Sorry for the delay, I wanted to update the status of this issue. I did set the ssl_cipher_list in ASSP, and I thought it worked for setting the cipher on SMTP (see below appears not now), but it does not appear to affect the https: connections on port 55555 and 55553 for the web interface? I don't know, am I missing something else?

My setting:

SSL_cipher_list:=RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!ADH:!AESGCM:!AES:!DES-CBC3-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!AES256-SHA

(which works for all other cpanel services)

Tested with beast.pl script on port 55555 and 55553 as well as actually port 465 also and the result is

Protocol: TLS v1
Server Preferred Cipher: AES256-SHA
Vulnerable: YES

Also tested with this as per cpanel guidelines

ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM:!SSLv2

And same result, which makes me think the service is grabbing its setting from somewhere else, because on the second one there is not even a mention of AES256-SHA.

Thoughts?

John

Date: Tue, 11 Jun 2013 18:27:24 +0200
From: Thomas Eckardt <thomas.ecka...@thockar.com>
Subject: [Assp-user] Re: how to change the SSL cipher to mitigate beast
To: For Users of ASSP <assp-user@lists.sourceforge.net>
Message-ID: <tITC.787456feed.OF8C0D33FD.4C9D9322-ONC1257B87.005A1E3A-C1257B87.005A62EE@thockar.com>
Content-Type: text/plain; charset="us-ascii"

set 'SSL_cipher_list' to your needs - notice: this is used for SMTPS and HTTPS

the 'SSL_honor_cipher_order' flag is still not used in assp

Thomas

From: "Ethical Host - John MacKenzie" <j...@ethicalhost.ca>
To: <assp-user@lists.sourceforge.net>
Date: 11.06.2013 17:55
Subject: [Assp-user] how to change the SSL cipher to mitigate beast

Well I posted this some time ago with no response so will try the mail list

http://minimalcms.sourceforge.net/demo/proxy/apps/phpbb/assp/viewtopic.php?f=7&t=1994&sid=cde5a1fbacd7f67c926a2741e964106a

Q: how do I go about adjusting the SSL cipher that assp uses for the web interface (re here http://forums.cpanel.net/f185/ssl-beast-workaround-whm-cpanel-306051.html) on ports 55553 and 55555 to mitigate the BEAST vulnerability http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389?

Thanks
John
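
One way to confirm what each listener actually negotiates, whatever the configured list says (an added example, not part of the original thread and not ASSP code). The names `is_cbc_suite`, `beast_exposed` and `probe` are hypothetical, and classifying a suite as CBC from its OpenSSL name is a heuristic assumption.

```python
import socket
import ssl

# Substrings that mark stream, AEAD or null suites in OpenSSL cipher names.
_NON_CBC_MARKERS = ("RC4", "GCM", "CCM", "CHACHA20", "NULL")
# CVE-2011-3389 concerns CBC suites under these protocol versions.
_AFFECTED_PROTOCOLS = {"SSLv3", "TLSv1"}


def is_cbc_suite(openssl_name: str) -> bool:
    """Names such as AES256-SHA never say "CBC", so infer it by exclusion."""
    name = openssl_name.upper()
    return not any(marker in name for marker in _NON_CBC_MARKERS)


def beast_exposed(protocol: str, openssl_name: str) -> bool:
    """True when the negotiated pair is a CBC suite on SSLv3 or TLS 1.0."""
    return protocol in _AFFECTED_PROTOCOLS and is_cbc_suite(openssl_name)


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Handshake capped at TLS 1.0 and report what the listener selected.

    Certificate checks are disabled because only the negotiated suite is
    of interest here. A recent OpenSSL build may refuse TLS 1.0 outright.
    If the server does not enforce its own order, the result follows this
    client's offer order rather than the server's list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name = tls.cipher()[0]
            protocol = tls.version()
    return {"port": port, "protocol": protocol, "cipher": name,
            "beast_exposed": beast_exposed(protocol, name)}


if __name__ == "__main__":
    # Offline check against the pair reported in the thread (TLS v1, AES256-SHA).
    print(beast_exposed("TLSv1", "AES256-SHA"))
```

Calling `probe` against ports 55555, 55553 and 465 after each configuration change shows whether a listener picked up the new `SSL_cipher_list` or is still selecting a CBC suite.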