Strengthen Apache SSL cipher for PCI compliance
Completed
The Qualys SSL tester at https://www.ssllabs.com/ssltest/ gives websites a Grade F rating based on the default cPanel Apache 'PCI compliant' setting.
If you login to WHM > Apache Configuration > Global Configuration, the default SSL cipher for PCI compliance is:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH
However, this is a Grade F in the Qualys SSL tester. To get a Grade A rating it must be changed to:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL
I want this to become the default PCI compliance SSL cipher in cPanel.
In cPanel & WHM version 11.50.1 we'll change the default SSL Ciphers to use the Intermediate profile as recommended by Mozilla. More information on the profile is available at https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.0&openssl=0.9.8&hsts=yes&profile=intermediate
The change should affect all SSL-enabled services: SMTP, Apache, cpsrvd, cpdavd, etc.
SSL Labs now gives that string a B due to a warning about RC4 being broken. Still better than an F!
Running 11.50 and the below cipher gives A+ as of June 25th 2015:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!DH:!MD5:!PSK:!RC4
I went to SSL Labs after putting this string in and got:
"Assessment failed: No secure protocols supported"
I went back to the old string and now I get the same error, when it used to get a B grade. I can connect to the https port and log in fine. I also have reports from customers using SSL for mail that they are getting a warning to approve the cert. It's a wildcard cert that I've been using on all my servers with no issues until now. Google tells me it's obsolete, which I know, as it's SHA1 and will need to be changed, but it should still work, shouldn't it?
Edit... Never mind. Their site only checks 443; I was trying to check my WHM/cPanel cert. It worked for a certificate for a customer's website.
The above is to be put into the Apache "global" cipher box in WHM. Make sure there are no spaces, as it is one line.
Great, works with a customer's SSL, I get an A- with the string, not A+ though? Probably due to:
The server does not support Forward Secrecy with the reference browsers. Grade reduced to A
This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.
I don't think that is the issue as it might be the certificate needs to be reissued to support SHA256
It's a recent new cert that supports SHA256, so that's fine: "Signature algorithm SHA256withRSA"
I think it is the cert though; for some reason it reports that the cert is confusing, as it doesn't support the non-www version of the domain. Still A->B>F! I'm fine with those results!
Be careful with cipher lists like the one that is generated through https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.0&openssl=0.9.8&hsts=yes&profile=intermediate
If you are running DNS Only servers, the cipher lists generated above on web servers that connect to a DNS Only server can cause problems; see my post in the forums https://forums.cpanel.net/threads/ssl-cipher-suite.424092/#post-1934721
So feel free to use the cipher list below. I still get an A+ rating and it has been tested by Tristan at cPanel.
ALL:!ADH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
It does indeed seem to work with A+ but you will still get a warning regarding the Beast attack and Chrome will also state:
Your connection to XX is encrypted using an obsolete cipher suite.
cPanel & WHM version 11.50.1 is in the CURRENT tier. Also, these changes are in 11.52 which we anticipate going to production very soon.
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL
It does not give an A, by the way; I tried it and it's only a B.
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL
Tried this and it's only a B... What is the best cipher to use on WHM 11.52.1.3 with forward secrecy enabled?
I use this SSL cipher below:
ALL:!ADH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
For the reason why, go to https://forums.cpanel.net/threads/ssl-cipher-suite.424092/#post-1934721 and read my post.
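An added check (example code, not from the thread or from cPanel) that expands a WHM cipher string with Python's ssl module, which drives the system OpenSSL, and flags the suite classes the thread argues about: the anonymous (aNULL) suites that !ADH alone leaves behind, the RC4/3DES/MD5 legacy suites that cost the B grade, and suites without forward secrecy. The three strings are copied from the posts above; the name fragments and the kx-/auth- labels it matches on are assumptions about OpenSSL's naming.

```python
import ssl

# Cipher strings quoted in the thread (copied from the posts above).
CPANEL_DEFAULT_PCI = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH"
CPANEL_DEFAULT_PCI_FIXED = CPANEL_DEFAULT_PCI + ":!aNULL"
NO_RC4_NO_3DES = ("ALL:!ADH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
                  ":+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP")

# Assumed OpenSSL naming: suite-name fragments that mark legacy algorithms, and the
# key-exchange labels Python reports for forward-secret suites ('kx-any' is TLS 1.3).
LEGACY_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXP")
FORWARD_SECRET_KX = ("kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any")


def expand(cipher_string):
    """Return the suites the local OpenSSL enables for this string, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing at all matches
    return ctx.get_ciphers()


def audit(cipher_string):
    """Classify every enabled suite so a string can be checked before it goes into WHM."""
    report = {"total": 0, "anonymous": [], "legacy": [], "no_forward_secrecy": []}
    for suite in expand(cipher_string):
        name = suite["name"]
        report["total"] += 1
        # aNULL suites offer no server authentication. !ADH only removes the DH
        # flavour (ADH-*); the ECDH flavour (AECDH-*) survives until !aNULL is added.
        if suite.get("auth") == "auth-null" or name.startswith(("ADH-", "AECDH-")):
            report["anonymous"].append(name)
        if any(tok in name for tok in LEGACY_TOKENS):
            report["legacy"].append(name)              # RC4, DES/3DES, MD5, export grade
        if suite.get("kea") not in FORWARD_SECRET_KX:
            report["no_forward_secrecy"].append(name)  # static RSA / PSK / SRP key exchange
    return report


def is_clean(cipher_string):
    """True when the string leaves no anonymous and no legacy suites enabled."""
    report = audit(cipher_string)
    return not report["anonymous"] and not report["legacy"]


if __name__ == "__main__":
    for label, cs in (("cPanel default", CPANEL_DEFAULT_PCI),
                      ("default + !aNULL", CPANEL_DEFAULT_PCI_FIXED),
                      ("no RC4/3DES", NO_RC4_NO_3DES)):
        r = audit(cs)
        print(f"{label}: {r['total']} suites, {len(r['anonymous'])} anonymous, "
              f"{len(r['legacy'])} legacy, {len(r['no_forward_secrecy'])} without FS")
```

Suite counts depend on the local OpenSSL build (RC4 and single DES are absent from modern builds entirely), so compare the anonymous and legacy lists between strings rather than the totals.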