PCI Compliance in cPanel

PCI scans often fail because of weak SSL ciphers and older protocols. To disable older SSL protocols and weaker ciphers in cPanel, you need to change the way cPanel handles its HTTPS encryption, both in Apache and in the cPanel/WHM services themselves.

Apache

To become fully compliant, SSLv2 and weak ciphers (any cipher less than 128 bits in length) need to be disabled.

Open the main cPanel Apache httpd.conf file at /usr/local/apache/conf/httpd.conf and add the following below all of the 'LoadModule' and 'Include' directives.

SSLProtocol -ALL +SSLv3 +TLSv1

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

In later versions of Apache you need to distill the changes with the cPanel Apache distiller tool, or they will be lost the next time the configuration is rebuilt by EasyApache. To do this, run:

/usr/local/cpanel/bin/apache_conf_distiller --update --main

Once that completes, regenerate httpd.conf and confirm that your changes have been preserved:

/scripts/rebuildhttpdconf

Cpanel / WHM

cPanel uses OpenSSL to handle its SSL connections, but there is no option in its configuration to control which protocols and ciphers it accepts.

sTunnel is an SSL wrapper service that handles the SSL functions for any program that uses TCP connections. When a connection is made to a port sTunnel is listening on, sTunnel terminates the SSL session (it holds the certificate and keys and performs all the encryption work) and relays the connection and data to the configured unencrypted destination port. This way any application that uses TCP ports can be SSL-enabled quickly and easily.

  • Open /var/cpanel/cpanel.config.
  • Look for nativessl=1 and change it to nativessl=0. This makes cPanel use sTunnel instead of its own OpenSSL handling.
  • Update the sTunnel configuration at /usr/local/cpanel/etc/stunnel/default/stunnel.conf:
    • Add the following just below the Authentication directive: options = NO_SSLv2
    • On the next line after the options directive add: ciphers = !LOW:MEDIUM:HIGH

This instructs sTunnel, and therefore cPanel, not to use ciphers designated as low-strength encryption (<= 64 bits), and to use only medium (mostly 128-bit) and high (mostly >= 256-bit) ciphers.

After you have made these changes you need to restart cPanel:

/etc/init.d/cpanel restart
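As an added example (not from the original article), the script below checks the two files edited above for the settings this article requires, so you can verify the edits before restarting services. The file paths and contents it writes are constructed samples, not a real server's configuration.

```shell
#!/bin/sh
# Added example, not from the original article: audit the two cPanel files
# edited above for the PCI settings it describes. The paths and file contents
# below are constructed samples, not a real server's configuration.

# Apache: the last SSLProtocol line must not enable SSLv2 and the last
# SSLCipherSuite line must remove LOW and EXP(ort) ciphers. Returns 0 if OK.
audit_httpd_conf() {
    proto=$(grep -i '^[[:space:]]*SSLProtocol' "$1" | tail -n 1 | tr '[:lower:]' '[:upper:]')
    suite=$(grep -i '^[[:space:]]*SSLCipherSuite' "$1" | tail -n 1)
    [ -n "$proto" ] && [ -n "$suite" ] || { echo "FAIL: SSL directives missing in $1"; return 1; }
    case "$proto" in
        *+SSLV2*)         echo "FAIL: SSLv2 enabled ($proto)"; return 1 ;;
        *-ALL*|*-SSLV2*)  ;;   # "-ALL +SSLv3 +TLSv1" style, or an explicit -SSLv2
        *)                echo "FAIL: SSLv2 not disabled ($proto)"; return 1 ;;
    esac
    for weak in LOW EXP; do
        echo "$suite" | grep -Eq "[-!]$weak" || { echo "FAIL: $weak ciphers allowed"; return 1; }
    done
    echo "PASS: $1"
}

# stunnel: needs "options = NO_SSLv2" and a ciphers line that excludes LOW.
audit_stunnel_conf() {
    grep -Eqi '^[[:space:]]*options[[:space:]]*=[[:space:]]*NO_SSLv2' "$1" \
        || { echo "FAIL: options = NO_SSLv2 missing in $1"; return 1; }
    ciphers=$(grep -i '^[[:space:]]*ciphers[[:space:]]*=' "$1" | tail -n 1)
    echo "$ciphers" | grep -q '!LOW' || { echo "FAIL: LOW ciphers allowed ($ciphers)"; return 1; }
    echo "PASS: $1"
}

# Constructed samples in $1: a hardened pair and a pair that would still fail a scan.
write_samples() {
    printf 'LoadModule ssl_module modules/mod_ssl.so\nSSLProtocol -ALL +SSLv3 +TLSv1\nSSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP\n' > "$1/httpd.good"
    printf 'LoadModule ssl_module modules/mod_ssl.so\nSSLProtocol all\nSSLCipherSuite ALL:!ADH:+HIGH:+MEDIUM\n' > "$1/httpd.bad"
    printf '; constructed sample\noptions = NO_SSLv2\nciphers = !LOW:MEDIUM:HIGH\n' > "$1/stunnel.good"
    printf '; constructed sample\nciphers = ALL\n' > "$1/stunnel.bad"
}

TMP=$(mktemp -d); write_samples "$TMP"
audit_httpd_conf "$TMP/httpd.good";     audit_httpd_conf "$TMP/httpd.bad"
audit_stunnel_conf "$TMP/stunnel.good"; audit_stunnel_conf "$TMP/stunnel.bad"
rm -rf "$TMP"
```

On a real server, point the two audit functions at /usr/local/apache/conf/httpd.conf and /usr/local/cpanel/etc/stunnel/default/stunnel.conf instead of the samples.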

Testing your work

SSH to a Linux server with curl installed and run the following commands against your server.

Check that SSLv2 is disabled on Apache

curl -Iv2 https://1.2.3.4

This instructs curl to:

  • make an SSL connection (https://),
  • download only the headers (-I),
  • do it in verbose mode so we can see what the problems were, if there were any (-v),
  • only download using the SSLv2 protocol (-2).

The last line should be an error, meaning curl could not negotiate a connection. The error must come from the server refusing the handshake; a curl build whose OpenSSL has no SSLv2 support fails before connecting, which proves nothing about the server.

Check that weak ciphers are disabled in Apache

curl -Iv --ciphers 'LOW' https://1.2.3.4

This instructs curl to:

  • make an SSL connection (https://),
  • download only the headers (-I),
  • do it in verbose mode so we can see what the problems were, if there were any (-v),
  • use the highest available SSL protocol, but offer only weak ciphers (--ciphers 'LOW').

The last line should be an error, meaning curl could not negotiate a connection.

Check SSLv2 and weak ciphers on the cPanel/WHM https ports

Follow the same steps above, using the WHM port in the URL (i.e. https://1.2.3.4:2078).
