In this post we are going to show how to quickly patch a common PCI vulnerability alert that says something like this:
“The remote service appears to encrypt traffic using SSL protocol version 2”.

For Apache's usual ports 80 and 443, you need to modify the SSLProtocol and SSLCipherSuite directives in the httpd.conf or ssl.conf file.
An example would be editing the following lines to something like:

  SSLProtocol -ALL +SSLv3 +TLSv1
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

After you have done this, if you are still getting PCI compliance vulnerability emails about this issue, it is probably because cPanel is still allowing SSLv2 on its own ports.

To quickly disable SSL version 2 on the cPanel ports (2082, 2083, 2086, 2087, 2095 and 2096), do the following:

Edit /var/cpanel/cpanel.config and change nativessl=1 to nativessl=0.

This will make cPanel use stunnel.

Edit /usr/local/cpanel/etc/stunnel/default/stunnel.conf

and add:

  options = NO_SSLv2

just below the “# Authentication stuff” section.

After you have done all this you will need to restart cPanel:

  /etc/init.d/cpanel restart

Done!

How to quickly check this?

SSH to your server and type the following commands:

  root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2096
  root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2083
  root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2087
  root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2086

If everything is fine, you should see something like this (the server drops the SSLv2 hello instead of negotiating a session):

  root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2096
  CONNECTED(00000003)
  write:errno=104
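The manual check above is easy to misread: a modern OpenSSL client no longer accepts `-ssl2` at all, so the command fails before it ever talks to the server, which looks like a pass but proves nothing. As an added example (not code from the original post or from cPanel), the following POSIX shell script runs the same `openssl s_client -ssl2` probe against every cPanel port listed in the post and classifies the output, distinguishing "SSLv2 refused by the server" from "no listener on that port" and from "local openssl cannot speak SSLv2". The host name and the port list are assumptions you can change; the sample outputs in the comments are constructed from typical OpenSSL messages.

```shell
#!/bin/sh
# Added example: classify "openssl s_client -ssl2" output per cPanel port.
# Assumptions: openssl is on PATH, target host defaults to localhost, and
# the port list is the one from the post (2082, 2083, 2086, 2087, 2095, 2096).

# classify_sslv2_output TEXT
# Prints one word describing what the probe output means:
#   refused     - server dropped the SSLv2 hello (e.g. "write:errno=104"),
#                 which is the result the post expects after the fix
#   accepted    - a session was negotiated with "Protocol  : SSLv2"
#   no_listener - nothing listening on that port (connect: Connection refused)
#   unsupported - local openssl was built without SSLv2; the test is
#                 inconclusive, not a pass
#   unknown     - anything else; inspect by hand
classify_sslv2_output() {
    # Lower-case once so the patterns work across OpenSSL versions
    lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$lc" in
        *"unknown option"*)          echo unsupported ;;
        *"connection refused"*)      echo no_listener ;;
        *"protocol  : sslv2"*)       echo accepted ;;
        *"write:errno="*|*"handshake failure"*) echo refused ;;
        *)                           echo unknown ;;
    esac
}

# check_port HOST PORT - run the probe and classify its combined output.
# stdin is redirected from /dev/null so s_client exits instead of waiting.
check_port() {
    host="$1"
    port="$2"
    out=$(openssl s_client -ssl2 -connect "$host:$port" </dev/null 2>&1)
    classify_sslv2_output "$out"
}

# scan_cpanel_ports [HOST] - one line of "host:port verdict" per port
scan_cpanel_ports() {
    host="${1:-localhost}"
    for p in 2082 2083 2086 2087 2095 2096; do
        printf '%s:%s %s\n' "$host" "$p" "$(check_port "$host" "$p")"
    done
}

# Usage: sh check_sslv2.sh [host]
if [ "$#" -gt 0 ]; then
    scan_cpanel_ports "$1"
fi
```

Run it as `sh check_sslv2.sh localhost` from the cPanel box. Any port reporting `accepted` still needs the stunnel change; a column of `unsupported` means the client, not the server, is the limitation, and you need an older OpenSSL build (or a scanner that still implements SSLv2) to confirm the fix.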

2 Responses to “Disable SSLv2 on cPanel and Apache Ports”

  1. nathan on 14 Aug 2009 at 8:39 pm

    I am not sure where I need to add options = NO_SSLv2

    It is working and finding certificate. Please help!

  2. Nick on 17 Aug 2009 at 2:30 pm

    Hello nathan,

    “options = NO_SSLv2” needs to be placed under the # Authentication stuff section.
