A very useful SSL Ciphers Guide

vlee

Well-Known Member
Oct 13, 2005
373
26
178
Spokane, Washington
cPanel Access Level
Root Administrator
I stumbled across this website called luxsci.com/blog/level-ssl-tls-required-hipaa.html

This website has very useful information I want to share here to those who maybe interested it.

However, there are serious considerations around the use of “CBC” ciphers as documented in NIST 800-52, in this article, especially if they are used with the TLS v1.0 protocol. As a result, it is best to remove CBC ciphers from the supported list (this has little negative impact, aside from not supporting the native Windows XP encryption stack which, of the list above, only supports DES-CBC3-SHA. That said, Windows XP is long deprecated). So, your “good cipher” list is now:

Code:
ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES256-SHA256:AES256-GCM-SHA384:AES256-SHA:AES128-SHA256:AES128-GCM-SHA256:AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DH-DSS-AES128-SHA:DH-DSS-AES256-SHA:DH-DSS-AES128-SHA256:DH-DSS-AES256-SHA256:DH-DSS-AES128-GCM-SHA256:DH-DSS-AES256-GCM-SHA384:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-GCM-SHA384
So, in order to achieve HIPAA compliance, you must start by
  1. Turning OFF SSL v2 and SSL v3
  2. Enabling TLS 1.0 and higher
  3. Restrict the ciphers you will be using to ONLY those in the CBC-free above list.
Note: The SSL Cipher List above should be the cPanel Standard

I hope this helps everyone including cPanel for future cPanel releases.
 
Last edited by a moderator:

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,228
463
Hello,

Thanks for taking the time to share!
 

PbG

Well-Known Member
Mar 11, 2003
246
0
166
My concern with this suite are:
Code:
Android 7.0 Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
BingPreview Jan 2015 RSA 2048 (SHA256)   TLS 1.2  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Chrome 49 / XP SP3 Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
Chrome 57 / Win 7  R Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
Firefox 31.3.0 ESR / Win 7 RSA 2048 (SHA256)   TLS 1.2  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Firefox 47 / Win 7  R Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
Firefox 49 / XP SP3 Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
Firefox 53 / Win 7  R Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
IE 11 / Win 10  R Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
Edge 13 / Win 10  R Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
Edge 13 / Win Phone 10  R Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
Safari 9 / iOS 9  R Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
Safari 9 / OS X 10.11  R Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
Safari 10 / iOS 10  R Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
Safari 10 / OS X 10.12  R Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
Apple ATS 9 / iOS 9  R Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  |  ECDH secp256r1
Using the previous suite this only occurred with the following but also allowed a weak 128 cipher as a last resort.
Code:
Chrome 49 / XP SP3 Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
Chrome 57 / Win 7  R RSA 2048 (SHA256)   TLS 1.2 > h2    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
Firefox 31.3.0 ESR / Win 7 RSA 2048 (SHA256)   TLS 1.2  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
Firefox 47 / Win 7  R Server negotiated HTTP/2 with blacklisted suite
RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
Thank you for sharing both BTW


I stumbled across this website called luxsci.com/blog/level-ssl-tls-required-hipaa.html

This website has very useful information I want to share here to those who maybe interested it.

However, there are serious considerations around the use of “CBC” ciphers as documented in NIST 800-52, in this article, especially if they are used with the TLS v1.0 protocol. As a result, it is best to remove CBC ciphers from the supported list (this has little negative impact, aside from not supporting the native Windows XP encryption stack which, of the list above, only supports DES-CBC3-SHA. That said, Windows XP is long deprecated). So, your “good cipher” list is now:

Code:
ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES256-SHA256:AES256-GCM-SHA384:AES256-SHA:AES128-SHA256:AES128-GCM-SHA256:AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DH-DSS-AES128-SHA:DH-DSS-AES256-SHA:DH-DSS-AES128-SHA256:DH-DSS-AES256-SHA256:DH-DSS-AES128-GCM-SHA256:DH-DSS-AES256-GCM-SHA384:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-GCM-SHA384
So, in order to achieve HIPAA compliance, you must start by
  1. Turning OFF SSL v2 and SSL v3
  2. Enabling TLS 1.0 and higher
  3. Restrict the ciphers you will be using to ONLY those in the CBC-free above list.
Note: The SSL Cipher List above should be the cPanel Standard

I hope this helps everyone including cPanel for future cPanel releases.
 
Last edited by a moderator: