The Community Forums

Interact with an entire community of cPanel & WHM users!

Getting Perfect Forward Secrecy Question

Discussion in 'Security' started by Spork Schivago, Jul 14, 2016.

  1. Spork Schivago

    Spork Schivago Well-Known Member

    Joined:
    Jan 21, 2016
    Messages:
    294
    Likes Received:
    25
    Trophy Points:
    28
    Location:
    corning, ny
    cPanel Access Level:
    Website Owner
    Hello,

    I run a VPS that GoDaddy leases me running CentOS 6.8 with Apache 2.4.18 and OpenSSL 1.0.1e-fips. If I wanted to enable "Perfect" Forward Secrecy (the Elliptic Curve Diffie-Hellman and the Diffie-Hellman cipher suites), would I need to custom compile OpenSSL and curl? Does cPanel support this? What I mean by that is if my OpenSSL library supports ECDHE and DHE, would the cPanel services like webmail, WHM, etc support it as well?

    I'd like to say I'm still learning this stuff so bear with me if some of my questions are kind of simple. I'm still trying to learn everything and I'm very new to running a server on the internet, although I do have a good experience with various Linux distros.

    My limited understanding of this stuff is OpenSSL handles the SSL certificates I have and implements the various cipher suites. Is that correct?

    I'm getting a bit confused. I type openssl ciphers and I see:
    Code:
    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-IDEA-CBC-MD5:KRB5-DES-CBC3-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5
    
    To me, that looks like OpenSSL already has DHE and ECDHE support compiled in. If that's the case, I wonder why ssllabs.com says my site does NOT support Forward Secrecy.

    Thanks!
     
  2. Spork Schivago

    I believe I have now figured this out and no longer need help. I'm now getting an A+ rating. I had to enable HSTS as well and mess with some of the ciphers and make sure the order was honored. Thanks though!
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,854
    Likes Received:
    676
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello,

    I'm happy to see you were able to address the issue. Feel free to post the full steps you took to ensure this was addressed for other users who may experience a similar issue.

    Thanks!
     
  4. Spork Schivago

    cPanelMichael,

    I will describe what I did but I would like to make a suggestion that I think cPanel should highly consider implementing. Right now, there are a few issues with 56.0.27 with configuring Apache from the WHM interface. I strongly feel that there should be some options that are just missing under Service Configuration -> Apache Configuration -> Global Configuration. We can configure the SSL Cipher Suite or use the default and we can configure the SSL / TLS Protocols (or use the default). However, there's no option to honor the SSL cipher order. This is important for "Perfect" Forward Secrecy. Also, there's no option to enable HTTP Strict Transport Security (HSTS). Enabling HSTS won't affect Forward Secrecy but it will allow a user to receive a score of A+ on Qualys SSL Lab test and more importantly, it should prevent man-in-the-middle attacks altogether. According to Wikipedia, HSTS is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking.

    HTTP Strict Transport Protocol forces any HTTP requests to be sent over HTTPS. Now that SSL certificates can be obtained for free by Let's Encrypt, there's no reason websites shouldn't have an SSL certificate, even if they're not dealing with sensitive information. If your website pulls pictures or other data from non-secure (HTTP) websites, enabling HTTP Strict Transport Protocol will prevent these pictures / data from being successfully pulled. You'll either have to not enable HTTP Strict Transport Protocol or (the better option in my opinion), store those files locally on your site, or (the best option out of all of them), contact the other domain owners and convince them to obtain an SSL certificate (perhaps a free one from Let's Encrypt?)

    Right now, the only way to enable it is by editing files using the terminal (via SSH) as far as I can tell.

    These are the steps that I took to enable "Perfect" Forward Secrecy and HSTS:

    In WHM, I went to Service Configuration -> Apache Configuration -> Global Configuration. I then scrolled down to the SSL Cipher Suite and entered my own. This is the value I entered:

    Code:
    ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    
    I got this list from the Apache mailing list. A doctor suggested them and I feel that it's a very good list. It disables weak ciphers but still allows the majority of clients to connect. It will disable XP users running IE 6 though along with Java 6. However, this shouldn't be a real problem for anyone anymore I feel. If you're running XP and connecting to the internet with IE 6, you probably should upgrade. The more websites that drop support for IE 6, the better, especially seeing how IE 8 can be installed in Windows XP now.

    ========================
    Enable HTTP Strict Transport Protocol
    ========================
    Log into your server via SSH, run su to become root, copy ssl_vhost.default to ssl_vhost.local and use your favorite text editor to edit the ssl_vhost.local file.

    Code:
    su
    cp -p /var/cpanel/templates/apache2_4/ssl_vhost.default /var/cpanel/templates/apache2_4/ssl_vhost.local
    nano -w /var/cpanel/templates/apache2_4/ssl_vhost.local
    
    The cp program copies the file, the -p option tells cp to preserve permissions on the new file. The -w that I passed to nano tells nano not to wrap long lines.

    Inside ssl_vhost.local, the very first line should be something like:
    Code:
    <VirtualHost[% FOREACH ipblock IN vhost.ips %] [% ipblock.ip %]:[% ipblock.port %][% END %]>
    
    Directly under that add the following text:
    Code:
      # Enable HTTP Strict Transport Security
      Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    
    So, the first three lines of that file should now look something like this:
    Code:
    <VirtualHost[% FOREACH ipblock IN vhost.ips %] [% ipblock.ip %]:[% ipblock.port %][% END %]>
      # Enable HTTP Strict Transport Security
      Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    
    Save that file (if you're in nano, hit CTRL-X and then hit enter to accept the default file name, ssl_vhost.local).

    ========================
    Enable Forward Secrecy
    ========================
    The next part that's important is telling Apache to honor the cipher list order. Copy main.default to main.local and modify main.local.
    Code:
    cp -p /var/cpanel/templates/apache2_4/main.default /var/cpanel/templates/apache2_4/main.local
    nano -w /var/cpanel/templates/apache2_4/main.local
    
    In this file, we're looking for the following line:
    Code:
    [% IF main.sslprotocol.item.sslprotocol.length %]SSLProtocol [% main.sslprotocol.item.sslprotocol %][% END %]
    
    If you're using nano, you can just hit CTRL-W, copy and then paste that text in the search field and then hit enter to search for it. Once you find it, directly under that add the following text:
    Code:
    SSLHonorCipherOrder on
    
    So, in the end, the main.local file should look like this:
    Code:
    [% IF main.sslprotocol.item.sslprotocol.length %]SSLProtocol [% main.sslprotocol.item.sslprotocol %][% END %]
    SSLHonorCipherOrder on
    
    Save the file (if in nano, just hit ctrl-x and then enter to save as the default name (main.local)).

    Restart apache:
    Code:
    service httpd restart
    


    ========================
    Whitelist SSL Labs in csf / lfd
    ========================
    If you're running something like csf / lfd, you're going to want to whitelist Qualys SSL Lab's servers so they don't get blocked. I did this by adding the following entry to /etc/csf/csf.ignore

    Code:
    64.41.200.0/24 # SSL Lab's server (for scanning our SSL certs)
    
    Keep in mind, this will whitelist all IP addresses from 64.41.200.1 to 64.41.200.255. You can remove the line afterwards if you'd like. You might need to restart csf / lfd in order for the changes to take effect.

    ========================
    Test your SSL certificates
    ========================

    By going to SSL Server Test (Powered by Qualys SSL Labs) you can verify that HSTS and / or Forward Secrecy are both enabled.

    Enter your domain name and if you don't want your results posted publicly, make sure you check the little box that says Do not show the results on the boards.

    If you did everything correctly, you should NOT get the warning at the top of the results saying Forward Secrecy is not enabled and you should see a green bar that now says: HTTP Strict Transport Security (HSTS) with long duration deployed on this server. You can also search the page for the words Forward Secrecy and you should see something that says: Yes (with most browsers) ROBUST

    The only reason it doesn't say with all browsers is because for compatibility with certain browsers, we allow weaker ciphers. SSL Labs shows a list of clients that it tries connecting with and their versions. IE 8 for XP does not support Forward Secrecy, at least not by default. I didn't want to disable TLSv1.0 and lose support for XP people so I left that protocol enabled.



    Could you tell me why there isn't an option for HSTS and why there's no option to honor the cipher list order? If there were an option for HSTS, there should also be an option for the max-age value. That max age value should be set to 6 months or higher.

    Thanks!
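
The question in the first post (the library lists ECDHE and DHE suites, yet SSL Labs reports no Forward Secrecy) comes down to which side's preference order decides the negotiated suite. The sketch below is an added example, not part of the thread and not mod_ssl's code; the client lists are constructed, and `FS_FIRST` is a simplified stand-in for the custom cipher string, not its exact expansion.

```python
# Added illustration: a simplified model of cipher selection, not mod_ssl's code.

def has_forward_secrecy(suite):
    """OpenSSL (pre-TLS 1.3) suite names: ECDHE-*, DHE-* and the older EDH-*
    alias use ephemeral key exchange. ECDH-* is static ECDH, and names with
    no key-exchange prefix (AES256-SHA, RC4-SHA) use RSA key transport."""
    return suite.startswith(("ECDHE-", "DHE-", "EDH-"))

def negotiate(server_prefs, client_prefs, honor_server_order):
    """First mutually supported suite: walk the server's list when
    SSLHonorCipherOrder is on, the client's list when it is off."""
    if honor_server_order:
        ordered, offered = server_prefs, set(client_prefs)
    else:
        ordered, offered = client_prefs, set(server_prefs)
    return next((s for s in ordered if s in offered), None)

def simulate(server_prefs, clients, honor_server_order):
    """Map each client name to (negotiated suite, forward secret?)."""
    result = {}
    for name, prefs in clients.items():
        suite = negotiate(server_prefs, prefs, honor_server_order)
        result[name] = (suite, suite is not None and has_forward_secrecy(suite))
    return result

# Subset of the `openssl ciphers` output quoted in the first post, same order.
DEFAULT_ORDER = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA",
    "ECDH-RSA-AES256-SHA", "AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA", "AES128-SHA", "DES-CBC3-SHA", "RC4-SHA",
]
# Forward-secret suites moved to the front (stable sort keeps relative order).
FS_FIRST = sorted(DEFAULT_ORDER, key=lambda s: not has_forward_secrecy(s))

# Constructed client preference lists (hypothetical clients, not real browsers).
CLIENTS = {
    "rsa_first": ["AES128-SHA", "RC4-SHA", "ECDHE-RSA-AES128-SHA", "DES-CBC3-SHA"],
    "mixed": ["ECDHE-RSA-AES128-SHA", "AES256-SHA"],
    "legacy": ["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"],
}

if __name__ == "__main__":
    cases = [
        ("default list, SSLHonorCipherOrder off", DEFAULT_ORDER, False),
        ("default list, SSLHonorCipherOrder on", DEFAULT_ORDER, True),
        ("FS-first list, SSLHonorCipherOrder on", FS_FIRST, True),
    ]
    for label, server, honor in cases:
        print(label)
        for name, (suite, fs) in simulate(server, CLIENTS, honor).items():
            print("  %-10s %-28s forward secrecy: %s" % (name, suite, fs))
```

The `mixed` client shows why both changes are needed: honoring the default order alone selects `AES256-SHA`. The `legacy` client never gets forward secrecy, which is the "with most browsers" case.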
     
  5. Spork Schivago

    One thing to note is that if you follow these directions to enable Forward Secrecy, because of the cipher suite I picked, your server is NOT mitigating BEAST attacks. There are only two ways that I know of to prevent BEAST attacks.

    1) Only support SSL / TLS protocols TLSv1.1 and TLSv1.2. Remove support for TLSv1.0, SSL2, and SSL3.
    2) Enable RC4 for an SSL cipher.

    For 1) I didn't feel enough clients supported TLSv1.1 and TLSv1.2. I felt a good majority still supported only TLSv1.

    For 2) I didn't feel RC4 was strong enough.

    BEAST has been pretty much dealt with on the client side now. Unless a person is using an extremely old client, it cannot be used to gain data. So hackers would only be able to grab data from users using really, really outdated browsers. I felt leaving TLSv1.0 enabled outweighed the small chance that someone was still vulnerable to BEAST. Remember also, BEAST isn't a very easy exploit to use. If the user is using an old client, I'm sure there are easier exploits a hacker could use instead of BEAST.

    If someone smarter than me was to come along, I bet they might be able to find a better cipher list or a better order for those ciphers. I haven't played around too much with the cipher list / order but if I get some time, I might. Just a thought.
     
  6. Spork Schivago

    I can't seem to edit my post now but I did forget to tell people to rebuild the Apache conf file. This should be before you restart Apache but after you finish editing all the files. You do this by running:
    Code:
    /scripts/rebuildhttpdconf
    
    There was a new version of cPanel released the other day, v56.0.28. When I ran EasyApache 3, there were error messages with some of my .local files. So what I did was delete the main.local and ssl_vhost.local and then I copied main.default to main.local and ssl_vhost.default to ssl_vhost.local and made the changes to the two files again. This fixed the error messages with EasyApache 3.
     
  7. Bigwebmaster

    Bigwebmaster Member

    Joined:
    Dec 3, 2003
    Messages:
    23
    Likes Received:
    1
    Trophy Points:
    1
    Did you have any issues with main.local's changes being honored? When I add ssl_vhost.local I can see those changes make it to httpd.conf after running rebuildhttpdconf, however, none of the changes in main.local seem to be utilized. In fact if I edit main.default as a test and then run /scripts/rebuildhttpdconf those don't seem to be coming through either. Using EasyApache 4 too, not EasyApache 3.
     
  8. Bigwebmaster

    Never mind, figured it out. I couldn't find any documentation on it, but if you are using EasyApache 4 and you look at the directory:

    /var/cpanel/templates/apache2_4

    besides having main.default, there is also a new file:

    ea4_main.default

    That is the one actually being utilized, main.default must be for EasyApache 3. Once I made the changes in ea4_main.default and then ran:

    /scripts/rebuildhttpdconf

    Everything was correctly placed in:

    /etc/apache2/conf/httpd.conf

    Hope this helps someone in the future :)
     
    #8 Bigwebmaster, Sep 9, 2016
    Last edited: Sep 9, 2016
  9. TB_Bison

    TB_Bison Registered

    Joined:
    Sep 29, 2016
    Messages:
    2
    Likes Received:
    1
    Trophy Points:
    1
    Location:
    London
    cPanel Access Level:
    Root Administrator
    Firstly a huge thank you to Spork Schivago for a very helpful and informative step by step on this. And Bigwebmaster for the extra information for those of us who've been silly / brave enough to make the leap to EA4.

    I really think that with such a big issue on internet security that this should be way easier. I really don't like hacking my way round these issues as often changes made are simply overwritten at the next update and you end up with bigger problems when you think you're covered.

    The beauty of WHM /cPanel is meant to be that people without this in-depth level of knowledge (like me) can keep updated and protect themselves easily - that's what you pay for. I know versions and revisions take a long time in the pipeline but we have known about the direction SSL is going in for years and WHM are often so slow to take up the reins on relatively small changes.

    In this file it says:
    DO NOT EDIT. AUTOMATICALLY GENERATED. USE INCLUDE FILES IF YOU NEED TO MAKE A CHANGE

    So would you copy this as suggested for the ea3 guidance?

    It says to use include file `pre_main_global.conf` however there are many to choose from on the system:

    /home/virtfs/USER/usr/local/apache.ea3/conf_pre_ea3/includes/pre_main_global.conf
    /home/virtfs/USER/usr/local/apache.ea3/conf/includes/pre_main_global.conf
    /home/virtfs/USER/etc/apache2/conf.d/includes/pre_main_global.conf
    /root/backup/conf/includes/pre_main_global.conf
    /usr/local/apache.ea3/conf_pre_ea3/includes/pre_main_global.conf
    /usr/local/apache.ea3/conf/includes/pre_main_global.conf
    /etc/apache2/conf.d/includes/pre_main_global.conf
     
    #9 TB_Bison, Sep 29, 2016
    Last edited: Sep 29, 2016
  10. TB_Bison

    What I have done which has seemed to work is navigate to:

    /etc/apache2/conf.d/includes/pre_main_global.conf

    mine was blank so I simply added:

    Code:
    # Enable HTTP Strict Transport Security
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
    
    SSLHonorCipherOrder on
    
    This should also mean that there is no overwriting with future updates. This got the A+ rating on SSL Labs
     
  11. Bigwebmaster

    Also I realized above I didn't mention using:

    ea4_main.local

    I copied ea4_main.default to ea4_main.local and then made the changes to the local version. The default will probably be overwritten during updates.

    Remember these are the templates that get used to actually create:

    /etc/httpd/conf/httpd.conf

    So the purpose of that automatically generated message is for it to be passed to the generated httpd.conf. These templates themselves, if using the .local version aren't automatically generated.

    For the Enable HTTP Strict Transport Security, I put that directly in:

    ea4_main.local

    You might be able to find a way to get the includes to work for this too, but just remember that this is the template that is used to generate the output. I even updated my template to include more information at the top:

    Code:
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    #
    #   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    #   DO NOT EDIT. AUTOMATICALLY GENERATED.  USE INCLUDE FILES IF YOU NEED TO MAKE A CHANGE
    #   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    #
    #   Direct modifications to the Apache configuration file WILL be lost upon subsequent
    #   regeneration of this configuration file, or an Apache update.
    #
    #   To have your modifications retained, you should create/edit administrator-specific
    #   include files:
    #
    #       [% paths.dir_conf_includes %]/pre_main_global.conf
    #       [% paths.dir_conf_includes %]/pre_virtualhost_global.conf
    #       [% paths.dir_conf_includes %]/post_virtualhost_global.conf
    #
    #   Edit templates used to create this file at:
    #
    #   /var/cpanel/templates/apache2_4
    #
    #   To see if whatever changes you make show up at:
    #
    #   /etc/httpd/conf/httpd.conf
    #
    #   Run the following:
    #
    #   /scripts/rebuildhttpdconf
    #
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
     
  12. cPanelMichael

    Hello,

    We do offer a document on PCI compliance at:

    PCI Compliance and Software Versions - cPanel Knowledge Base - cPanel Documentation

    However, to your point, I suggest voting and adding feedback to the following feature request:

    Unify PCI Compliance options on one screen

    This suggests a single interface to manage all PCI compliance settings.

    Thank you.
     
  13. 0884094

    0884094 Member

    Joined:
    Nov 14, 2013
    Messages:
    7
    Likes Received:
    2
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Thanks everyone for these tips. I was able to get an A+ rating from ssllabs by using these simplified steps:

    At Home / Service Configuration / Apache Configuration / Global Configuration, I set:

    SSL Cipher Suite: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    (as per Spork's suggestion)

    SSL/TLS Protocols: All -SSLv2 -SSLv3 -TLSv1
    (for my limited audience, I chose to disable TLSv1.0 but maybe not the right choice for big public websites yet)

    Then at Home / Service Configuration / Apache Configuration / Include Editor, I edited Pre Main Include (All Versions) and pasted these two lines:

    Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
    SSLHonorCipherOrder on

    I then rebuilt Apache and I'm getting A+ ratings. Note that I have a mix of always-SSL and never-SSL websites hosted on my server, and they all continue to work fine. The header Strict-Transport-Security is even returned on my never-SSL websites, which doesn't seem right, but the docs at Wikipedia say it is always ignored on non-SSL responses and that matches my experience so far. ssllabs shows the header being returned/recognized on my SSL websites.

    This blog post from last year also suggests editing Pre Main Include ( Getting an A+ on SSL Labs test in on all cPanel domains in 5 minutes - kris.io : virtualization & cloud ) rather than directly editing conf files. I mention this since it's easier to edit Pre Main Include and it might persist better & avoid closing you off from future updates to the core conf templates.
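
Several posts above turn on whether an edit to a template or include actually reached the generated httpd.conf after /scripts/rebuildhttpdconf. The check below is an added example, not part of the thread or of cPanel's tooling: it audits configuration text for the two directives discussed here, with constructed sample configs and "6 months" taken as 180 days (an assumption).

```python
import re

SIX_MONTHS = 180 * 24 * 3600  # "6 months" from the thread, taken here as 180 days

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value or None}.
    Directive names are case-insensitive, and the empty directive left by a
    trailing ';' (as in the header used in this thread) is skipped."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives

HSTS_LINE = re.compile(
    r'Header\s+(?:always\s+)?set\s+Strict-Transport-Security\s+"([^"]*)"', re.I)

def audit(conf_text):
    """Return a list of findings for generated config text; empty means OK."""
    active = [ln.strip() for ln in conf_text.splitlines()
              if ln.strip() and not ln.strip().startswith("#")]
    findings = []
    if not any(re.fullmatch(r"SSLHonorCipherOrder\s+on", ln, re.I) for ln in active):
        findings.append("SSLHonorCipherOrder on not present")
    hsts_values = [m.group(1) for m in map(HSTS_LINE.match, active) if m]
    if not hsts_values:
        findings.append("Strict-Transport-Security header not set")
    for value in hsts_values:
        max_age = parse_hsts(value).get("max-age")
        if max_age is None or not max_age.isdigit():
            findings.append("HSTS max-age missing or not a number")
        elif int(max_age) < SIX_MONTHS:
            findings.append("HSTS max-age %s is under six months" % max_age)
    return findings

# Constructed sample: the vhost template edit arrived, the main template edit did not.
MAIN_EDIT_LOST = """
SSLProtocol All -SSLv2 -SSLv3
<VirtualHost 192.0.2.10:443>
  # Enable HTTP Strict Transport Security
  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
</VirtualHost>
"""

# Constructed sample: both lines present, as pasted into the Pre Main Include.
PRE_MAIN_INCLUDE = """
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
SSLHonorCipherOrder on
"""

# Constructed sample: directive commented out and a short max-age.
WEAK = """
# SSLHonorCipherOrder on
Header always set Strict-Transport-Security "max-age=300"
"""

if __name__ == "__main__":
    for label, text in [("main edit lost", MAIN_EDIT_LOST),
                        ("pre main include", PRE_MAIN_INCLUDE), ("weak", WEAK)]:
        print(label, "->", audit(text) or "OK")
```

On a real server the input would be the rebuilt file named in the thread (/etc/apache2/conf/httpd.conf under EasyApache 4) read with `open(...).read()`.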
     