cPanel & WHM Version 98 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Strengthen Apache SSL cipher for PCI compliance

Peter Armstrong shared this idea 7 years ago
Completed

The Qualy's SSL tester at https://www.ssllabs.com/ssltest/ gives websites a Grade F rating based on the default cPanel Apache 'PCI compliant' setting.


If you login to WHM > Apache Configuration > Global Configuration, the default SSL cipher for PCI compliance is:


ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH


However this is a Grade F in the Qualy's SSL tester.To get a Grade A rating it must be changed to:


ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL


I want this to become the default PCI compliance SSL cipher in cPanel.

Best Answer
photo

In cPanel & WHM version 11.50.1 we'll change the default SSL Ciphers to use the Intermediate profile as recommended by Mozilla. More information on the profile is available at https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.0&openssl=0.9.8&hsts=yes&profile=intermediate


The change should affect all SSL-enabled services: SMTP, Apache, cpsrvd, cpdavd, etc.

Replies (14)

photo
1

SSL labs now gives that string a B due to a warning about RC4 being broken. Still better then an F!

photo
1

In cPanel & WHM version 11.50.1 we'll change the default SSL Ciphers to use the Intermediate profile as recommended by Mozilla. More information on the profile is available at https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.0&openssl=0.9.8&hsts=yes&profile=intermediate


The change should affect all SSL-enabled services: SMTP, Apache, cpsrvd, cpdavd, etc.

photo
1

That's one big cipher! If we currently have a custom cipher, will we need to go through every server and manually revert to the default cipher if we want to use this? In theory we can start using this now before 11.50.1 is released?

photo
1

Yes, you will need to modify each server. You should be able to make those changes now, on 11.46.0 and newer.

photo
1

I forgot to mention the case number: 180469


The changes already exist in the 11.49.9999 builds published to the EDGE tier on May 11. Once 11.50.0 makes it to the STABLE tier you can expect the changes for 11.50.1 to begin deploying to the production tiers.

photo
1

Running 11.50 and the below cipher gives A+ as of June 25th 2015:


ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!DH:!MD5:!PSK:!RC4

photo
1

I went to SSL Labs after putting this string in and got:

"Assessment failed: No secure protocols supported"

I went back to the old string now I get the same error, when it used to get a B grade. I can connect to the https: port and login fine. I noticed also have reports from customers using SSL for mail are getting a warning to approve the cert. It's a wildcard cert that I've been using on all my servers with no issues until now. Google tells me it's obsolete, which I know it's an sha1 and will need to be changed, but it should still work shouldn't it?

Edit... Nevermind.. Their site only checks 443, was trying to check my whm/cpanel cert, it worked for a certificate for customer's website.

photo
1

The above is to put into the apache "global" cipher box in WHM. Make sure there are no spaces as it is one line.

photo
1

Great, works with a customer's SSL, I get an A- with the string, not A+ though? Probably due to:


The server does not support Forward Secrecy with the reference browsers. Grade reduced to A

This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade attacks.

photo
1

I don't think that is the issue as it might be the certificate needs to be reissued to support SHA256

photo
1

It's a recently new cert has supports sha256, that's fine. "Signature algorithm

SHA256withRSA"


I think it is the cert though, for some reason it reports that the cert is confusing as it doesn't support the non-www version of the domain.. Still A->B>F! I'm fine with those results!

photo
1

Be careful with cipher lists like the that is generated through https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.0&openssl=0.9.8&hsts=yes&profile=intermediate

If you are running DNS Only Servers because the cipher lists generated above on Web Servers that connect to a DNS Only Server can cause problems see my post in the forums https://forums.cpanel.net/threads/ssl-cipher-suite.424092/#post-1934721


So feel free to use this cipher list below I still get a A+ rating and has been tested by Tristan at cPanel.

ALL:!ADH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

photo
1

It does indeed seem to work with A+ but you will still get a warning regarding the Beast attack and Chrome will also state:


Your connection to XX is encrypted using an obsolete cipher suite.

photo
2

cPanel & WHM version 11.50.1 is in the CURRENT tier. Also, these changes are in 11.52 which we anticipate going to production very soon.

photo
1

ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL

IT Does not give a by the way tried its its only b

photo
1

ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL

tried this and its only b......what is the best cipher to use on whm11.52.1.3 with forward secrecy enabled

photo
1

I use this SSL Cipher below

ALL:!ADH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP


For the reason why go to https://forums.cpanel.net/threads/ssl-cipher-suite.424092/#post-1934721 and read my post.

Replies have been locked on this page!