SSLHonorCipherOrder on Apache

Ходоренко Михаил shared this idea 1 year ago
Open Discussion

Please add support for SSLHonorCipherOrder in the Apache config (WHM -> Apache Configuration -> Global Configuration).

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslhonorcipherorder

Best Answer

Thanks for your interest in improving cPanel and WHM. This request does have an internal case, but has not yet been scheduled for inclusion in the product.

In the meantime, you can make these additions in the Pre Main include through WHM » Service Configuration » Apache Configuration » Include Editor.

Comments (7)


2

Surely this one isn't exactly a biggie to add?

It's an important security feature, as some older devices will negotiate SSL ciphers that don't support forward secrecy unless you force them to by using the server's cipher order. Yes, it's easy to add yourself, but it should be there by default.

cPanel should be striving to be as secure as possible out of the box, with it requiring effort to weaken it, not the other way around: starting weak and requiring effort to make it passably secure.
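The two posts above describe the fix (an SSLHonorCipherOrder line in the Pre Main include) and the reason for it (without it, the client's cipher preference wins and older clients pick non-forward-secret suites). Below is an added example, not code from the thread or from cPanel: a small checker that parses include text for the SSL directives and flags the two conditions. The sample include contents, and the cipher list in them, are constructed assumptions for illustration, not cPanel's defaults.

```python
"""Audit an Apache Pre Main include for SSLHonorCipherOrder and
forward-secrecy-first cipher ordering (added example, not cPanel code)."""
import re

# Constructed sample of what the thread suggests adding via
# WHM » Service Configuration » Apache Configuration » Include Editor.
# The cipher list is an assumed illustration, not a recommendation from the page.
HARDENED_INCLUDE = """
# Pre Main include (constructed sample)
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES128-SHA
"""

# Constructed sample of the situation the thread complains about: no
# SSLHonorCipherOrder, so the client's preferred suite (here a non-PFS one) wins.
WEAK_INCLUDE = """
SSLCipherSuite AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256
"""

# Matches "SSLSomething value" lines; Apache directive names are case-insensitive.
DIRECTIVE_RE = re.compile(r"^\s*(SSL\w+)\s+(.+?)\s*$", re.IGNORECASE)
# OpenSSL cipher-name prefixes that provide forward secrecy (ephemeral key exchange).
PFS_PREFIXES = ("ECDHE-", "DHE-", "EECDH", "EDH")


def parse_ssl_directives(text):
    """Return {directive_name_lowercase: value} for SSL* lines, skipping comments.
    A directive repeated later in the include overrides the earlier value."""
    found = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def audit_include(text):
    """Return a list of findings; an empty list means both checks passed."""
    d = parse_ssl_directives(text)
    findings = []
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not 'on': client cipher preference wins")
    # Ignore "!EXCLUDED" entries; only the first positive suite decides the outcome.
    suites = [s for s in d.get("sslciphersuite", "").split(":") if s and not s.startswith("!")]
    if suites and not suites[0].upper().startswith(PFS_PREFIXES):
        findings.append(f"first cipher '{suites[0]}' lacks forward secrecy")
    return findings
```

Honouring the server order only helps when the server's own list leads with forward-secret suites, which is why the checker tests both conditions together.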

1

I completely understand your point of view, and hear your feedback here. Without a team scoping out the work it's hard to know how much time and testing would be needed (some of the smallest requests can scope out to be a full sprint's worth of work for a feature team), but as soon as there's anything to add here we'll be back!

1

I appreciate what you're saying about some features, but I'm not buying it with this one. You have a system for bringing forward configurable options for Apache, writing them to the config file and then placing them into the template. You're already advising people that they can do this manually. The testing is pretty straightforward and easily verifiable in terms of correct working and automating it.

If this took a full sprint, someone wants to be sprinting for the door and a new job when they cross the finish line :)

2

This is a little bit silly now. I know we have the feature request system for a reason, but it's absolutely nuts that something that affects end user security has been sat here for over a year - yes I know it doesn't have many votes, but I'd put that down to a great number of cPanel users having no clue that this is actually a problem. It's crazy that we're adding what amounts to fluff, at the expense of security for end users.

1

I do understand your point of view, but this request hasn't gotten much traction internally. I'm guessing that's because you can easily add the setting through the existing WHM interface.

If that changes or if it gets picked up by an internal team, I'll make sure we update things here.

1

Appreciate that it's easy to add via the Include Editor - but how many people don't know this? How many don't know that it's an issue? How many thousands of domains is that?

Unfortunately this speaks volumes to me, and not in a positive way. cPanel IMHO has a responsibility to the wider internet community to ship in as secure a configuration as possible - for the server and end users. If admins willingly choose to weaken it, then they probably have a good, well-researched reason to do so. It's 2017 now; "no one is interested internally" is something you should be ashamed of stating.

Perhaps it's about time that there was someone internally who is interested in these kinds of issues? It's not just this one issue; take for example the new "Symlink Protection Option" - it's off by default, yet FollowSymlinks & SymLinksIfOwnerMatch are both on by default, so symlink protection is needed. Wrongly or not, there are admins out there who have no idea that screen exists, let alone what any of the options on it mean.

Apologies for taking this off-track, but this is indicative of wider issues :/
