cPanel & WHM Version 98 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!
This object is in archive! 

Perfect Forward Secrecy (ECDHE_RSA) in WHM Cpanel login

Iti Monitor shared this idea 7 years ago
Completed

In cryptography, forward secrecy is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future. Sites that use perfect forward secrecy can provide better security to users in cases where the encrypted data is being monitored and recorded by a third party, that is your spy next door. Turning on perfect forward secrecy is an important improvement that protects cPanel users. However, this feature is still not available in the WHM cPanel login. This occurs because WHM web service (WHM/cPanel/webmail login page) does not use Apache, but some software, developed in house by cPanel. Unfortunately, cPanel services do not natively support any cipher suites with ephemeral Diffie-Hellman key exchange, either the traditional algorithm or the elliptic-curve variant even if you try to enable it from cPanel Web Services Configuration. It works for Apache, but it does not work for WHM web service (WHM/cPanel/webmail logins). It just ignores ECDHE_RSA and reverts back to RSA. The implementation of ECDHE_RSA (Perfect Forward Secrecy) needs some coding but can be done quickly and will improve overall security for cPanel clients.

Best Answer
photo

Hey everyone! This was resolved as of v56's release. If you have any problems or questions, feel free to let me know, or submit a ticket to our support team: https://tickets.cpanel.net/submit/

Replies (8)

photo
3

This is a mandatory feature please implement ASAP

photo
2

I thought I would comment by adding a reason to why this is becoming important and necessary. Since Google has already started testing secure websites as a ranking signal, website owners will want their websites with an SSL certificate that passes Google's requirements.


Websites like https://www.ssllabs.com/ssltest are recommended by Google and the one item that seems to be prominent as a failure in the test is "Forward Secrecy".


You can read more at Google's Webmaster Blog here:

http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html


Look forward to getting this implemented on cPanel soon.

photo
1

The cPanel binaries must be compiled against an Open SSL that supports this. Without blocking upgrades of systems which are not on CentOS 6.5 or 5.10, we cannot support PFS on those distros. It is possible we may push for this in the future. At a minimum, this will be supported in CentOS 7 since there are no backward compatibility issues there.


See here for more information on CentOS 7 support: http://features.cpanel.net/responses/rhel-7-centos-7-support

photo
1

Yes, please implement this; this would be a great feature to have and is becoming more necessary every day for SEO as above sure, but for security as the paramount reason.

photo
3

smartfinds wrote:

I thought I would comment by adding a reason to why this is becoming important and necessary. Since Google has already started testing secure websites as a ranking signal, website owners will want their websites with an SSL certificate that passes Google's requirements.


Websites like https://www.ssllabs.com/ssltest are recommended by Google and the one item that seems to be prominent as a failure in the test is "Forward Secrecy".


You can read more at Google's Webmaster Blog here:

http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html


Look forward to getting this implemented on cPanel soon.


Only valid reason, is for security.

SEO is a plus, but is not what matter.


If you are not worried by security of your users, you are in the wrong job.

photo
2

Documentation for a workaround (if possible) would be a great start. This is impacting security in a big way.

photo
2

sonicthoughts wrote:

Documentation for a workaround (if possible) would be a great start. This is impacting security in a big way.
First off. This is COMPLETELY unsupported by cPanel. However. I'm using it on 7 cPanel servers in production environments. It still follows this guide pretty closely. Make sure you read through the thread for the comments from cPanel Devs before you start. They offer great insight into some short cuts.


https://forums.cpanel.net/threads/update-cpanel-to-tls-1-2-without-modifying-system-files-php5-curlssl-apache2-4-x.371221/


Yes. It happens to be my thread. Our cPanel installers have this scripted to happen right after they run automatically now. Our own sub installer. I may consider releasing the source soon after I see it work a few more times flawlessly.

photo
1

Hey everyone! This was resolved as of v56's release. If you have any problems or questions, feel free to let me know, or submit a ticket to our support team: https://tickets.cpanel.net/submit/

Replies have been locked on this page!