Archive for the tag 'PCI Compliance Vulnerability'

In this post we show how to quickly patch a common PCI vulnerability alert that reads something like this:
“The remote service appears to encrypt traffic using SSL protocol version 2”.

For Apache on the common ports 80 and 443, you need to modify the SSLCipherSuite directive in the httpd.conf or ssl.conf file.
An example would be editing the relevant lines to something like:

  SSLProtocol -ALL +SSLv3 +TLSv1

If you are still getting PCI compliance vulnerability emails about this issue after making that change, it is probably because cPanel is still allowing SSLv2 on its own ports.

To quickly disable SSL version 2 on the cPanel ports (2082, 2083, 2086, 2087, 2095, 2096), you will need to do the following:

Edit /var/cpanel/cpanel.config and change nativessl=1 to nativessl=0.

This makes cPanel use stunnel.

Then edit /usr/local/cpanel/etc/stunnel/default/stunnel.conf

and add:

  options = NO_SSLv2

just below the “Authentication stuff” tab.

After you have done all this you will need to restart cPanel:

  /etc/init.d/cpanel restart


How to quickly check this?

SSH to your server and type the following commands:

  root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2096
  root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2083
  root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2087
  root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2086

If everything is fine you should receive something like this:

  root@cPanel [~]# openssl s_client -ssl2 -connect localhost:2096
  CONNECTED(00000003)
  write:errno=104
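
To complement the live handshake test, the following script audits the three files edited above for the settings this post describes. It is an added example, not part of the original post or of cPanel; the function names are hypothetical, and it assumes that an Apache file with no active SSLProtocol line should be reported as still allowing SSLv2.

```sh
#!/bin/sh
# Added example: audit the settings this post changes. File paths are arguments.

# 0 if cpanel.config sets nativessl=0 (cPanel hands SSL to stunnel).
nativessl_off() {
    grep -Eq '^[[:space:]]*nativessl[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1"
}

# 0 if stunnel.conf has an uncommented "options = NO_SSLv2" line.
stunnel_no_sslv2() {
    grep -Eq '^[[:space:]]*options[[:space:]]*=[[:space:]]*NO_SSLv2[[:space:]]*$' "$1"
}

# 0 if every active SSLProtocol line leaves SSLv2 off. Tokens are applied left
# to right: +X adds, -X removes, a bare name replaces the set.
# Assumption: a file with no SSLProtocol line is reported as still allowing SSLv2.
apache_no_sslv2() {
    awk '
        tolower($1) == "sslprotocol" {
            seen = 1; v2 = 0
            for (i = 2; i <= NF; i++) {
                t = tolower($i)
                if (t == "all" || t == "+all" || t == "sslv2" || t == "+sslv2") v2 = 1
                else if (t == "-all" || t == "-sslv2") v2 = 0
                else if (t !~ /^[+-]/) v2 = 0
            }
            if (v2) bad = 1
        }
        END { exit (bad || !seen) }
    ' "$1"
}

# Usage: audit <cpanel.config> <stunnel.conf> <httpd.conf or ssl.conf>
audit() {
    rc=0
    nativessl_off "$1"    || { echo "FAIL: nativessl is not 0 in $1"; rc=1; }
    stunnel_no_sslv2 "$2" || { echo "FAIL: no options = NO_SSLv2 in $2"; rc=1; }
    apache_no_sslv2 "$3"  || { echo "FAIL: SSLv2 still allowed by $3"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: SSLv2 is disabled in all three files"
    return "$rc"
}

if [ "$#" -eq 3 ]; then audit "$@"; fi
```

Run it with the three file paths as arguments; it exits non-zero if any of the settings is missing. It does not follow Apache Include directives, so point it at the file that actually holds the SSL settings.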