SSLHonorCipherOrder on Apache

There are news about this feature?

Hello cPanelTabby,

The request was opened 4 years ago

It seems like a reasonable time for any update :)

Symptomatic of wider issues I'm afraid.

I have activated manually

SSLHonorCipherOrder On

In the Pre Main include through WHM »Service Configuration »Apache Configuration »Include Editor.

https://documentation.cpanel.net/display/84Docs/Include+Editor

Work

I completely understand your point of view, and hear your feedback here. Without a team scoping out the work it's hard to know how much time and testing would be needed (some of the smallest requests can scope out to be a full sprint's worth of work for a feature team), but as soon as there's anything to add here we'll be back!

I appreciate what you're saying about some features, but I'm not buying it with this one. You have a system for bringing forward configurable options for Apache and writing them to the config file and then placing them in to the template. You're already advising people that they can do this manually. The testing is pretty straight forward and easily verifiable in terms of correct working and automating it.

If this took a full sprint, someone wants to be sprinting for the door and a new job when they cross the finish line :)

This is a little bit silly now. I know we have the feature request system for a reason, but it's absolutely nuts that something that affects end user security has been sat here for over a year - yes I know it doesn't have many votes, but I'd put that down to a great number of cPanel users having no clue that this is actually a problem. It's crazy that we're adding what amounts to fluff, at the expense of security for end users.

I do understand your point of view, but this request hasn't gotten much traction internally. I'm guessing that's because you can easily add the setting through the existing WHM interface.

If that changes or if it gets picked up by an internal team, I'll make sure we update things here.

Appreciate that it's easy to add via includes editor - but how many people don't know this? How many don't know that it's an issue? How many 1000s of domains is that?

Unfortunately this speaks volumes to me, and not in a positive way. cPanel IMHO has a responsibility to the wider internet community to ship in as secure a configuration as it possible - for the server and end users. If admins willingly chose to weaken it, then they probably have a good well researched reason to do so. It's 2017 now, "no one is interested internally" is something you should be ashamed of stating.

Perhaps it's about time that there was someone internally that is interested in these kind of issues? It's not just this one issue, take for example the new "Symlink Protection Option" - It's off by default, yet FollowSymlinks & SymLinksIfOwnerMatch are both on by default, so Symlink protection is needed. Wrongly or not, there are admins out there that have no idea that screen exists, let alone what any of the options mean on there.

Apologies for taking this off-track, but this is indicative of wider issues :/