The Community Forums


How to disable anonymous (insecure) suites? Ref: SSLLABS

Discussion in 'Security' started by chuman, Aug 16, 2014.

  1. chuman

    chuman Member

    Joined:
    Aug 6, 2011
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    I have installed an SSL certificate for cPanel/WHM. It's installed correctly, but when checking at ssllabs.com/ssltest I get the following error:

    This server supports anonymous (insecure) suites (see below for details). Grade set to F.

    Code:
    TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)   INSECURE	128
    TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)   INSECURE	128
    TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)   INSECURE	112
    TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)   INSECURE	256
    TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)   INSECURE	128
    TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)   INSECURE	112
    TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)   INSECURE	128
    TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)   INSECURE	256
    Kindly help me resolve this. Thank you in advance.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    653
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    You can browse to the following option in Web Host Manager:

    "WHM Home » Service Configuration » Apache Configuration » Global Configuration"

    Use the following cipher under "SSL Cipher Suite" to disable anonymous ciphers:

    Code:
    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL
    Thank you.
     
    postcd likes this.
  3. chuman

  4. cPanelMichael

  5. chuman

    Thank you very much for the information Sir.
     
  6. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    335
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    Michael, when I change the cipher suite to this (copied exactly as above) I get the following error:

    Code:
    The following settings are invalid and were rejected:
    
    	* sslciphersuite: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL
    Has something changed in the last couple of months? cPanel v 11.44.1.18.
     
  7. cPanelMichael

  8. MaraBlue

    It's a pretty standard, vanilla hosting install.
     
  9. cPanelMichael

    Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  10. goodmove

    goodmove Well-Known Member

    Joined:
    May 12, 2003
    Messages:
    624
    Likes Received:
    0
    Trophy Points:
    16
    Can this be replicated for other services such as cpsrvd, cpdavd and dovecot?
     
  11. cPanelMichael

  12. vlee

    vlee Well-Known Member

    Joined:
    Oct 13, 2005
    Messages:
    272
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    Las Vegas, Nevada, United Stat
    cPanel Access Level:
    Root Administrator
    After I searched Google for about an hour or so, I found the SSL cipher suite below. It works very well and I get an A+ on SSL Labs.

    Code:
    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
    All welcome to use this.
     
    postcd and Greyscout like this.
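To see what these two SSLCipherSuite values actually enable on a given OpenSSL build, here is an added Python check (not code from this thread, cPanel or SSL Labs) that expands cPanelMichael's string from post #2 and vlee's string above with the local libssl and reports the anonymous, RC4, 3DES and non-forward-secret suites, plus the suite a server with SSLHonorCipherOrder On would prefer. Which named suites exist depends on the OpenSSL version, so the exact lists vary between systems.

```python
import re
import ssl

# The two SSLCipherSuite values quoted in this thread: cPanelMichael's fix for
# the anonymous suites (post #2) and vlee's A+ list (post #12). Which named
# suites exist is decided by the OpenSSL build running this script.
ANON_FIX = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL"
A_PLUS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:"
    "AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"
)
# OpenSSL's one-line suite description, e.g. "... Kx=ECDH Au=RSA Enc=AESGCM(256) ..."
DESC = re.compile(r"Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)")

def expand(cipher_string):
    """Suites libssl derives from an Apache SSLCipherSuite value, in the
    server's preference order (the order SSLHonorCipherOrder On enforces)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing at all matches
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are not governed by this string
        m = DESC.search(c["description"])
        kx, au, enc = m.groups() if m else ("?", "?", "?")
        suites.append({"name": c["name"], "kx": kx, "au": au, "enc": enc})
    return suites

def audit(cipher_string):
    """Flag the findings SSL Labs raised in this thread for one cipher string."""
    suites = expand(cipher_string)
    return {
        "anonymous": [s["name"] for s in suites if s["au"] == "None"],
        "rc4": [s["name"] for s in suites if s["enc"].startswith("RC4")],
        "3des": [s["name"] for s in suites if s["enc"].startswith("3DES")],
        "no_forward_secrecy": [s["name"] for s in suites if s["kx"] == "RSA"],
        # With SSLHonorCipherOrder On this is the suite a capable client gets.
        "preferred": suites[0]["name"] if suites else None,
    }

if __name__ == "__main__":
    for label, value in (("post #2 string", ANON_FIX), ("post #12 string", A_PLUS)):
        report = audit(value)
        print(label, "->", {k: (len(v) if isinstance(v, list) else v) for k, v in report.items()})
```

Both strings still allow plain RSA key exchange, which is why a server that ignores the order can land on A- for forward secrecy; the "preferred" entry shows what changes once the order is honoured.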
  13. ispro

    ispro Well-Known Member

    Joined:
    Apr 8, 2004
    Messages:
    628
    Likes Received:
    1
    Trophy Points:
    18
    Thank you for sharing! Now I have an A- rating and the only thing missing is Forward Security:
    The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-

    How were you able to get A+ on a cPanel server? Thank you once more!
     
  14. vlee

    Go to WHM Home » Service Configuration » Apache Configuration » Include Editor

    Then under "I wish to edit the Pre Main configuration include file for:" select "All Versions".

    Put the following in it:

    Code:
    Header add Strict-Transport-Security "max-age=31536000"
    SSLHonorCipherOrder On
    SSLCompression off
    Then click the Update button.

    That is it; you should be able to get an A+ now.
     
    postcd and Greyscout like this.
  15. ispro

    Yes, it works. Thank you for the help!
     
  16. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    98
    Likes Received:
    1
    Trophy Points:
    8
    Thank you. Now I got A+ rating.
     
  17. Greyscout

    Greyscout Member

    Joined:
    Feb 19, 2015
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    A+ for the first time! Awesome. Thank you vlee!
     
  18. autumnwalker123

    autumnwalker123 Active Member

    Joined:
    Jan 19, 2014
    Messages:
    36
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    I followed the instructions here after updating my cPanel install and removed

    SSLHonorCipherOrder On
    SSLProtocol +All -SSLv2 -SSLv3

    from my Apache Pre Main include; however, SSL Labs is still reporting the server is vulnerable to POODLE.

    Thoughts?
     
  19. cPanelMichael

    I've moved your post to this thread, so you can try some of the solutions here. Let us know if it does not help.

    Thank you.
     
  20. postcd

    postcd Well-Known Member

    Joined:
    Oct 22, 2010
    Messages:
    620
    Likes Received:
    6
    Trophy Points:
    18
    Hello, I have WHM 11.50

    In the Apache configuration I have the SSL cipher:
    ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH (PCI recommended)

    SSL/TLS Protocols:
    All -SSLv2 -SSLv3 default

    but when I check my site on https://sslanalyzer.comodoca.com or on https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp

    it says:
    Protocols enabled:
    TLS1.2
    TLS1.1
    TLS1.0
    Protocols not enabled:
    SSLv3
    SSLv2

    https://www.ssllabs.com/ssltest/ says:
    "Assessment failed: No secure protocols supported"

    Is this correct? Any steps to correct it if it's an issue? Thank you

    ----
    Update: this topic was helpful; I used the cipher suite and Apache rules advised by member vlee. But I'm still getting these notices:
    Protocols not enabled:
    SSLv3
    SSLv2
     
    #20 postcd, Sep 17, 2015
    Last edited: Sep 17, 2015