TLS 1.0. What's the best way to go about removing RC4-SHA and not breaking ssl?
Your server supports TLSv1.1 and TLSv1.2? If so, make sure there are some ciphers left on your list that work.
I passed PCI today, on 3 different domains, my solution in this case was an edited cipher list as well, i added port 465 to DROP any incoming connection, I also have Mailserver and FTP server disabled. mail for those domains runs off our other server.
Can you provide your cipher and protocol lists?
Port 465 was for mail. Even though I turned off the service, the ports are still open.
Cipher List: ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-TLSv1:-EXP
Protocols List: SSLv23:!SSLv2:!SSLv3
Cipher List: ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-TLSv1:-EXP Protocols List: SSLv23:!SSLv2:!SSLv3
I'm still getting errors. Did you use these values for Apache, FTP, and cPanel Web Services? Those are the ones I'm trying to address with Trustwave.
cPanel Web Services. Do you/your client NEED the FTP service? If it's just from a development standpoint, it is easier to simply drop those ports and turn off that service within the server. I did the same with email services; I use our other server for mail. I have the domain pointed there and have email set up, and then just point the A record to the website.
My customers use FTP, and I force a secure connection. I don't use our servers for mail though.
Oh ok, well what exactly is the scan saying? Is there a port it is detecting an unsecured connection on? Check if that port is open, and then either disable/drop it, given it is not your secure port. I used yougetsignal.com/tools/open-ports/ to check ports.
I disabled TLS1.0 and the Trustwave PCI scan passed. But now I'm running into a few other issues:
1. Most email clients cannot send email over SMTP port 465 because they do not renegotiate the connection to TLS1.1/1.2. This is happening with Outlook, Mac Mail, iOS, Android... Thunderbird is the only one that can send email.
2. If I log in to webmail, I'm not able to use Horde (Roundcube and SquirrelMail work fine). It seems it is because of the same problem: Horde is unable to authenticate.
3. I use the cPanel XML-API to connect to the server over SSL to run some scripts. But now the script is not able to connect to the server with an SSL Connect error message, and the scripts don't execute.
I am as new to this as many. I assume you purchased a wildcard SSL for your VPS? This would be for the primary domain on the server, and with the most recent changes with TLS 1.0 not being allowed, I imagine there will be some conflicts. I need to see what the latest developments are for either a 1.3 that is to fix the issue with 1.0, or a server fix that will allow 1.0 to be utilized on the server. Sorry I can't be more help.
It's important to note that some services will not function for certain users if you remove support for TLSv1.0.
What services will not function for what users? This is very important to know and to understand, before making this change. Any additional information here would be MUCH appreciated. - Scott
What services will not function for what users? This is very important to know and to understand, before making this change.
All services will remain running, but they won't be accessible by users running older software applications. The following quotes from an analyst explain this further: We had a prior ticket last week about Trustwave asking for TLSv1 to be disabled. When it is disabled, older operating systems and clients quit working. This is beyond the browsers. Services such as IMAP and POP (Dovecot) and SMTP (Exim) cease working in Windows 7 under Outlook 2007 and 2010. Those same services can quit working on Mac OS X Mountain Lion and earlier. Basically, if you go down this path, it is likely email services will break for many users. TLS v1.0 is actually required for STARTTLS on some systems. As such, please be aware that services will break and there is nothing cPanel can do to get those older operating systems and clients to work. It will be the responsibility of the operating system provider or application to fix those services or the clients to update.
I would highly discourage disabling TLSv1 and only using TLSv1.1 and TLSv1.2 for any services related to email. Web services will cause some browsers to be unable to work, but modern browsers do support TLSv1.1 and TLSv1.2. The same cannot be said for email clients and older operating systems.
Thank you.
I'm still struggling to get my FTP server to pass the scan. I've tried several different cipher suites that are supposed to pass. Unfortunately, I don't think I can force Pure-FTPd to use TLSv1.1 or TLSv1.2. If TLS is enabled, then Pure-FTPd automatically accepts TLSv1.0 connections. Can anyone confirm? BTW, I'm testing with: openssl s_client -connect localhost:21 -starttls ftp -tls1
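The two openssl s_client checks in this thread (the plain -ssl3 probe against port 443 earlier, and the -starttls ftp -tls1 probe against port 21 just above) generalise into one script that tries every protocol version against one service and reads the result the same way a scanner does. This is an added example, not code from the thread or from cPanel; host, port and STARTTLS protocol are whatever you pass in. It reads the Cipher line of the SSL-Session block that s_client prints even on failure (0000 when no handshake happened), and reports "untestable" when the local OpenSSL build itself refuses the protocol ("unknown option" for -ssl3 on builds without SSLv3, "no protocols available" for -tls1 at the default security level on OpenSSL 3), since that result says nothing about the server.

```shell
#!/bin/sh
# tls_probe.sh - probe HOST:PORT for SSLv3, TLS 1.0, 1.1 and 1.2 with openssl s_client.
# Added example; not part of the original thread or of cPanel.
# Usage: tls_probe.sh HOST PORT [STARTTLS]
#   tls_probe.sh www.example.com 443
#   tls_probe.sh ftp.example.com 21 ftp       # Pure-FTPd, explicit TLS
#   tls_probe.sh mail.example.com 143 imap    # Dovecot IMAP STARTTLS
#   tls_probe.sh mail.example.com 587 smtp    # Exim submission STARTTLS

# Map a protocol label to the matching s_client flag.
proto_flag() {
  case "$1" in
    ssl3)   echo "-ssl3" ;;
    tls1)   echo "-tls1" ;;
    tls1_1) echo "-tls1_1" ;;
    tls1_2) echo "-tls1_2" ;;
    *)      return 1 ;;
  esac
}

# Classify captured s_client output (stdout+stderr) as accepted / rejected / untestable.
# s_client prints an "SSL-Session:" block even when the handshake fails; its Cipher
# line is then 0000. "untestable" means this client build cannot speak the requested
# protocol at all, so nothing can be concluded about the server.
classify() {
  if printf '%s\n' "$1" | grep -Eq 'unknown option|no protocols available'; then
    echo untestable
    return
  fi
  cipher=$(printf '%s\n' "$1" | awk '/^ *Cipher *:/ { print $3; exit }')
  case "$cipher" in
    ""|0000) echo rejected ;;
    *)       echo accepted ;;
  esac
}

# One handshake attempt; -starttls is added only when a STARTTLS protocol is given.
probe_one() {
  host=$1; port=$2; proto=$3; starttls=$4
  flag=$(proto_flag "$proto") || return 1
  if [ -n "$starttls" ]; then
    out=$(openssl s_client -connect "$host:$port" -starttls "$starttls" "$flag" </dev/null 2>&1)
  else
    out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
  fi
  classify "$out"
}

# Probe all four versions. For the finding in this thread you want ssl3 and tls1
# rejected while tls1_2 (and ideally tls1_1) is accepted.
probe() {
  for p in ssl3 tls1 tls1_1 tls1_2; do
    printf '%s:%s %-6s %s\n' "$1" "$2" "$p" "$(probe_one "$1" "$2" "$p" "$3")"
  done
}

if [ $# -ge 2 ]; then
  probe "$@"
fi
```

Run it against each port the ASV listed (21 with ftp, 110 with pop3, 143 with imap, 443, 465, 993, 995 and the cPanel ports 2078/2083/2087 without STARTTLS) from a host whose OpenSSL can still speak TLS 1.0; an "untestable" row means use an older build or an external scanner for that version, not that the server is clean.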
I'm still struggling to get my FTP server to pass the scan. I've tried several different cipher suites that are supposed to pass. Unfortunately, I don't think I can force Pure-FTPd to use TLSv1.1 or TLSv1.2. If TLS is enabled, then Pure-FTPd automatically accepts TLSv1.0 connections. Can anyone confirm?
I've seen one report where changing the "TLS Cipher Suite" in WHM Home » Service Configuration » FTP Server Configuration to "!SSLv3" only allows TLSv1.2. Thank you.
This one should work: EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4 Make sure you are using -SSLv2 -SSLv3 for protocols
This one should work: EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4 Make sure you are using -SSLv2 -SSLv3 for protocols
Disregard. This breaks email. Still trying to figure one out that doesn't break FTP, email, or web access. Still an issue with RC4. Can't connect even over TLS from my email clients. If I remove !RC4, I can connect to POP and SMTP again. Really have no idea how to get around this at this point.
Disregard. This breaks email. Still trying to figure one out that doesn't break FTP, email, or web access. Still an issue with RC4. Can't connect even over TLS from my email clients. If I remove !RC4, I can connect to POP and SMTP again. Really have no idea how to get around this at this point.
It does appear that removing TLSv1 from Dovecot breaks Outlook. It appears to work on newer devices and operating systems, but Outlook 2007 will not work. I'm still testing other versions. Technically we have until June 2016 to remove TLSv1, so we have time. Edit. I'm seeing a lot of issues, but one that really throws a wrench into this is that the cPanel ports still accept TLSv1, so even if I were to magically fix mail and FTP, I'd still fail for cPanel ports. For Apache:
SSL/TLS Protocols: all -SSLv3 -TLSv1
SSL Cipher Suite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
Seems to work. However, the server has to support a protocol higher than TLSv1.0
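Much of the back-and-forth in this thread comes from treating the cipher list and the protocol list as one control. In OpenSSL cipher-string syntax the keywords SSLv3, TLSv1 and TLSv1.2 name groups of cipher suites (those introduced with that version), so `-SSLv3` or `-TLSv1` in a cipher list removes suites, not protocol versions; a server whose protocol list still allows TLSv1 keeps accepting TLS 1.0 with whatever suites survive, which is why the scanner only passes once the protocol itself is disabled. What a cipher string does control is whether RC4/3DES remain and whether anything is left for TLS 1.1/1.2 clients (the ERR_SSL_VERSION_OR_CIPHER_MISMATCH case earlier in the thread is what you get when nothing overlaps). The script below is an added example, not code from the thread or from cPanel: it expands a cipher string with the server's own OpenSSL via `openssl ciphers -v` and audits the result. SAMPLE_CIPHERS_V is a constructed excerpt of that command's output so the script runs stand-alone.

```shell
#!/bin/sh
# cipher_audit.sh - expand an OpenSSL cipher string and flag what a PCI ASV will fail.
# Added example; not from the thread or from cPanel.

# Constructed excerpt of `openssl ciphers -v` output (OpenSSL 1.0.x format), used for
# the stand-alone run below. Columns: NAME PROTOCOL Kx= Au= Enc= Mac=
SAMPLE_CIPHERS_V='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1'

# Read `openssl ciphers -v` lines on stdin and print three lines:
#   weak=<comma list>  suites using RC4, DES, 3DES, RC2, IDEA, NULL, export-strength keys or MD5
#   tls12_only=<n>     remaining suites that need TLS 1.2 or later (AEAD / SHA-2 MACs): what a
#                      client that refuses TLS 1.0 will be offered
#   legacy=<n>         remaining suites from the SSLv3/TLSv1 group: still usable over TLS 1.0
#                      while that protocol is enabled, so the protocol list must disable it
audit_ciphers() {
  awk '
    NF >= 6 {
      weak = 0
      if ($5 ~ /^Enc=(RC4|DES|3DES|RC2|IDEA|NULL|None)/) weak = 1
      if ($5 ~ /\((40|56)\)/) weak = 1
      if ($6 ~ /MD5/) weak = 1
      if (weak) { if (w == "") w = $1; else w = w "," $1 }
      else if ($2 ~ /^TLSv1\.[23]$/) tls12++
      else legacy++
    }
    END {
      printf "weak=%s\n", w
      printf "tls12_only=%d\n", tls12 + 0
      printf "legacy=%d\n", legacy + 0
    }'
}

# Expand a cipher string with the local OpenSSL (the same library the server links
# against) and audit it. `openssl ciphers` exits non-zero when the string selects
# no suites at all, which is one way to end up with ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
audit_list() {
  expanded=$(openssl ciphers -v "$1") || return 1
  printf '%s\n' "$expanded" | audit_ciphers
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_CIPHERS_V" | audit_ciphers
```

To check a real list, call `audit_list 'ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-TLSv1:-EXP'` (or any string from this thread) on the cPanel host itself; a weak= line that is empty and a tls12_only count above zero is the combination to aim for, and the protocol list is still what has to drop TLSv1.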