error during enable TLSv1.3 in cPanel86

celiac101

Well-Known Member
Dec 19, 2012
112
3
68
cPanel Access Level
Website Owner
I am using CENTOS 7.8 v88.0.11 and Easy Apache 4 and cannot get TLS v1.3 working using any of the above methods. Any idea why this doesn't work in 88?
 
Last edited:

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,298
1,279
313
Houston
Can you show me exactly what you've added and how you've determined it's not functioning? Also can you confirm you have the ea-openssl packages as follows:

Code:
[[email protected] ~]# rpm -qa |grep ea-openssl1
ea-openssl11-1.1.1g-1.1.2.cpanel.x86_64
ea-openssl11-devel-1.1.1g-1.1.2.cpanel.x86_64
 

celiac101

Well-Known Member
Dec 19, 2012
112
3
68
cPanel Access Level
Website Owner
When I run that command it shows this:
ea-openssl11-1.1.1g-1.1.2.cpanel.x86_64

And I determined it was not working via running my site at:
and seeing these results:
TLS 1.3 - No
TLS 1.2 - Yes
TLS 1.1 - No
TLS 1.0 - No
SSL 3 - No
SSL 2 - No

It looks to me like this package is missing. If so, could you give me the command to install it?
ea-openssl11-devel-1.1.1g-1.1.2.cpanel.x86_64
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,298
1,279
313
Houston
It is missing and the command to install it is

Code:
yum -y install ea-openssl11-devel-1.1.1g-1.1.2.cpanel.x86_64
What did you set in WHM>>Service Configuration>>Apache Configuration -> Global Configuration -> SSL/TLS Protocols? Here is what I have and my results on the same server from Qualys
Code:
+TLSv1.2 +TLSv1.3
Screenshot at Jul 01 16-04-30.png
 

celiac101

Well-Known Member
Dec 19, 2012
112
3
68
cPanel Access Level
Website Owner
Ok, I have the same protocols in my apache config.
+TLSv1.2 +TLSv1.3

Before I run that installation line, will doing so force me to do anything, like re-install my ssl certs? I don't want any surprises and have sites go down.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,298
1,279
313
Houston
Before I run that installation line, will doing so force me to do anything, like re-install my ssl certs? I don't want any surprises and have sites go down.
Nope, at least it didn't for me. It will restart apache though which should be unnoticeable.
 

celiac101

Well-Known Member
Dec 19, 2012
112
3
68
cPanel Access Level
Website Owner
I ran:
yum -y install ea-openssl11-devel-1.1.1g-1.1.2.cpanel.x86_64

and the install was successful:
# rpm -qa |grep ea-openssl1

ea-openssl11-1.1.1g-1.1.2.cpanel.x86_64
ea-openssl11-devel-1.1.1g-1.1.2.cpanel.x86_64

and I restarted Apache and the Engintron plugin (I am running NGINX). Unfortunately the retest of my server at Qualys SSL Labs still does not show it working:
TLS 1.3No
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,298
1,279
313
Houston
Oh you didn't mention you were running Engintron's NGINX. This is probably a cached setting in NGINX. If you switch to Apache alone and run this once more does the issue persist?
 

celiac101

Well-Known Member
Dec 19, 2012
112
3
68
cPanel Access Level
Website Owner
So when I turn off Engintron my TLS 1.3 works fine:
This server supports TLS 1.3.

When I enable Engintron it does not work. I even tried uninstalling Engintron and re-installing it.

If you have any ideas please let me know.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,298
1,279
313
Houston
So when I turn off Engintron my TLS 1.3 works fine:
This server supports TLS 1.3.

When I enable Engintron it does not work. I even tried uninstalling Engintron and re-installing it.

If you have any ideas please let me know.
I don't know, it might the best to ask engintron. The issue is that their software has been known to cause issues with cPanel.
 

Duplika

Well-Known Member
Feb 26, 2005
81
9
158
Buenos Aires, Argentina
cPanel Access Level
Root Administrator
Twitter
Would like to know this as well.
How about the other services for +TLSv1.2 +TLSv1.3 like the ones below

cPanel Web Disk Configuration
Currently set to SSLv23:!SSLv2:!SSLv3

cPanel Web Services Configuration
Currently set to SSLv23:!SSLv2:!SSLv3

Mailserver Configuration
SSL Minimum Protocol Currently set to TLSv1.2

Exim Configuration Manager ==> Security
Currently set to +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 default

How do you change those ones above to use +TLSv1.2 +TLSv1.3?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,298
1,279
313
Houston
Would like to know this as well.
I would suggest you read the thread as the answer is present. I've quoted it for you here:

The OpenSSL package that was released was for EasyApache 86 Release Notes | cPanel & WHM Documentation which covers OpenSSL for Apache related services.

This is not the same package that covers it for the system which includes other services which is at OpenSSL 1.0.2k-fips 26 Jan 2017

I also want to point out that I did notice our documentation was a little unclear on this and I've opened a case to have it clarified.
 

celiac101

Well-Known Member
Dec 19, 2012
112
3
68
cPanel Access Level
Website Owner
The Engintron tech help said that it is possible that NGINX wasn't compiled to work with TLSv1.3 and Centos 7.8.

When I run this command:
openssl ciphers -v | awk '{print $2}' | sort | uniq
I don't see v 1.3 installed:
SSLv3
TLSv1.2

But somehow TLSv1.3 is working with Apache.