Perfect Forward Secrecy (ECDHE_RSA) in WHM cPanel login
In cryptography, forward secrecy is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. Sites that use perfect forward secrecy can provide better security to users in cases where the encrypted data is being monitored and recorded by a third party, that is, your spy next door. Turning on perfect forward secrecy is an important improvement that protects cPanel users. However, this feature is still not available in the WHM cPanel login. This occurs because the WHM web service (WHM/cPanel/webmail login page) does not use Apache, but some software developed in-house by cPanel. Unfortunately, cPanel services do not natively support any cipher suites with ephemeral Diffie-Hellman key exchange, either the traditional algorithm or the elliptic-curve variant, even if you try to enable it from cPanel Web Services Configuration. It works for Apache, but it does not work for the WHM web service (WHM/cPanel/webmail logins). It just ignores ECDHE_RSA and reverts back to RSA. The implementation of ECDHE_RSA (Perfect Forward Secrecy) needs some coding but can be done quickly and will improve overall security for cPanel clients.
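A check for the behaviour described in the request above, added here as an example (it is not part of the original post and not cPanel's code): it handshakes with the login services and reports whether the suite the server picked uses an ephemeral key exchange. The ports are the cPanel defaults (2083, 2087, 2096) and are assumed unchanged; all function names are this example's own.

```python
import socket
import ssl
import sys

# Default TLS ports of the cPanel-served logins (these are not served by Apache).
SERVICE_PORTS = {"cPanel": 2083, "WHM": 2087, "Webmail": 2096}

# OpenSSL names of TLS <= 1.2 suites start with the key exchange when it is
# ephemeral; plain-RSA suites such as "AES128-SHA" carry no such prefix.
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def is_forward_secret(cipher_name, protocol):
    """True if the negotiated suite uses an ephemeral (EC)DH key exchange."""
    if protocol == "TLSv1.3":
        return True  # TLS 1.3 full handshakes always use (EC)DHE
    return cipher_name.upper().startswith(EPHEMERAL_PREFIXES)


def negotiated_suite(host, port, verify=True, timeout=5.0):
    """Handshake with host:port and return (cipher_name, protocol)."""
    ctx = ssl.create_default_context()
    if not verify:
        # Only for hosts still on a self-signed service certificate; the
        # cipher choice is still reported, but the peer is unauthenticated.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0], tls.version()


def audit(host, verify=True):
    """Report the suite each login service picks and whether it gives PFS."""
    report = {}
    for service, port in SERVICE_PORTS.items():
        try:
            name, protocol = negotiated_suite(host, port, verify)
            report[service] = (name, protocol, is_forward_secret(name, protocol))
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            report[service] = ("error: %s" % exc, None, False)
    return report


if __name__ == "__main__" and len(sys.argv) > 1:
    for service, (name, protocol, pfs) in audit(sys.argv[1]).items():
        print("%-8s %-32s %-8s PFS=%s" % (service, name, protocol, pfs))
```

Run it with the server's hostname as the only argument. A line reporting a suite such as `AES128-SHA` with `PFS=False` is the RSA fallback the request describes.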
Hey everyone! This was resolved as of v56's release. If you have any problems or questions, feel free to let me know, or submit a ticket to our support team: https://tickets.cpanel.net/submit/
This is a mandatory feature; please implement ASAP.
I thought I would comment by adding a reason why this is becoming important and necessary. Since Google has already started testing secure websites as a ranking signal, website owners will want their websites with an SSL certificate that passes Google's requirements.
Websites like https://www.ssllabs.com/ssltest are recommended by Google and the one item that seems to be prominent as a failure in the test is "Forward Secrecy".
You can read more at Google's Webmaster Blog here:
http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html
Look forward to getting this implemented on cPanel soon.
The cPanel binaries must be compiled against an OpenSSL that supports this. Without blocking upgrades of systems which are not on CentOS 6.5 or 5.10, we cannot support PFS on those distros. It is possible we may push for this in the future. At a minimum, this will be supported in CentOS 7 since there are no backward compatibility issues there.
See here for more information on CentOS 7 support: http://features.cpanel.net/responses/rhel-7-centos-7-support
Yes, please implement this; this would be a great feature to have and is becoming more necessary every day for SEO as above, sure, but for security as the paramount reason.
The only valid reason is for security.
SEO is a plus, but is not what matters.
If you are not worried about the security of your users, you are in the wrong job.
Documentation for a workaround (if possible) would be a great start. This is impacting security in a big way.
https://forums.cpanel.net/threads/update-cpanel-to-tls-1-2-without-modifying-system-files-php5-curlssl-apache2-4-x.371221/
Yes. It happens to be my thread. Our cPanel installers have this scripted to happen right after they run automatically now. Our own sub installer. I may consider releasing the source soon after I see it work a few more times flawlessly.