Skip to main content

PCI Compliance - TLS 1.0 Protocol Detection

Comments

6 comments

  • 24x7server
    Hello :), You can try to to adjust the cipher protocols for the different services with the following URL. How to Adjust Cipher Protocols - cPanel Knowledge Base - cPanel Documentation
    0
  • PromptDev
    Thanks! I had followed that guide but still Im getting the same and it doesn't have any ciphers specification. Which ciphers should I be using? What I'm trying to is to pass the check for TLS 1.0 Protocol Detection, is currently passing for port 443 but is failing in a large number of ports. I thank you very much in advance for pointing me in the right direction. What I have is the following:
    - cPanel & WHM (cpsrvd) TLS/SSL Cipher List ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA TLS/SSL Protocols SSLv23:!SSLv2:!SSLv3 - Web Disk (cpdavd) TLS/SSL Cipher List ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA TLS/SSL Protocols SSLv23:!SSLv2:!SSLv3 - Courier IMAP TLS/SSL Protocol Permit SSL v2 or v3 connections and TLSv1.x connections IMAP TLS/SSL Cipher List ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP POP3 TLS/SSL Protocol Permit SSL v2 or v3 connections and TLSv1.x connections POP3 TLS/SSL Cipher List ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP - Apache SSL Cipher Suite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA SSL/TLS Protocols All -SSLv2 -SSLv3 - Exim tls_require_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA openssl_options +no_sslv2 +no_sslv3 +no_tlsv1
    0
  • cPanelMichael
    Hello :) Could you provide an example of the ports it's failing on? Thank you.
    0
  • PromptDev
    The ports where TLS 1.0 Protocol Detection is failing are the following, as a concrete example I don't have any. Its just that the Security Metrics PCI check its failing due to this. I thank you in advance for the help.
    9010 9008 9005 9002 9001 9000 8891 8890 8889 8888 8802 8791 8790 8789 8788 8732 8731 8595 8586 8585 8463 8448 8447 8446 8445 8444 8443 8442 8441 8440 8243 8200 8140 8113 8100 8091 8090 8088 8087 8086 8085 8084 8083 8082 8081 8080 8031 8003 8002 8001 8000 7799 7777 7070 7004 7002 7001 7000 6590 6581 6580 6561 6560 6512 6511 6510 6100 6002 6000 5701 5671 5443 5223 5222 5060 5006 5001 5000 4500 4482 4443 4431 4430 4343 4243 4001 4000 3443 3333 3030 3002 2598 2222 2200 2100 2083 2082 2020 2000 1935 1494 1207 1111 1000 998 843 772 636 556 491 449 446 444 442 441 440 389 91 85 83 82 81 25 63443 62443 60443 59443 58443 50000 49443 49210 49200 47000 46443 46000 40099 28818 25010 25009 25008 25007 25006 25005 25004 25003 25002 25001 25000 22705 22703 20325 20000 18443 16000 10020 10000 9800 9779 9600 9311 9310 9309 9308 9307 9306 9305 9303 9302 9301 9300 9251 9221 9220 9219 9218 9217 9216 9215 9214 9213 9212 9211 9210 9209 9208 9207 9206 9205 9204 9203 9202 9201 9200 9111 9110 9109 9108 9090 9043 9040 9020 9014
    0
  • PromptDev
    Just found out that that list of ports are actually being reported as open because of the use of a CDN. I'm now in touch with both the CDN provider and Security Metrics to sort this out. I'll post the outcome as soon as I have some more news. Still I'd like to ask for your help on how to disable TLS v1.0 So far I changed the SSL Cipher Suite in the Apache Global Config to: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH And also tried to use this as SSL/TLS Protocols in the Apache Global Config: SSLv23:!SSLv2:!SSLv3:!TLSv1 but it didn't work, it returned: Configuration problem detected on line 220 of file /usr/local/apache/conf/httpd.conf.work.6sDKYtkRenR_AbrX: SSLProtocol: Illegal protocol 'SSLv23:!SSLv2:!SSLv3:!TLSv1' Many thanks in advance.
    0
  • cPanelMichael
    You may find this thread helpful: I need to disable TLS v1.0 Thank you.
    0

Please sign in to leave a comment.