Altering default Cipher Suite to allow older browsers in

AtariAge

Member
Mar 14, 2006
Greetings!

I recently moved my website to a new server, going from an older version of WHM/cPanel to the current version. I've discovered that the Apache Cipher Suite is much stricter than on the old server. On ssllabs.com the site has gone from an F rating to an A rating. So, basically, from one extreme to another. Unfortunately, the default cipher suite has locked out many users, either using older machines with older browsers, or on some video game consoles such as the PS3 and Nintendo DS.

The site is centered around video games, and I don't need to have state-of-the-art ciphers while excluding everything else. I'm looking for suggestions on how to alter the cipher suite to add some older, but still reasonably secure, ciphers back to the mix.

Here's the default cipher suite in WHM/cPanel currently:

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

One of my users (who is currently blocked from the site) would like me to add EDH back to the mix. Here are two suites he suggested:

SSLCipherSuite "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES"

or possibly

SSLCipherSuite "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EDH+aRSA+AES EECDH+aRSA+RC4 EECDH EDH+aRSA"

I'm looking for advice on what's reasonable to do, and preferably add a few ciphers to the end of the default string. Any insight here is greatly appreciated.

Thank you,

..Al
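Before changing the directive it is worth seeing what each of the strings above actually expands to on the OpenSSL that will run them, since aliases such as EECDH+aRSA+AES are resolved by OpenSSL, not by Apache. The block below is an added example, not code from this thread or from cPanel or Apache. It uses only the Python standard library: SSLContext.set_ciphers() hands a cipher string to the OpenSSL build Python links against and get_ciphers() returns the concrete suites in the order the server would offer them. It then reports the things a reviewer of a cipher string cares about: whether any DHE/EDH (finite-field ephemeral DH) suites are present, and which suites are anonymous, unencrypted, RC4 or 3DES. Two points the report makes visible: the posted cPanel default already contains DHE-RSA-AES* and EDH-RSA-DES-CBC3-SHA suites, and the bare EECDH and EDH+aRSA terms in the second suggestion match cipher primitives broadly enough that, per the OpenSSL ciphers documentation, anonymous and NULL-encryption suites can come along unless !aNULL:!eNULL is appended (RC4 is prohibited by RFC 7465 and is compiled out of most current builds, so the EECDH+aRSA+RC4 term usually matches nothing). Which suites appear is a property of the local build, so the names in the sample list fed to audit() at the bottom are constructed for illustration.

```python
"""Expand Apache/OpenSSL cipher strings offline and report what they enable.

Added example, not code from the cPanel thread or from cPanel/Apache. Only the
standard library is used; the expansion reflects the OpenSSL build that Python
links against (RC4 and often 3DES are compiled out of current builds).
"""
import ssl

# Cipher strings quoted in the thread. OpenSSL accepts spaces as well as colons
# between elements, so the Apache-style strings can be passed through unchanged.
CPANEL_DEFAULT = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:"
    "EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)
SUGGESTED_1 = (
    "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM "
    "EECDH+ECDSA+AES EECDH+aRSA+AES EDH+aRSA+AES RSA+3DES"
)
SUGGESTED_2 = (
    "-ALL EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EDH+aRSA+AESGCM "
    "EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 "
    "EECDH+aRSA+SHA256 EDH+aRSA+AES EECDH+aRSA+RC4 EECDH EDH+aRSA"
)


def expand(cipher_string):
    """Return the TLS 1.2-and-below suite names the local OpenSSL selects for
    cipher_string, in preference order. TLS 1.3 suites are governed by a
    separate setting and are filtered out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(names):
    """Classify an ordered list of suite names (pure function, no OpenSSL)."""
    def is_anon(n):
        return n.startswith(("AECDH-", "ADH-"))       # no server authentication

    def is_null(n):
        return "-NULL-" in n or n.startswith("NULL-")  # no encryption at all

    return {
        "count": len(names),
        "first": names[0] if names else None,
        "has_dhe": any(n.startswith(("DHE-", "EDH-")) for n in names),
        "anon_or_null": [n for n in names if is_anon(n) or is_null(n)],
        "rc4": [n for n in names if "RC4" in n],
        "3des": [n for n in names if "DES-CBC3" in n],
    }


def report(label, cipher_string):
    """Print a one-screen summary for one cipher string and return it."""
    summary = audit(expand(cipher_string))
    print(f"== {label}: {summary['count']} suites, first = {summary['first']}")
    for key in ("has_dhe", "anon_or_null", "rc4", "3des"):
        print(f"   {key:13}: {summary[key]}")
    return summary


if __name__ == "__main__":
    print("OpenSSL in use:", ssl.OPENSSL_VERSION)
    report("cPanel default", CPANEL_DEFAULT)
    report("suggestion 1", SUGGESTED_1)
    report("suggestion 2", SUGGESTED_2)
    # Constructed sample list (not from any real server) showing what audit()
    # flags when a broad alias has pulled in anonymous, NULL or RC4 suites.
    report_sample = audit(["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-RC4-SHA",
                           "AECDH-AES128-SHA", "ECDHE-RSA-NULL-SHA",
                           "EDH-RSA-DES-CBC3-SHA"])
    print("sample audit:", report_sample)
```

Run it with the Python that links the same OpenSSL as the Apache you are tuning (ssl.OPENSSL_VERSION prints which one was used). Whatever string is chosen, mod_ssl only applies the order shown here when SSLHonorCipherOrder is on, and a string built from bare aliases should end with !aNULL:!eNULL so that anonymous and unencrypted suites can never be matched by a later term.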

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
Hello @AtariAge,

I moved this thread into our Security forum category, where it may receive additional user feedback specific to the cipher requirements.

The decision on which ciphers to permit depends on your defined acceptable level of risk. Apache documents information on this topic under the Cipher Suites and Enforcing Strong Encryption section of the link below:

SSL/TLS Strong Encryption: How-To - Apache HTTP Server Version 2.5

Thank you.