Thursday, August 20, 2009

Weak ciphers and SSLv2 disabled

As required for both PCI compliance and general server security, our server has been configured to disallow Secure Sockets Layer (SSL) version 2 as well as "weak" ciphers. From this point on only SSLv3 will be allowed and supported. This isn't a change anyone should notice, as all modern browsers and email clients support SSLv3.

The only wrinkle in this process has been the POP3 mail server's SSL implementation: users are currently unable to connect and check email from an email client over SSL. Using an email client without SSL works fine (for both POP3 and IMAP), as does using webmail.

Since the settings were changed through the WHM/cPanel interface (necessary so they wouldn't be overwritten by a subsequent cPanel update), this appears to be a bug in the cPanel interface.

We have been working with a series of cPanel support techs over the past 26 hours to pinpoint and fix the issue, and will post an update when it has been cleared.

EDIT: Sat., Aug 22, 2009 12:47am: This issue is now resolved.