cPanel & WHM Version 94 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Add Support for TLS 1.3

ciao70 shared this idea 2 years ago
Completed

As a cPanel User, I would like to add support for TLS 1.3 to both the Apache and cpsrvd, because TLS 1.3 includes numerous changes that improve security and performance.

  • Remove unused and unsafe features of TLS 1.2.
  • Include strong security analysis in the design.
  • Improve privacy by encrypting more of the protocol.
  • Reduce the time needed to complete a handshake.

Comments (13)

photo
5

This needs to be implemented ASAP. cPanel needs to keep up with change at a faster pace, especially when it's for the good.

As per Apache changelog, mod_ssl already has support for OpenSSL 1.1.1 and TLS 1.3 since v2.4.36: http://www.apache.org/dist/httpd/CHANGES_2.4.37

So who's lagging behind this time? CentOS again?

photo
2

To be honest, while this update is indeed well needed and expected, there isn't a HUGE rush for it, as most servers will have multiple versions of TLS running (which is bad. Below 1.2 is unsafe) because many end clients (EMAIL CLIENTS) simply are not updated fast enough to know what to do with new handshake protocols.


There is a large majority of email clients who can't accept TLS 1.2 (I know, WTF?!) such as older Apple and Microsoft products, amongst others.


So when server's do get TLS 1.3 running, the browser will be fine but email communications may well be broken, so lower versions of TLS will need to be in backup so really, at the end of the day, having TLS 1.3 is not YET critical, but It would be definitely positive to have sooooooooon.

photo
2

This would be a nice feature to have rolled out but I accept it may take a little longer with proper testing and packages been available from Cloud Linux / CentOS.

photo
2

Hello,

There are news about this feature?

Support for OpenSSL 1.0.2 end 31/12/2019

Cpanel Upgrade OpenSSL 1.1.1, ETA?

Thanks

photo
2

We would really like this feature as well. Quite a few benefits with TLS 1.3 and with nearly every page these days being SSL, the time to first byte would be much improved due to the handshake changes.

photo
2

I have included this one as a footnote of a request for http 3/0 support as http 3/0 requires the use of TLS 1.3 please see below -

https://features.cpanel.net/topic/http-30

photo
2

This server feature, TLS 1.3, is critical for competitive companies and their donors seeking a secure donation mechanism. Thank you. You guys are amazing!

photo
1

Just tested it and it's working perfect :-D

photo
2

Good catch! Thanks for posting the link.

photo
2

Good news, everyone!


We are currently looking for beta testers for OpenSSL 1.1.1 and TLSv1.3! Please check out this blog for more information.

https://blog.cpanel.com/openssl-1-1-1-and-tlsv1-3-beta-testing-open-call/

photo
1

Fantastic news!!!

photo
3

Version 86 was released to the EDGE tier 1/6/20. In this version, we are adding TLSv1.3 to the SSL/TLS Protocols option in WHM's Global Configuration interface. Clients must support TLSv1.3 for this protocol to function consistently. Read More

photo
4

OpenSSL v1.1.1 with TLS 1.3 support was added to EasyApache 4 yesterday (https://docs.cpanel.net/ea4/information/easyapache-4-release-notes/).

Thank you, @cPanelTabby!

photo
3

Yes

Server Version: Apache/2.4.41 (cPanel) OpenSSL/1.1.1d mod_bwlimited/1.4

Only OpenSSL 1,1,1d

TLS 1.3 with Cpanel 86

Thanks :)

photo
2

Does anyone know why setting "TLSv1.3 TLSv1.2" as your cipher suite does not enable TLS 1.3, but using "ALL -SSLv3 -TLSv1 -TLSv1.1" works great?

Also, any word on when TLS 1.3 will be enabled by default alongside TLS 1.2? I have to manually override the cPanel default to enable TLS 1.3 at the moment.

photo
1

TLS 1.3 is not a part of the default config yet. In your config, you need a “+” in front of it to enable.

photo
2

Thanks cPanelPhil. Yeah, it's still an active (albeit minor) bug for me as of v86.0.4. I've opened ticket #93453169.


Ok, thanks for the info on eventual plans to enable TLS 1.3 by default. Looking forward to it!

photo
1

Paul from cPanel support found that you need to add plusses in front of the ciphers to get it working in this format.

eg. "+TLSv1.3 +TLSv1.2"


Alternatively "ALL -SSLv3 -TLSv1 -TLSv1.1" continues to work well, and this may even support the next version of TLS if/when it's released.

photo
1

I have just updated to version 86 and my default APACHE SSL/TLS Protocols is "All -SSLv2 -SSLv3". Is it the correct current setting for TLS 1.3?

photo
3

I got it working with "-all +TLSv1.2 +TLSv1.3"

photo
3

+TLSv1.3 +TLSv1.2 Works for Apache.

https://forums.cpanel.net/threads/error-during-enable-tlsv1-3-in-cpanel86.667625/


For Enable TLS 1.3 on Cpanel/WHM?


Thanks

Replies have been locked on this page!