How to disable anonymous (insecure) suites? Ref: SSL Labs

chuman

I have installed an SSL certificate for cPanel/WHM. It's installed correctly; when checking at ssllabs.com/ssltest I get the following error:

This server supports anonymous (insecure) suites (see below for details). Grade set to F.

Code:
TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)   INSECURE	128
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)   INSECURE	128
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)   INSECURE	112
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)   INSECURE	256
TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)   INSECURE	128
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)   INSECURE	112
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)   INSECURE	128
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)   INSECURE	256
Kindly help me resolve this. Thank you in advance.
 

cPanelMichael

Administrator
Staff member
Hello :)

You can browse to the following option in Web Host Manager:

"WHM Home » Service Configuration » Apache Configuration » Global Configuration"

Use the following cipher under "SSL Cipher Suite" to disable anonymous ciphers:

Code:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL
Thank you.
 

MaraBlue

Hello :)

You can browse to the following option in Web Host Manager:

"WHM Home » Service Configuration » Apache Configuration » Global Configuration"

Use the following cipher under "SSL Cipher Suite" to disable anonymous ciphers:

Code:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL
Thank you.
Michael, when I change the ciphersuite to this (copied exactly as above) I get the following error:

Code:
The following settings are invalid and were rejected:

	* sslciphersuite: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL
Has something changed in the last couple of months? cPanel v 11.44.1.18.
 

cPanelMichael

Administrator
Staff member
I have not been able to reproduce that error message. Do you have any other customizations to Apache?

Thank you.
 

cPanelMichael

Administrator
Staff member
Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
 

goodmove

"WHM Home » Service Configuration » Apache Configuration » Global Configuration"

Use the following cipher under "SSL Cipher Suite" to disable anonymous ciphers:

Code:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL
Can this be replicated for other services such as cpsrvd, cpdavd and dovecot?
 

vlee

After I searched Google for about an hour or so, I found this below for an SSL Cipher Suite; it works very well and I get an A+ on SSL Labs

Code:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
All welcome to use this.
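
To check a cipher string before pasting it into WHM, the following added example (not part of any post in this thread, and not cPanel's code) expands the two strings quoted above with Python's `ssl` module and lists any anonymous (`Au=None`) suites they still select. It assumes the local OpenSSL behaves like the one Apache is linked against; the function names `expand` and `audit` are hypothetical.

```python
import ssl

# Cipher strings copied from the posts above.
WHM_STRING = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL"
VLEE_STRING = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:"
    "AES256-SHA:AES128-SHA:DES-CBC3-SHA:"
    "HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"
)

def expand(cipher_string):
    """Suites the local OpenSSL selects for an SSLCipherSuite-style string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is selected
    return ctx.get_ciphers()

def audit(cipher_string):
    """Split the expanded list into anonymous suites and ECDHE/DHE suites."""
    suites = expand(cipher_string)
    return {
        "total": len(suites),
        # 'auth-null' is OpenSSL's Au=None: the server is not authenticated.
        "anonymous": [s["name"] for s in suites if s.get("auth") == "auth-null"],
        # ECDHE/DHE key exchange provides forward secrecy in TLS 1.2 and below.
        # TLS 1.3 suites report 'kx-any' and are not counted here.
        "forward_secret": [s["name"] for s in suites
                           if s.get("kea") in ("kx-ecdhe", "kx-dhe")],
    }

if __name__ == "__main__":
    # "ALL" is included only to show what the exclusions remove; what it
    # expands to depends on how the local OpenSSL was built.
    for label, string in (("ALL", "ALL"), ("WHM", WHM_STRING), ("vlee", VLEE_STRING)):
        report = audit(string)
        print(f"{label}: {report['total']} suites, "
              f"{len(report['anonymous'])} anonymous, "
              f"{len(report['forward_secret'])} ECDHE/DHE")
        for name in report["anonymous"]:
            print("  anonymous:", name)
```

An empty `anonymous` list only shows that the string itself excludes those suites; the SSL Labs scan remains the check of what the running service actually offers.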
 

ispro

After I searched Google for about an hour or so, I found this below for an SSL Cipher Suite; it works very well and I get an A+ on SSL Labs

Code:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
All welcome to use this.
Thank you for sharing! Now I have an A- rating and the only thing missing is Forward Security:
The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-

How were you able to get A+ on a cPanel server? Thank you once more!
 

vlee

Thank you for sharing! Now I have an A- rating and the only thing missing is Forward Security:
The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-

How were you able to get A+ on a cPanel server? Thank you once more!
Go to WHM Home » Service Configuration » Apache Configuration » Include Editor

Then, under "I wish to edit the Pre Main configuration include file for:", select All Versions

Put this below in it

Code:
Header add Strict-Transport-Security "max-age=31536000"
SSLHonorCipherOrder On
SSLCompression off
Then click on the Update button

That is it; you should be able to get A+ now
 

garconcn

Go to WHM Home » Service Configuration » Apache Configuration » Include Editor

Then, under "I wish to edit the Pre Main configuration include file for:", select All Versions

Put this below in it

Code:
Header add Strict-Transport-Security "max-age=31536000"
SSLHonorCipherOrder On
SSLCompression off
Then click on the Update button

That is it; you should be able to get A+ now
Thank you. Now I got an A+ rating.
 

autumnwalker123

I followed the instructions here after updating my cPanel install and removed

SSLHonorCipherOrder On
SSLProtocol +All -SSLv2 -SSLv3

from my Apache Pre Main include; however, SSL Labs is still reporting the server is vulnerable to POODLE.

Thoughts?
 

cPanelMichael

Administrator
Staff member
from my Apache Pre Main include; however, SSL Labs is still reporting the server is vulnerable to POODLE.
I've moved your post to this thread, so you can try some of the solutions here. Let us know if it does not help.

Thank you.
 

postcd

Hello, I have WHM 11.50

In Apache configuration I have SSL cipher:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH (PCI recommended)

SSL/TLS Protocols:
All -SSLv2 -SSLv3 default

but when I check my site on https://sslanalyzer.comodoca.com or on https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp

it says:
Protocols enabled:
TLS1.2
TLS1.1
TLS1.0
Protocols not enabled:
SSLv3
SSLv2

https://www.ssllabs.com/ssltest/ says:
"Assessment failed: No secure protocols supported"

Is it correct? Any steps to correct it if it's an issue? Thank you

----
Update: this topic was helpful; I used the cipher suite and Apache rules advised by member vlee. But I'm still getting these notices:
Protocols not enabled:
SSLv3
SSLv2
 