PCI compliance / weak cipher suites

[Alwaysonline]

I am performing PCI compliance upgrades for a client with DirectAdmin,
and the PCI vendor's report complains that DirectAdmin (they specifically say port 2222) is using weak/medium cipher suites.

I have already added 'ssl_cipher=SSLv3' to directadmin.conf as per http://www.directadmin.com/features.php?id=957, and the directadmin service has been restarted (that was yesterday).

This is on CentOS 4.8 (ancient, but not a lot I can immediately do about that), with DirectAdmin 1.37.0

The following is some info from the report:

Here is the list of weak SSL ciphers supported by the remote server :

Null Ciphers (no encryption)
SSLv3
NULL-MD5 Kx=RSA Au=RSA Enc=None Mac=MD5
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1
TLSv1
NULL-MD5 Kx=RSA Au=RSA Enc=None Mac=MD5
NULL-SHA Kx=RSA Au=RSA Enc=None Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

Here are the medium strength SSL ciphers supported by the remote server :

Medium Strength Ciphers (>= 56-bit and < 112-bit key)
SSLv3
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
TLSv1
EXP1024-DES-CBC-SHA Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 export
EXP1024-RC2-CBC-MD5 Kx=RSA(1024) Au=RSA Enc=RC2(56) Mac=MD5 export
EXP1024-RC4-MD5 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=MD5 export
EXP1024-RC4-SHA Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1

The fields above are :

{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}

I can add :!MEDIUM:!LOW in addition to SSLv3, but won't know if that does the trick until the scan completes another round in, say, 4 hours.

My questions:
What does the DA knowledgebase consider "PCI compliance",
and
Does the ssl_cipher option in directadmin.conf cover Apache, DA, or both?

Regards,
Bryan

 

[mr.applesauce]

directadmin.conf has nothing to do with apache

 

[Alwaysonline]

directadmin.conf has nothing to do with apache

I figured this was the case but wasn't entirely sure.

Thanks.

 

[TheAncient]

SSL NULL Encryption Supported Configure your SSL server to only use higher-grade encryption.
This SSL service supports connections using NULL encryption. NULL encryption
leaves the communication channel in plain text and susceptible to eavesdropping
attacks.
5.8
CVSSv2: AV:N/AC:M/Au:N/C/I/A:N (5.8)
Reference: http://www.schneier.com/paper-ssl.pdf
Service: http
Evidence:
Cipher: NULL-MD5
Cipher: NULL-SHA
Cipher: NULL-MD5
Cipher: NULL-SHA


I am testing with,
openssl s_client -connect localhost:2222 -cipher NULL


I haven not been able to find any "ssl_cipher=" for directadmin.conf that will remove NULL-SHA and NULL-MD5. I dont think there is a method.

They even say to use "HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL" in their own PCI report, but that didnt remove the null-sha and null-md5 cipher, the test still connects.


Have you found an ssl_cipher for directadmin that will satisfy PCI compliance?

Im just going to have to firewall off port 2222

 

[flamewalker]

I put this:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

in /etc/httpd/conf/extra/httpd-ssl.conf, and it seemed to pass after that for me.

 

[DenRomano]

I have the same problem but when I entered the line you quoted into the same file it still did not pass. I restarted apache but nothing.

Does anyone have any other places it may need to go?

 

[Arieh]

See this thread

You need to edit the existing SSLCipherSuite in /etc/httpd/conf/extra/httpd-ssl.conf in the <VirtualHost _default_:443>

But also at the very bottom of the file, under </VirtualHost>

 

[DenRomano]

Thanks for the info but that did not solve the problem. I think in my case the port that is the problem is 2222 and that is maybe why the changes did not effect it

 

[nobaloney]

DirectAdmin doesn't run apache; it has it's own webserver. Have you searched the Knowledgebase?

Jeff

 

[propcgamer]

DenRomano, after making the change to directadmin.conf, did you restart directadmin?

 

[DenRomano]

yes, I restarted both direct admin and http

So Are you saying that these changes should have effected the port 2222?

here is what trustwave told me to do to check if my changes worked. BOth of the openssl commands below should reply the same and they do not

openssl s_client -connect www.lights-hardware.com:2222 -cipher COMPLEMENTOFALL:ALL+aNULL

openssl s_client -connect www.lights-hardware.com:443 -cipher COMPLEMENTOFALL:ALL+aNULL


The port 443 replies as they say they need it to (as below)

CONNECTED(00000003)
25206:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:

 

[DenRomano]

also I use

/etc/init.d/directadmin restart


To restart directadmin

 

[LawsHosting]

Actually, both ports fail for me too, even though its setup as instructed ( http://www.directadmin.com/features.php?id=957 )

 

[DenRomano]

I got it to work by following this post

http://www.directadmin.com/features.php?id=957

and doing what it said on the last line