In this post we show how to quickly fix a common PCI compliance scan finding that reads something like this:
“The remote service appears to encrypt traffic using SSL protocol version 2.”
For Apache (the web server on ports 80 and 443, which is usually the first thing the scanner hits), you need to fix the SSLProtocol and SSLCipherSuite directives in httpd.conf or ssl.conf, in whichever file holds your SSL virtual host.
An example would be editing those two lines to something like:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
The first line stops Apache from negotiating SSLv2 at all; the second removes the SSLv2 cipher suites (and the export-grade and low-strength ones) from what it will offer. Note that SSLv3 has since been deprecated too (RFC 7568) and current PCI DSS guidance also forbids it, so on a server being fixed today you would drop +SSLv3 from the SSLProtocol line as well and keep only TLS.
After you have done this, if you are still getting PCI compliance vulnerability emails about this issue, it is probably because cPanel's own daemon (cpsrvd) is still accepting SSLv2 on its ports, and the Apache directives above have no effect on it.
To quickly disable SSL version 2 on the cPanel ports (2082/2083 for cPanel, 2086/2087 for WHM, 2095/2096 for Webmail; the odd-numbered ones are the SSL ports, the others are plain HTTP), do the following:
Edit /var/cpanel/cpanel.config and change nativessl=1 to nativessl=0.
This makes cPanel hand its SSL ports over to stunnel instead of its built-in SSL implementation, and stunnel's protocol options can be controlled from its config file.
Edit /usr/local/cpanel/etc/stunnel/default/stunnel.conf
and add:
options = NO_SSLv2
just below the “Authentication stuff” comment section.
After you have done all this you will need to restart cPanel:
/etc/init.d/cpanel restart
Done!
How to quickly check this?
SSH to your server and attempt an SSLv2-only handshake against each port with openssl's s_client:
root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2096
root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2083
root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2087
root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2086
The ports that matter are the SSL ones (2083, 2087 and 2096); 2086 is the plain-HTTP WHM port, so a failure there tells you nothing about SSL. If you test from another machine, replace localhost with the server's hostname or IP.
If everything is fine you should receive something like this:
root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2096
CONNECTED(00000003)
write:errno=104
CONNECTED means the TCP connection was accepted; write:errno=104 is ECONNRESET, meaning the server dropped the connection as soon as it saw the SSLv2 ClientHello. If SSLv2 were still enabled you would instead get the server certificate and a session summary showing Protocol : SSLv2. Note that OpenSSL 1.1.0 and later were built without SSLv2 support at all, so on a newer system the -ssl2 option is rejected by s_client itself; in that case run the test from a host with an older OpenSSL, or scan the ports with nmap's ssl-enum-ciphers script.