change TLS ciphers of one specific domain

Operating System & Version
CentOS 7.9
cPanel & WHM Version
100.0.11

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,360
1,630
363
cPanel Access Level
Root Administrator
Hey there! As far as I'm aware, this isn't something that can be done as the ciphers run at the service level and not at the domain level. Is there a particular issue you're running into where just one site would need a different cipher suite?
 

themarty

Registered
Dec 4, 2019
4
0
1
BkQy21l03A270YzMQp04
cPanel Access Level
Root Administrator
Hi cPRex
Thanks for your reply

> As far as I'm aware, this isn't something that can be done as the ciphers run at the service level

Do you mean it can't be done within cPanel or at all?
Because it can definitely be done: it's just apache config that you can include in a virtual host config. I have done so often in non-cpanel servers. But if I do this at file-system level I'm afraid to break cpanel functionality that is built on top of it, so I don't want to do that - i'd like an official cpanel solution that doesn't break stuff and that is future proof

> Is there a particular issue you're running into where just one site would need a different cipher suite?

Different domains have different audiences. One might host an API that is used in an old Android App that has a user-base with a need of legacy ciphers and another domain might be a newly launched security focused website that only wants to support modern suites. One should not effect the other.
Also, there are many websites nowadays that give scores to TLS configurations and for some websites this can be a reason to only want to allow modern ciphers (and not the default (and weak) DH-2048 for example that cpanel now supports). And I would like to be able to support that on a case-by-case basis without the risk of impacting other services that need these older ciphers
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
10,360
1,630
363
cPanel Access Level
Root Administrator
I reached out to the web development team and did some more research on this. Apache does indicate that this can be configured in the main configuration, vhost, directory level, or .htaccess:


Since these are standard configuration options for Apache I don't see why these wouldn't work inside of an Apache include for the domain. This isn't something that has come up on my end before, so I'd recommend testing this out with one domain before attempting to implement this on a wide scale, but please post your results once you've had a chance to do that!
 

themarty

Registered
Dec 4, 2019
4
0
1
BkQy21l03A270YzMQp04
cPanel Access Level
Root Administrator
I have tried both options and here are the results:

htacess:
According to the documentation you gave me, this should work. I didn't know about this possibility, but since a .htaccess is the safest way to do a change for a single domain I tried this first. This is what I put in my .htaccess file:

<IfModule mod_ssl.c>
Header set X-CipherTest test
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:!aNULL:!eNULL:!DES:!RC4:!MD5
</IfModule>
Note: this is the default from cpanel minus all the DHE ciphers

The Header directive is there so I could make sure the config was executed.
What I observed:
  • I could see the header when looking at the request in the browser (network tab in the developer toolbar), so the configuration was read and parsed for sure
  • In my browser all the pages under the domain worked as before
  • ssllabs (SSL Server Test (Powered by Qualys SSL Labs)) didn't report a change in the ciphers though and worse: it now displayed it didn't get an http response from the server. After commentig out the SSLCipherSuite directive that error went away, so it was definitely caused by this piece of config
  • internet.nl (a dutch website that provides similar functionality) also still reported the DHE ciphers being present and - similar to ssllabs - it reported being unable to get an http response from the server.
  • testssl (GitHub - drwetter/testssl.sh: Testing TLS/SSL encryption anywhere on any port) also still showed the DHE ciphers and also showed a HTTP 200.
  • wget and curl were both able to connect and get an http response.

htaccess summary: .htaccess config was parsed but didn't have an effect. worse: it caused problems with two analyses tools


apache include

Ah, that's the search term I was looking for I guess : "Apache include for a domain"
I found these instructions and followed them : https://support.cpanel.net/hc/en-us...directives-to-a-specific-domain-s-virtualhost

I then included the exact same config I previously used in my .htaccess

result:
  • Header showed up in my browser
  • Webpage worked fine
  • ssllabs and internet.nl didn't report any issues anymore and DHE ciphers are gone
  • in testssl the ciphers are also gone

summary: Apache includes works flawlessly