Jun 302009
 

On this post we are going to show how to quickly patch a common PCI Vulnerability Alert that says something like this:
“The remote service appears to encrypt traffic using SSL protocol version 2?.

In Apache common ports 80 and 443, you need to modify the SSLCipherSuite directive in the httpd.conf or ssl.conf file.
An example would be editing the following lines to something like:

1.
SSLProtocol -ALL +SSLv3 +TLSv1
2.
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

After you have done this, if you see you are still getting PCI Compliance vulnerability emails regarding to this issue its probably that cPanel is still allowing SSLv2 on their ports.

To quickly disable SSL version 2 on cPanel ports: 2082, 2083, 2086, 2087, 2095, 2096. You will need to do the following:

edit /var/cpanel/cpanel.config and change nativessl=1 to nativessl=0

This will make cPanel to use sTunnel.

edit /usr/local/cpanel/etc/stunnel/default/stunnel.conf

and add:

1.
options = NO_SSLv2

just below the “Authentication stuff” tab.

After you have done all this you will need to restart cPanel:

1.
/etc/init.d/cpanel restart

Done!

How to quickly check this?

SSH to your server and type the following commands

1.
[email protected] [~]# openssl s_client -ssl2 -connect localhost:2096
2.
[email protected] [~]# openssl s_client -ssl2 -connect localhost:2083
3.
[email protected] [~]# openssl s_client -ssl2 -connect localhost:2087
4.
[email protected] [~]# openssl s_client -ssl2 -connect localhost:2086

If everything is fine you should receive something like this,

1.
[email protected] [~]# openssl s_client -ssl2 -connect localhost:2096
2.
CONNECTED(00000003)
3.
write:errno=104

 Posted by at 10:19 am

 Leave a Reply