Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

A very useful SSL Ciphers Guide

Discussion in 'Security' started by vlee, Jun 24, 2017.

Tags:
  1. vlee

    vlee Well-Known Member

    Joined:
    Oct 13, 2005
    Messages:
    336
    Likes Received:
    18
    Trophy Points:
    168
    Location:
    Spokane, Washington
    cPanel Access Level:
    Root Administrator
    I stumbled across this website called luxsci.com/blog/level-ssl-tls-required-hipaa.html

    This website has very useful information I want to share here to those who maybe interested it.

    However, there are serious considerations around the use of “CBC” ciphers as documented in NIST 800-52, in this article, especially if they are used with the TLS v1.0 protocol. As a result, it is best to remove CBC ciphers from the supported list (this has little negative impact, aside from not supporting the native Windows XP encryption stack which, of the list above, only supports DES-CBC3-SHA. That said, Windows XP is long deprecated). So, your “good cipher” list is now:

    Code:
    ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES256-SHA256:AES256-GCM-SHA384:AES256-SHA:AES128-SHA256:AES128-GCM-SHA256:AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DH-DSS-AES128-SHA:DH-DSS-AES256-SHA:DH-DSS-AES128-SHA256:DH-DSS-AES256-SHA256:DH-DSS-AES128-GCM-SHA256:DH-DSS-AES256-GCM-SHA384:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-GCM-SHA384
    So, in order to achieve HIPAA compliance, you must start by
    1. Turning OFF SSL v2 and SSL v3
    2. Enabling TLS 1.0 and higher
    3. Restrict the ciphers you will be using to ONLY those in the CBC-free above list.
    Note: The SSL Cipher List above should be the cPanel Standard

    I hope this helps everyone including cPanel for future cPanel releases.
     
    #1 vlee, Jun 24, 2017
    Last edited by a moderator: Jun 24, 2017
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,659
    Likes Received:
    1,428
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Thanks for taking the time to share!
     
  3. PbG

    PbG Well-Known Member

    Joined:
    Mar 11, 2003
    Messages:
    245
    Likes Received:
    0
    Trophy Points:
    166
    My concern with this suite are:
    Code:
    Android 7.0 Server negotiated HTTP/2 with blacklisted suite
    RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
    BingPreview Jan 2015 RSA 2048 (SHA256)   TLS 1.2  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
    Chrome 49 / XP SP3 Server negotiated HTTP/2 with blacklisted suite
    RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
    Chrome 57 / Win 7  R Server negotiated HTTP/2 with blacklisted suite
    RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
    Firefox 31.3.0 ESR / Win 7 RSA 2048 (SHA256)   TLS 1.2  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
    Firefox 47 / Win 7  R Server negotiated HTTP/2 with blacklisted suite
    RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
    Firefox 49 / XP SP3 Server negotiated HTTP/2 with blacklisted suite
    RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
    Firefox 53 / Win 7  R Server negotiated HTTP/2 with blacklisted suite
    RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
    IE 11 / Win 10  R Server negotiated HTTP/2 with blacklisted suite
    RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
    Edge 13 / Win 10  R Server negotiated HTTP/2 with blacklisted suite
    RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
    Edge 13 / Win Phone 10  R Server negotiated HTTP/2 with blacklisted suite
    RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
    Safari 9 / iOS 9  R Server negotiated HTTP/2 with blacklisted suite
    RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
    Safari 9 / OS X 10.11  R Server negotiated HTTP/2 with blacklisted suite
    RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
    Safari 10 / iOS 10  R Server negotiated HTTP/2 with blacklisted suite
    RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
    Safari 10 / OS X 10.12  R Server negotiated HTTP/2 with blacklisted suite
    RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
    Apple ATS 9 / iOS 9  R Server negotiated HTTP/2 with blacklisted suite
    RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256  |  ECDH secp256r1
    
    Using the previous suite this only occurred with the following but also allowed a weak 128 cipher as a last resort.
    Code:
    Chrome 49 / XP SP3 Server negotiated HTTP/2 with blacklisted suite
    RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
    Chrome 57 / Win 7  R RSA 2048 (SHA256)   TLS 1.2 > h2    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
    Firefox 31.3.0 ESR / Win 7 RSA 2048 (SHA256)   TLS 1.2  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ECDH secp256r1  FS
    Firefox 47 / Win 7  R Server negotiated HTTP/2 with blacklisted suite
    RSA 2048 (SHA256)   |  TLS 1.2 > h2    |  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  |  ECDH secp256r1
    
    Thank you for sharing both BTW


     
    #3 PbG, Oct 3, 2017
    Last edited by a moderator: Oct 3, 2017
Loading...

Share This Page