Provide OpenSSL 1.0.1c or Higher as cPanel RPM, to allow TLS 1.1, TLS 1.2
OpenSSL prior to version 1.0.1 only supports TLS 1.0. Every cipher suite in TLS 1.0 except RC4 is vulnerable to the BEAST attack, and recently RC4 was confirmed to be broken as well: https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
This means there are no secure cipher suites left under TLS 1.0.

CentOS/RHEL versions 5.x and 6.x are stuck on OpenSSL versions 0.9.8e and 1.0.0, respectively. CentOS/RHEL 5 does not reach EOL until March of 2017, and CentOS/RHEL 6 does not reach EOL until November 2020. That means there will be cPanel servers without TLS 1.1+ support for at least another 7 years. Luckily, there is a solution: cPanel can package and supply a more recent version of OpenSSL for all supported systems, and EasyApache can build against this updated library. This has been tested to some degree by another cPanel forum member:
Besides the security concerns, there are other reasons to upgrade OpenSSL to 1.0.1c or higher.
- RHEL/CentOS 5 servers cannot support SNI, which is becoming more important as IPv4 addresses run out. SNI was not supported until OpenSSL 0.9.8f, but these servers ship with OpenSSL 0.9.8e.
- RHEL/CentOS 5 servers cannot support OCSP stapling, which decreases the latency a client otherwise incurs during the TLS handshake when it checks the certificate for revocation. OCSP stapling was not supported until OpenSSL 0.9.8g, but these servers ship with OpenSSL 0.9.8e.
- OpenSSL 1.0.1+ adds support for the AES-NI instructions in Westmere/Sandy Bridge/Ivy Bridge or later processors, which increases performance of SSL/TLS connections and prevents timing attacks against AES.
- ...and much much more! :)
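As an added illustration (not part of the original request, and not cPanel's own code), the following script parses OpenSSL's lettered version strings and reports, against the version thresholds quoted above, which of these features a given build can offer and whether it meets the requested 1.0.1c minimum; it also runs the same check on the OpenSSL the local Python interpreter is linked against.

```python
import re
import ssl

# First OpenSSL release with each feature, as quoted in the request above
# (the page's figures, not an exhaustive table). 1.0.1c is the requested minimum.
FEATURE_MIN_VERSION = {
    "TLS 1.1/1.2": "1.0.1",
    "SNI": "0.9.8f",
    "OCSP stapling": "0.9.8g",
    "AES-NI": "1.0.1",
}
REQUESTED_MIN = "1.0.1c"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn '0.9.8e' or 'OpenSSL 1.0.1c 10 May 2012' into a comparable tuple.

    OpenSSL releases before 3.0 append a letter per patch release
    (1.0.1 < 1.0.1a < 1.0.1b ...); the letters become a nested tuple so
    that an unsuffixed release sorts before its lettered successors.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letters = m.groups()
    suffix = tuple(ord(c) - ord("a") + 1 for c in letters)
    return (int(major), int(minor), int(fix), suffix)


def feature_support(version_text):
    """Map each feature from the request to whether this OpenSSL build has it."""
    have = parse_openssl_version(version_text)
    return {name: have >= parse_openssl_version(need)
            for name, need in FEATURE_MIN_VERSION.items()}


def meets_request(version_text):
    """True when the build is at least the 1.0.1c the request asks for."""
    return parse_openssl_version(version_text) >= parse_openssl_version(REQUESTED_MIN)


def local_report():
    """Same check for the OpenSSL this Python interpreter is linked against."""
    version = ssl.OPENSSL_VERSION
    return {"version": version, "meets_request": meets_request(version),
            "features": feature_support(version)}


if __name__ == "__main__":
    for v in ("0.9.8e", "0.9.8g", "1.0.0", "1.0.1c"):
        print(v, "meets request:", meets_request(v), feature_support(v))
    print(local_report())
```

Run it on the affected systems (after `rpm -q openssl` or `openssl version`) to see exactly which of the capabilities above a given box is missing.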
Please supply an upgraded version of OpenSSL for supported operating systems that don't supply version 1.0.1c or greater.