TLS Version 1.1 Protocol Deprecated in CISA scans.

Oct 11, 2021
[email protected] [~]# rpm -qa | grep openssl-
cpanel-perl-536-crypt-openssl-bignum-0.09-1.cp108~el7.x86_64
cpanel-perl-536-crypt-openssl-dsa-0.20-1.cp108~el7.x86_64
openssl-libs-1.0.2k-26.el7_9.x86_64
cpanel-perl-536-crypt-openssl-x509-1.914-1.cp108~el7.x86_64
ea-ruby27-rubygem-openssl-27.2.7.8.2.1.4-1.15.4.cpanel.x86_64
cpanel-perl-536-crypt-openssl-ec-1.32-1.cp108~el7.x86_64
openssl-devel-1.0.2k-26.el7_9.x86_64
cpanel-perl-536-crypt-openssl-random-0.15-1.cp108~el7.x86_64
openssl-1.0.2k-26.el7_9.x86_64
alt-openssl-libs-1.0.2k-2.el7.cloudlinux.10.x86_64
cpanel-perl-536-crypt-openssl-rsa-0.33-1.cp108~el7.x86_64
[email protected] [~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[email protected] [~]#
 

cPanelWilliam

Administrator
Staff member
Mar 13, 2018
Hello,

According to Litespeed's documentation, you should be able to adjust these settings via WHM > Apache Configuration > Global Configuration:

https://docs.litespeedtech.com/lsws/cp/cpanel/tunings/#ssltls-tuning

You would need to rebuild the Apache configuration and restart Litespeed for these changes to take effect, which can also be done from the Apache Configuration interface (Litespeed uses the same configuration file as Apache on cPanel servers). If you've already done all of this and the changes still aren't taking effect, I'd recommend opening a ticket so our team can look closer. If these changes are being made for a PCI scan, attaching the PCI scan to the ticket would also help us better assist you.
 
Oct 11, 2021
That is the exact thing I've been doing with no change; it always reverts back to default....
 
Oct 11, 2021
Here is a screenshot.

The article from Litespeed says:
When you set SSL/TLS Protocols to ALL -SSLv3 -TLSv1 -TLSv1.1 you are really saying, "use all available protocols, except SSLv3, TLSv1, and TLSv1.1."

When I do that, and then press save, it says:
For your changes to take effect, the Apache configuration must be rebuilt and Apache restarted.
So I press the button to restart and save, and then it shows this line:
all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
which is not what I typed.

And the server still fails the scan from CISA and I get the TLS Version 1.1 Protocol Deprecated.
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
As a test, could you try running this command to see if there are any issues with the Apache configuration itself?

/scripts/rebuildhttpdconf

If things are working normally, you should get this output:

"Built /etc/apache2/conf/httpd.conf OK"
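
As an added example (not code from this thread, cPanel or LiteSpeed), the POSIX shell functions below resolve an SSLProtocol value the way Apache's mod_ssl reads it, left to right, so the string typed in the thread can be compared with the one shown after saving. The function names and the SUPPORTED list are assumptions, and the thread does not confirm that LiteSpeed resolves the string identically.

```shell
# Added example, not cPanel or LiteSpeed code.
# What "all" expands to depends on the TLS library the web server is built
# against. Assumption: a TLS 1.3-capable build; override SUPPORTED otherwise.
SUPPORTED="${SUPPORTED:-TLSv1 TLSv1.1 TLSv1.2 TLSv1.3}"

# effective_protocols "<SSLProtocol value>": print the versions left enabled.
# Tokens apply left to right: +X adds, -X removes, a bare X replaces the set.
effective_protocols() (
    set -f                                   # no globbing while splitting $1
    enabled=""
    for tok in $1; do
        action=""
        case "$tok" in
            -*) action="-"; tok="${tok#-}" ;;
            +*) action="+"; tok="${tok#+}" ;;
        esac
        name=$(printf '%s' "$tok" | tr 'A-Z' 'a-z')   # names are case-insensitive
        case "$name" in
            all)                           grp="$SUPPORTED" ;;
            sslv2|sslv3)                   grp="" ;;   # assumed not offered at all
            tlsv1|tlsv1.1|tlsv1.2|tlsv1.3) grp="TLSv${name#tlsv}" ;;
            *) echo "unknown protocol: $tok" >&2; exit 2 ;;
        esac
        [ -n "$action" ] || enabled=""
        next=""
        for p in $SUPPORTED; do              # walking SUPPORTED keeps a fixed order
            case " $grp " in
                *" $p "*) [ "$action" = "-" ] || next="$next $p" ;;
                *) case " $enabled " in *" $p "*) next="$next $p" ;; esac ;;
            esac
        done
        enabled="$next"
    done
    echo "${enabled# }"
)

# audit_conf FILE: resolve every SSLProtocol line in FILE; exit status 1 if
# any of them still enables TLSv1 or TLSv1.1 (2 on an unparsable value).
audit_conf() (
    sed -n 's/^[[:space:]]*SSLProtocol[[:space:]][[:space:]]*//p' "$1" | {
        rc=0
        while IFS= read -r value; do
            eff=$(effective_protocols "$value") || exit 2
            echo "SSLProtocol $value => ${eff:-none}"
            case " $eff " in *" TLSv1 "*|*" TLSv1.1 "*) rc=1 ;; esac
        done
        exit "$rc"
    }
)
```

With the default SUPPORTED list, the value typed in the thread resolves to TLSv1.2 TLSv1.3, while the value displayed after saving resolves to TLSv1.3 only, and to nothing when SUPPORTED has no TLSv1.3. Running `audit_conf /etc/apache2/conf/httpd.conf` after `/scripts/rebuildhttpdconf` shows what each SSLProtocol line in the rebuilt file resolves to.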