So we are trying to clean up the last few items that Hackersafe is flagging as PCI compliance issues on our RHEL 4 server. One of the remaining issues is weak ciphers on the WHM/cPanel ports. I thought I had this fixed several months ago, but either somehow it got reverted back, or I mistakenly thought it was fixed.
Hackersafe & Foundstone's "SSLDigger" both report SSLv3/TLSv1, but finds low and medium strength ciphers still enabled.
I seem to only find two references to this issue:
One is this serverbuddies blog: http://blog.serverbuddies.com/ where it has you do this to disable SSL version 2 for WHM/cPanel. That seemed to resolve the SSL/TLS version, but the weak ciphers remain.
The other is a release note (http://www.cpanel.net/products/cpwhm/releases/releasenotes/11.24/cPanel-11.24.html) for the 11.24 WHM version, which we are on, which seems to state that by default the weak ciphers are already disabled. Here is what it says:
"To assist you in reaching PCI Compliance, a number of changes were made. By default, the following services have support for weak ciphers disabled: IMAP, POP3, SMTP, cPanel/WHM/Webmail, Webdisk, FTP. Support for weak ciphers can be re-enabled by using the service specific Configuration interface in WHM. There is no interface for re-enabling weak cipher support for cPanel, WHM, Webmail or Webdisk."
So I am a bit confused as to what is going on here. Why would the weak ciphers still be enabled for WHM/cPanel 11.24? This doesn't seem to be a common problem.
Thanks for any help or insight.
Kelly
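A way to check for yourself which cipher suites the WHM/cPanel listeners actually accept, independent of what the scanners report, is to offer each cipher on its own and see which handshakes complete. The script below is an added example, not from the post or from cPanel; it assumes the standard cPanel (2083) and WHM (2087) SSL ports and uses my own weak/medium bands, and it can only probe the protocol versions and suites the local OpenSSL still allows, so run it from a client with an old enough TLS stack to mirror what the PCI scanner does.

```python
import socket
import ssl

# Assumed WHM/cPanel TLS ports; the post names the services but not the port numbers.
CPANEL_PORTS = {"cPanel": 2083, "WHM": 2087}

def classify_cipher(cipher):
    """Bucket a cipher as 'weak', 'medium' or 'strong' (my own heuristic bands).
    `cipher` is shaped like an ssl.SSLContext.get_ciphers() entry: 'name', 'strength_bits'.
    Export, NULL and <112-bit suites are weak; RC4, 3DES and <128-bit suites are medium."""
    name, bits = cipher["name"].upper(), cipher["strength_bits"]
    if bits < 112 or "NULL" in name or name.startswith("EXP"):
        return "weak"
    if bits < 128 or "RC4" in name or "DES-CBC3" in name or "3DES" in name:
        return "medium"
    return "strong"

def findings(accepted_names, catalogue):
    """Map each accepted cipher that is not 'strong' to its label; unknown names are skipped."""
    by_name = {c["name"]: c for c in catalogue}
    labels = {n: classify_cipher(by_name[n]) for n in accepted_names if n in by_name}
    return {n: lbl for n, lbl in labels.items() if lbl != "strong"}

def accepted_ciphers(host, port, timeout=5.0):
    """Offer each locally available TLS<=1.2 cipher on its own and keep the ones the
    server completes a handshake with. Needs network access to the target."""
    accepted = set()
    for entry in ssl.create_default_context().get_ciphers():
        probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        probe.check_hostname, probe.verify_mode = False, ssl.CERT_NONE  # enumerating, not validating
        probe.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 suites cannot be picked via set_ciphers
        try:
            probe.set_ciphers(entry["name"])
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with probe.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.add(tls.cipher()[0])
        except (OSError, ssl.SSLError):
            continue  # not configurable locally, or rejected by the server
    return sorted(accepted)

def scan(host, ports=CPANEL_PORTS):
    """Return {service: {cipher: label}} for the weak/medium ciphers each port accepts."""
    catalogue = ssl.create_default_context().get_ciphers()
    return {svc: findings(accepted_ciphers(host, port), catalogue) for svc, port in ports.items()}

if __name__ == "__main__":
    import sys
    for svc, bad in scan(sys.argv[1]).items():
        print(svc, bad or "no weak/medium ciphers accepted")
```

If the list comes back empty from a modern client but the scanner still flags the port, the difference is usually SSLv3/TLSv1-only suites that the local OpenSSL no longer offers, so compare against the scanner's own cipher list before concluding the server is clean.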
