Trying to prevent TLS 1.0 and 1.1 support for PCI

wex65
Posts: 10
Joined: 2020/12/23 20:57:43

Trying to prevent TLS 1.0 and 1.1 support for PCI

Post by wex65 » 2021/05/06 21:58:12

I have a Linode hosted CentOS 7 server which is giving me PCI failures as it supports TLS v1.0/1.1.

I have done some research and found a need to insert into the httpd.conf file the following line

SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1

However, I suspect my httpd.conf instead hands off SSL protocol to a separate file as it includes the lines

# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf

I removed the # to include the httpd-ssl.conf file and inserted the "SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1" into that file.

I restarted Apache and all seemed fine but...I ran the command 'openssl ciphers -v | awk '{print $2}' | sort | uniq' which shows the following:

SSLv3
TLSv1
TLSv1.2
TLSv1.3

So it seems my line is not being observed OR there is another place I need to insert it also?

Is there a way to find why the SSLProtocol line is not being respected?

Many thanks for any input or guidance

Paul
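Two things worth separating here: `openssl ciphers -v` reports what the local OpenSSL library can do, not what this httpd will negotiate, and an SSLProtocol line only counts if it sits in a file the running httpd actually includes. The following is an added example, not code from the thread or from Apache: it walks a config tree following Include/IncludeOptional the way httpd resolves them (relative to ServerRoot, wildcards or whole directories, '#' lines ignored) and reports each SSLProtocol line that would really be loaded; SAMPLE_TREE, its paths and contents are constructed to mirror the situation described above.

```python
import fnmatch
import re

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # what 'all' means in Apache 2.4
WEAK = {"SSLv3", "TLSv1", "TLSv1.1"}                                   # what a PCI scan will flag
DIRECTIVE = re.compile(r"^\s*(Include|IncludeOptional|SSLProtocol)\s+(\S.*?)\s*$", re.I)

# Constructed sample tree (ServerRoot-relative paths): the httpd-ssl.conf include is
# still commented out, so its SSLProtocol line is never read, while the vhost file
# that *is* included only drops SSLv3.
SAMPLE_TREE = {
    "conf/httpd.conf": "Listen 80\n# Secure (SSL/TLS) connections\n"
                       "#Include conf/extra/httpd-ssl.conf\n"
                       "IncludeOptional conf/vhosts/*.conf\n",
    "conf/extra/httpd-ssl.conf": "SSLProtocol all -SSLv3 -SSLv2 -TLSv1 -TLSv1.1\n",
    "conf/vhosts/shop.conf": "<VirtualHost *:443>\n  SSLProtocol all -SSLv3\n</VirtualHost>\n",
}


def walk_config(tree, path, depth=0):
    """Yield (file, value) for each live SSLProtocol reachable from `path`,
    descending into Include/IncludeOptional targets (wildcards or directories)."""
    if depth > 128:                   # httpd itself caps include nesting
        raise RecursionError(f"include nesting too deep at {path}")
    for line in tree[path].splitlines():
        m = DIRECTIVE.match(line)     # a '#'-prefixed line never matches
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip('"')
        if name == "sslprotocol":
            yield path, value
        else:
            for inc in sorted(p for p in tree if fnmatch.fnmatch(p, value)
                              or p.startswith(value.rstrip("/") + "/")):
                yield from walk_config(tree, inc, depth + 1)


def enabled_protocols(value):
    """Apply SSLProtocol tokens: 'all' is the full set, '+X' or bare X adds, '-X' removes."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if sign == "-" else enabled | names
    return enabled


def weak_tls_report(tree, main_conf="conf/httpd.conf"):
    """[(file, value, still_weak)] for every SSLProtocol httpd would really load."""
    return [(f, v, bool(enabled_protocols(v) & WEAK)) for f, v in walk_config(tree, main_conf)]
```

Run against the real tree of whichever httpd binary `ps` shows, the report tells you which SSLProtocol line is live before you restart anything. The final check is still external: `openssl s_client -connect host:443 -tls1_1` should fail to complete a handshake once the right httpd has picked up the change.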

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Trying to prevent TLS 1.0 and 1.1 support for PCI

Post by TrevorH » 2021/05/07 02:31:43

I'm not sure you are running a CentOS supplied version of httpd. Ours doesn't have an httpd-ssl.conf nor a conf/extra directory to include it from.

What is the output from rpm -q httpd ? And uname -a ? And grep -ir exclud /etc/yum.* ?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

wex65
Posts: 10
Joined: 2020/12/23 20:57:43

Re: Trying to prevent TLS 1.0 and 1.1 support for PCI

Post by wex65 » 2021/05/07 10:49:26

TrevorH wrote:
2021/05/07 02:31:43
I'm not sure you are running a CentOS supplied version of httpd. Ours doesn't have an httpd-ssl.conf nor a conf/extra directory to include it from.

What is the output from rpm -q httpd ? And uname -a ? And grep -ir exclud /etc/yum.* ?

hmmm...the plot thickens...

[root@linode ~]# rpm -q httpd
package httpd is not installed

[root@linode ~]# uname -a
Linux linode.xxxxx.com 3.10.0-1160.11.1.el7.x86_64 #1 SMP Fri Dec 18 16:34:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

[root@linode ~]# grep -ir exclud /etc/yum.*
[root@linode ~]#

The xxxxx.com really shows my domain, I redacted it in case there is any security issue.

Thanks for the feedback, hopefully the above provides some insight?

Paul

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Trying to prevent TLS 1.0 and 1.1 support for PCI

Post by TrevorH » 2021/05/07 11:14:35

How about rpm -qf $(which httpd) ?

wex65
Posts: 10
Joined: 2020/12/23 20:57:43

Re: Trying to prevent TLS 1.0 and 1.1 support for PCI

Post by wex65 » 2021/05/07 12:09:55

TrevorH wrote:
2021/05/07 11:14:35
How about rpm -qf $(which httpd) ?

Here you go...

[root@linode ~]# rpm -qf $(which httpd)
/usr/bin/which: no httpd in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
rpm: no arguments given for query

tunk
Posts: 1205
Joined: 2017/02/22 15:08:17

Re: Trying to prevent TLS 1.0 and 1.1 support for PCI

Post by tunk » 2021/05/07 12:15:01

Don't know if it will make any difference, but you could
run yum update - kernel 3.10.0-1160.11.1 isn't the newest
and this suggests that your system isn't up to date.

wex65
Posts: 10
Joined: 2020/12/23 20:57:43

Re: Trying to prevent TLS 1.0 and 1.1 support for PCI

Post by wex65 » 2021/05/07 12:21:44

tunk wrote:
2021/05/07 12:15:01
Don't know if it will make any difference, but you could
run yum update - kernel 3.10.0-1160.11.1 isn't the newest
and this suggests that your system isn't up to date.

Thanks, I just did that. It ran @204 updates and all OK now.

[root@linode ~]# uname -a
Linux linode.coghlancapital.com 3.10.0-1160.11.1.el7.x86_64 #1 SMP Fri Dec 18 16:34:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Yum update shows no updates needed now but still showing the 3.10.0

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Trying to prevent TLS 1.0 and 1.1 support for PCI

Post by TrevorH » 2021/05/07 12:30:48

Try removing the changes you made so that it starts up again then look in the output from `ps fax` to see where it's running httpd from. It's apparent that this is not the CentOS version though so now it's more a matter of finding out where it came from so you can work out how to run the correct version. Or at least work out why you're not running the right version.

wex65
Posts: 10
Joined: 2020/12/23 20:57:43

Re: Trying to prevent TLS 1.0 and 1.1 support for PCI

Post by wex65 » 2021/05/07 13:03:49

TrevorH wrote:
2021/05/07 12:30:48
Try removing the changes you made so that it starts up again then look in the output from `ps fax` to see where it's running httpd from. It's apparent that this is not the CentOS version though so now it's more a matter of finding out where it came from so you can work out how to run the correct version. Or at least work out why you're not running the right version.

Sorry for the length of this, if I need to remove some of it let me know.

Paul

[root@linode ~]# ps fax
PID TTY STAT TIME COMMAND
...
823 ? Ss 0:04 php-fpm: master process (/usr/local/cwp/php71/etc/cwpsrv.conf)
8186 ? S 4:46 \_ php-fpm: pool cwpsrv
8285 ? S 4:49 \_ php-fpm: pool cwpsrv
8605 ? S 4:50 \_ php-fpm: pool cwpsrv
10721 ? S 4:43 \_ php-fpm: pool cwpsrv
12374 ? S 4:40 \_ php-fpm: pool cwpsrv
12658 ? S 4:40 \_ php-fpm: pool cwpsrv
12659 ? S 4:40 \_ php-fpm: pool cwpsrv
15729 ? S 4:36 \_ php-fpm: pool cwpsrv
10287 ? S 3:07 \_ php-fpm: pool cwpsrv
31068 ? S 0:34 \_ php-fpm: pool cwpsrv
824 ? Ss 0:01 php-fpm: master process (/opt/alt/php-fpm74/usr/etc/php-fpm.conf)
860 ? Ss 0:00 pure-ftpd (SERVER)
922 ? Ss 0:00 /usr/sbin/dovecot
935 ? S 0:00 \_ dovecot/anvil
936 ? S 0:00 \_ dovecot/log
942 ? S 0:00 \_ dovecot/config
10945 ? S 0:00 \_ dovecot/auth
11220 ? S 0:00 \_ dovecot/ssl-params
11785 ? S 0:00 \_ dovecot/auth -w
11898 ? S 0:00 \_ dovecot/pop3-login
...
23917 ? Ss 0:00 php-fpm: master process (/usr/local/cwp/php71/etc/php-fpm.conf)
24077 ? Ss 0:00 cwpsrv: master process /usr/local/cwpsrv/bin/cwpsrv
24078 ? S 0:07 \_ cwpsrv: worker process
24079 ? S 0:07 \_ cwpsrv: worker process
24162 ? Ss 0:00 /usr/local/apache/bin/httpd -k start
24423 ? Sl 0:08 \_ /usr/local/apache/bin/httpd -k start
24424 ? Sl 0:10 \_ /usr/local/apache/bin/httpd -k start
24425 ? Sl 0:13 \_ /usr/local/apache/bin/httpd -k start
24512 ? Sl 0:21 \_ /usr/local/apache/bin/httpd -k start

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Trying to prevent TLS 1.0 and 1.1 support for PCI

Post by TrevorH » 2021/05/07 14:36:53

24162 ? Ss 0:00 /usr/local/apache/bin/httpd -k start

So that's where your httpd runs from and since nothing we ship uses /usr/local at all, that's definitely not ours.

8186 ? S 4:46 \_ php-fpm: pool cwpsrv

CWP. See the sticky post about CWP and how we do not support it. You might also want to google "CWP CVE" and read the list of recent security problems on cvedetails.com. There is a whole batch there marked as severity 10.0 which is the highest score you can get for how bad things can be.