The Community Forums


A very useful SSL Ciphers Guide

Discussion in 'Security' started by vlee, Jun 24, 2017.

    vlee Well-Known Member
    I stumbled across this website called luxsci.com/blog/level-ssl-tls-required-hipaa.html

    This website has very useful information that I want to share here with those who may be interested in it.

    However, there are serious considerations around the use of “CBC” ciphers as documented in NIST 800-52, in this article, especially if they are used with the TLS v1.0 protocol. As a result, it is best to remove CBC ciphers from the supported list (this has little negative impact, aside from not supporting the native Windows XP encryption stack which, of the list above, only supports DES-CBC3-SHA. That said, Windows XP is long deprecated). So, your “good cipher” list is now:

    Code:
    ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES256-SHA256:AES256-GCM-SHA384:AES256-SHA:AES128-SHA256:AES128-GCM-SHA256:AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES256-GCM-SHA384:DH-DSS-AES128-SHA:DH-DSS-AES256-SHA:DH-DSS-AES128-SHA256:DH-DSS-AES256-SHA256:DH-DSS-AES128-GCM-SHA256:DH-DSS-AES256-GCM-SHA384:ECDH-ECDSA-AES128-SHA:ECDH-ECDSA-AES256-SHA:ECDH-ECDSA-AES128-SHA256:ECDH-ECDSA-AES256-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES256-GCM-SHA384
    So, in order to achieve HIPAA compliance, you must start by:
    1. Turning OFF SSL v2 and SSL v3
    2. Enabling TLS 1.0 and higher
    3. Restricting the ciphers you will be using to ONLY those in the CBC-free list above.
    Note: The SSL Cipher List above should be the cPanel Standard

    I hope this helps everyone including cPanel for future cPanel releases.
     
    #1 vlee, Jun 24, 2017
    Last edited by a moderator: Jun 24, 2017
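As an added example (not code from the thread or from cPanel), a small Python checker that splits an OpenSSL-style cipher string like the one in the post and buckets each suite by mode and key exchange, so the CBC exposure that NIST SP 800-52 warns about can be seen per suite. It assumes only OpenSSL's naming convention, in which AEAD modes (GCM, CCM, CHACHA20) are named explicitly and an AES, 3DES, Camellia or SEED suite with no mode token is CBC; the SAMPLE string is constructed from a few names in the post.

```python
"""Classify suites in an OpenSSL-style cipher string by mode and key exchange.

Added example, not part of the forum thread.  Reads a colon-separated list of
OpenSSL cipher names (the format the post uses) and reports which suites are
CBC mode and which lack forward secrecy.  No network or OpenSSL library needed.
"""
import re

# OpenSSL names mark AEAD modes explicitly; a block-cipher suite with no mode
# token (e.g. AES256-SHA, DES-CBC3-SHA) is CBC mode.
AEAD_TOKENS = ("GCM", "CCM", "CHACHA20")
CBC_CIPHERS = re.compile(r"AES\d{3}|DES-CBC3|DES-CBC|CAMELLIA\d{3}|SEED")


def classify(name: str) -> dict:
    """Return key exchange, mode and forward-secrecy flag for one cipher name."""
    parts = name.split("-")
    kex = parts[0] if parts[0] in ("ECDHE", "DHE", "ECDH", "DH") else "RSA"
    if any(tok in parts for tok in AEAD_TOKENS):
        mode = "AEAD"
    elif CBC_CIPHERS.search(name):
        mode = "CBC"
    elif "RC4" in parts:
        mode = "STREAM"
    else:
        mode = "UNKNOWN"
    # Ephemeral (EC)DHE gives forward secrecy; static (EC)DH and plain RSA do not.
    return {"name": name, "kex": kex, "mode": mode,
            "forward_secrecy": kex in ("ECDHE", "DHE")}


def audit(cipher_string: str) -> dict:
    """Split a colon-separated cipher string and bucket the suites."""
    suites = [classify(n) for n in cipher_string.split(":") if n]
    return {
        "cbc": [s["name"] for s in suites if s["mode"] == "CBC"],
        "aead": [s["name"] for s in suites if s["mode"] == "AEAD"],
        "no_forward_secrecy": [s["name"] for s in suites if not s["forward_secrecy"]],
    }


if __name__ == "__main__":
    # Constructed sample: a few names taken from the post's list and its XP remark.
    SAMPLE = ("ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:"
              "DES-CBC3-SHA:DH-DSS-AES128-GCM-SHA256")
    for bucket, names in audit(SAMPLE).items():
        print(f"{bucket}: {names}")
```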
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member
    Hello,

    Thanks for taking the time to share!
     