OCSP stapling, Apache 2.4 & SPDY

Discussion in 'Security' started by baritoneuk, Sep 8, 2014.

  1. baritoneuk

    baritoneuk Member

    Hi.

    I'm very much a security novice and I don't manage my server myself (we have a fab hosting company who does most of the work), however I want to understand this a bit better.

    I am wanting to enhance the encryption on the websites on our server. I read a great article on moving a website to fully SSL by Yoast which went through recommended settings in order to get a grade A+ on SSLLabs.

    1) I want to enable OCSP stapling as in this article. In the article by Yoast, he says:

    In order to enable OCSP stapling, you need Apache 2.3.3 and later plus OpenSSL 0.9.8h. Does cPanel work with Apache 2.3 or 2.4?

    2) I'd like to offer full support for "SPDY". When using the checker at spdycheck.org it said the NPN Extension was missing in the SSL/TLS Handshake. Does cPanel work with the NPN Extension and full support with SPDY?

    3) The cipher suites that are used in WHM (at least in our installation) seem not to be the best. Yoast uses the following:
    Code:
    ssl_prefer_server_ciphers On;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    Steve Gibson (of GRC and Security Now) seems to be using a very similar one. How do I go about enhancing this?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    1. Yes, Apache 2.4 is available through EasyApache:

    /scripts/easyapache

    Or;

    "WHM Home » Software » EasyApache (Apache Update)"

    2. SPDY support is not currently offered. You can review the reasons why on its feature request page:

    mod_spdy | cPanel Feature Requests

    3. This is configurable with the "SSL Cipher Suite" option in:

    "WHM Home » Service Configuration » Apache Configuration » Global Configuration"

    Thank you.
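
The nginx-style lines quoted in the first post, expressed as Apache 2.4 mod_ssl directives with OCSP stapling enabled. This is an added example, not part of the thread and not cPanel's own configuration. The stapling cache path and size are assumptions, and SSLv3, which the quoted protocol list includes, is left out because it has since been deprecated.

```apache
# Server-level scope, outside any <VirtualHost>: SSLStaplingCache is only
# valid there. Path and size are assumptions made for this example.
SSLStaplingCache shmcb:/var/run/ocsp_stapling(128000)

# OCSP stapling (needs httpd 2.3.3 or later, so Apache 2.4 qualifies).
SSLUseStapling On
# Give up quickly on a slow OCSP responder, and never staple a failed or
# non-"good" response to clients.
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors Off

# nginx: ssl_prefer_server_ciphers On;
SSLHonorCipherOrder On

# nginx: ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# Literal translation (weak, keeps SSLv3 enabled):
#   SSLProtocol SSLv3 TLSv1 TLSv1.1 TLSv1.2
# Corrected form:
SSLProtocol all -SSLv3

# nginx: ssl_ciphers ...; the OpenSSL cipher string is copied unchanged from the post.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
```

After a restart, `openssl s_client -connect example.com:443 -status` (placeholder host) shows `OCSP Response Status: successful` when a response is being stapled.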
     
  3. baritoneuk

    baritoneuk Member

    Thanks, I'll chat with my host about Apache 2.4

    That's a shame, but I understand that enabling it would not have good security implications. I do hope this can be sorted out in the future.

    Thanks - I have added the ciphers and we now have A+ ratings (via SSLLabs) across all our SSL websites. They even have perfect forward secrecy enabled, which I was not expecting to happen (as I had seen issues with other cPanel customers).

    :)
     
  4. dualmonitor

    dualmonitor Active Member

  5. Foro Pentaxeros

    Foro Pentaxeros Registered

    Hello! I also hope that we can soon see SPDY integrated into cPanel.

    I have opened a new request:
    - Removed -

    Do you have any idea when it would be possible?
     
    #5 Foro Pentaxeros, Sep 13, 2014
    Last edited by a moderator: Sep 14, 2014
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    I've removed your link to the Feature Request you posted. It's in moderated mode and will likely be rejected because there is already a similar Feature Request for mod_spdy in play, with over 80 votes. It also has an Official Response.

    You can find and vote for it, here:
    mod_spdy - cPanel Feature Requests

    Please feel free to add your comments and those links you provided in yours, to this one instead.

    Thanks!
     