Help -- PCI Compliance SSLv2 and vhosts

jw00dy (Verified User; joined Dec 6, 2004; 368 messages; Utah, USA)
I have disabled SSLv2 for the main server IP by following this thread: http://www.directadmin.com/forum/showthread.php?t=22787

I however cannot get any of the virtual hosts to show sslv2 disabled.

I have edited and added the following to these files:

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!EXP:-MEDIUM:+HIGH

/usr/local/directadmin/data/templates/custom/ips_virtual_host.conf

/etc/httpd/conf/httpd.conf
/etc/httpd/conf/ips.conf

/etc/httpd/conf/extra/httpd-ssl.conf
/etc/httpd/conf/extra/httpd-vhosts.conf

Restarted apache (1.3.x) with no success in disabling SSLv2 :(

Can anyone help me get this sorted?

Anyone running Apache 1.3 and passing PCI compliance? If so, what did you change, and in what files?

Please let me know if you need more information and I'll provide it.

I'm getting desperate to get this solved.
 
Hey,

Not 1.3 but a 2.0 that has passed PCI compliance...

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

David
 
Direct Admin support of course.

Ok let me just point out that DirectAdmin support is by email. They do not have a ticket system. That is why I asked the question. Since you cannot fill out a ticket with DirectAdmin support I wanted to know who you were going to submit a ticket to.

This is not in the thread you referred to:
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!EXP:-MEDIUM:+HIGH

I don't know where you got the above from.

The thread says this worked:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Have you tried that?
 
Thank you both for your help.

floyd, I am pretty sure I did try exactly what was in that thread without luck. Just for kicks I just tried it again.

The main server fails with SSLv2:

openssl s_client -port 443 -host 96.31.75.130 -ssl2

CONNECTED(00000003)
write:errno=104

However the vhosts work just fine returning the certificate and even says SSLv2 :(

So the SSLCipher is not the issue -- I may have thought it was in my original post, but based on testing, I don't believe it is -- Honestly, I was so flustered I'm not sure I was thinking very clearly.

Though it would be very handy to have a recommended Cipher Suite -- though I do like skrufs.

So, the problem is I can't get SSLv2 disabled on the vhosts, but I can and it is on the main IP. I need it disabled for everyone. Is that more clear?

As far as the ticket, I know it's just an email, but it serves the same purpose.

Again, thank you both for your help -- I really do appreciate it.
 
Hello,

I've tested a few locations in the configs to add this to, to keep it simple yet still have it work for *all* IPs and connections. It appears as though this setting, when added to the <VirtualHost _default_:443>, does not propagate to all other 443 VHs. The simple solution I found was to do nothing more than add this one line at the bottom of the httpd-ssl.conf, outside of <VirtualHost _default_:443>.

Run this code, then restart apache:
Code:
echo "SSLProtocol -ALL +SSLv3 +TLSv1" >> /etc/httpd/conf/extra/httpd-ssl.conf
Everything else remains untouched and completely default.

John
 
Thank you John.

I removed /usr/local/directadmin/data/templates/custom/ips_virtual_host.conf so it wouldn't rewrite the ips.conf

Then from custombuild I ran ./build rewrite_confs which rewrote all confs to default.

I then ran your command:
Code:
echo "SSLProtocol -ALL +SSLv3 +TLSv1" >> /etc/httpd/conf/extra/httpd-ssl.conf
and restarted apache.

Then I tested the main server IP to see what the results would be:
Code:
# openssl s_client -port 443 -host "96.31.75.130" -ssl2
CONNECTED(00000003)
depth=0 /C=US/ST=Utah/L=Tooele/O=JDub Consulting, Inc./OU=Online Services/CN=srv01.jdubconsulting.com/[email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Utah/L=Tooele/O=JDub Consulting, Inc./OU=Online Services/CN=srv01.jdubconsulting.com/[email protected]
verify return:1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFCTCCA/GgAwIBAgIJAKc7lvUTy7ZOMA0GCSqGSIb3DQEBBQUAMIGzMQswCQYD
VQQGEwJVUzENMAsGA1U... (shortened on purpose)
-----END CERTIFICATE-----
subject=/C=US/ST=Utah/L=Tooele/O=JDub Consulting, Inc./OU=Online Services/CN=srv01.jdubconsulting.com/[email protected]
issuer=/C=US/ST=Utah/L=Tooele/O=JDub Consulting, Inc./OU=Online Services/CN=srv01.jdubconsulting.com/[email protected]
---
No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
RC4-MD5         EXP-RC4-MD5     RC2-CBC-MD5    
EXP-RC2-CBC-MD5 DES-CBC-MD5     DES-CBC3-MD5
---
SSL handshake has read 1426 bytes and written 364 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Session-ID: 2785C0519F231E50D6BB2043F31334D7
    Session-ID-ctx: 
    Master-Key: 07FED7C7D25E16EA6CB786E423E13105E28E7A06AB04F938
    Key-Arg   : 51258A7169EA72EA
    Krb5 Principal: None
    Start Time: 1273083847
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

close
I get similar results with the other IPs. Did I do something wrong because it didn't seem to work.
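The test above was run by hand against one IP at a time, and a scan for PCI looks at every address the box answers on. The script below is an added example for this thread (not DirectAdmin's or the poster's code): it pulls the IPs out of every <VirtualHost ...:443> block in an httpd.conf, tries an SSLv2, SSLv3 and TLS 1.0 handshake against each with openssl s_client, and reports which were accepted. It keys off the "New, <proto>, Cipher is <cipher>" line rather than the SSL-Session block, because s_client still prints an SSL-Session block (with Cipher 0000) when the handshake fails. The IPs, file layout and the openssl flags are assumptions: -ssl2 needs an OpenSSL 0.9.8/1.0.x build, since 1.1.0 removed SSLv2 and most distributions also build without SSLv3, and a build that lacks the flag is reported as untestable rather than as a pass.

```shell
#!/bin/sh
# ssl_audit.sh: probe every :443 vhost IP for the legacy protocol versions a
# PCI scan flags. Added example, not code from the thread or DirectAdmin.
# Assumes an openssl that still understands -ssl2/-ssl3 (0.9.8 / 1.0.x).

# Reduce s_client output on stdin to "<proto> <cipher>" for a completed
# handshake, or "none" when nothing was negotiated: the "New, ..." line is
# missing (the thread's write:errno=104 case) or reads "(NONE)".
negotiated_protocol() {
  awk '
    /^New, / {
      split($0, parts, ", ")
      proto = parts[2]
      cipher = $0
      sub(/.*Cipher is /, "", cipher)
    }
    END {
      if (proto == "" || cipher == "(NONE)") print "none"
      else print proto " " cipher
    }'
}

# IPs of every <VirtualHost ...:443> in a config file; the IP may be quoted or
# bare (the thread shows both forms). _default_ is not an IP and is skipped.
ssl_vhost_ips() {
  sed -n 's/^[[:space:]]*<VirtualHost[[:space:]]*"\{0,1\}\([0-9.][0-9.]*\)"\{0,1\}:443>.*/\1/p' "$1" | sort -u
}

# One handshake attempt; $3 is the s_client protocol flag (-ssl2, -ssl3, -tls1).
# An openssl that does not know the flag is reported as "unsupported" so a
# missing feature is never mistaken for a refused handshake.
probe() {
  command -v openssl >/dev/null 2>&1 || { echo unsupported; return; }
  out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1) || true
  if printf '%s\n' "$out" | grep -qi 'unknown option'; then
    echo unsupported
  else
    printf '%s\n' "$out" | negotiated_protocol
  fi
}

# One line per IP and protocol. In 2010 only SSLv2 had to come back "refused";
# PCI DSS 3.1 and later require SSLv3 and TLS 1.0 to be refused as well.
audit() {
  port=$1; shift
  for ip in "$@"; do
    for flag in -ssl2 -ssl3 -tls1; do
      result=$(probe "$ip" "$port" "$flag")
      case $result in
        none)        status=refused ;;
        unsupported) status="untestable with this openssl" ;;
        *)           status="ACCEPTED ($result)" ;;
      esac
      printf '%-15s %-6s %s\n' "$ip" "$flag" "$status"
    done
  done
}

# Usage: sh ssl_audit.sh /etc/httpd/conf/httpd.conf
# With no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
  audit 443 $(ssl_vhost_ips "$1")
fi
```

Point it at the file that actually carries the SSL vhosts on your build (httpd.conf for customapache, ips.conf on a CustomBuild box) and run it after every restart; a line reading ACCEPTED for -ssl2 on any IP is exactly the condition the thread is chasing.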
 
John or anyone? My above post shows what I did and this did not fix the problem.

Any other suggestions?
 
I checked your IP, and you're using apache 1.3 with customapache: The paths are different.
Try adding that line to /etc/httpd/conf/httpd.conf at the bottom.

Note that I'm not sure if apache 1.3 supports the SSLProtocol option or not.

John
 
Correct, and that did the trick. Thank YOU!

I added it to the end of the httpd.conf file right after </VirtualHost> and before the DA Include files section.
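Why the placement matters, shown as an added configuration example rather than anything posted in the thread: mod_ssl directives inside a <VirtualHost> bind only to that host, so an SSLProtocol line inside <VirtualHost _default_:443> governs only connections that fall through to the default host, while every per-IP vhost without its own SSLProtocol stays on mod_ssl's built-in default, which in the mod_ssl 2.8 shipped with Apache 1.3 still includes SSLv2. A directive in server context (outside every <VirtualHost>) is inherited by each SSL vhost that does not override it, which is what appending the line after the last </VirtualHost> achieved. The SSLCipherSuite lines in the thread are not the control here: "!SSLv2" there only drops SSLv2-era ciphers from the offered list, and the protocol itself is decided by SSLProtocol. The certificate paths and IP below are illustrative; the second part is a present-day equivalent, since PCI DSS 3.1 and later no longer accept SSLv3 or TLS 1.0 either.

```apache
# Server context (outside every <VirtualHost>): inherited by each SSL vhost
# that does not set its own SSLProtocol / SSLCipherSuite. This is the line
# the thread ended up appending after the last </VirtualHost> in httpd.conf.
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

# Directives in here bind to the default host only. Putting SSLProtocol here
# (the first thing tried) leaves every per-IP vhost on mod_ssl's own default.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>

# A per-IP vhost of the kind DirectAdmin writes (paths illustrative).
# No SSLProtocol of its own, so it inherits the server-level setting.
<VirtualHost 96.31.75.130:443>
    ServerName srv01.jdubconsulting.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>

# Present-day equivalent for httpd 2.4 in server context. SSLv2 no longer
# exists in current OpenSSL or httpd, so it need not be named; SSLv3 and
# TLS 1.0/1.1 are switched off explicitly and the server's cipher order wins.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on
SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES
```

After editing, run `apachectl configtest` before the restart (mod_ssl rejects an SSLProtocol keyword it does not know, so a typo here takes the whole server down), then repeat the s_client check against every IP rather than only the main one.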
 
Glad you got it fixed. But the solution was also the thread you referred to in your first post.

For Apache we have found that the following additions to the httpd.conf file are the way to go. Under the <VirtualHost "IP of Host Server":443> we have added the following directives (this is not the <VirtualHost _default_:443> section - look further down in your httpd.conf):

SSLOptions +StrictRequire
SSLProtocol -all +TLSv1 +SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
 
Thanks floyd, but that's not very clear and from what it says it's in the <VirtualHost xxx.xxx.xxx.xxx:443> section and what I added is NOT in that section. I tried that and it did not work.

Again, thanks all of you for your help.
 
from what it says it's in the <VirtualHost xxx.xxx.xxx.xxx:443> section and what I added is NOT in that section. I tried that and it did not work.

It most certainly does NOT say that it is in the <VirtualHost xxx.xxx.xxx.xxx:443>. In fact it very specifically said that it was not and that it was below that section.

What you ended up doing is exactly what was said to do.

I am trying to help you and others to see that you have to really pay attention to what is said and follow the instructions exactly.
 
Sorry. I was just trying to show you where you made your mistake so you would not repeat it. I have had to do the exact same thing before to pass PCI Compliance. I know exactly what has to be done. I have done it. I have a working example. I pass PCI Compliance every quarter. I tried to help you.
 
Thank you for your help again. That section just wasn't clear enough for me to "get it" as you can see.

It's all good. Again, thanks for your help.
 