The Community Forums


Recommendations for TLS implementation

Discussion in 'Security' started by dualmonitor, Nov 13, 2013.

  1. dualmonitor

    dualmonitor Active Member

    Mozilla recently updated this page:

    https://wiki.mozilla.org/Security/Server_Side_TLS

    ...with details on optimal TLS implementation.

    I believe that currently cPanel users are not able to implement the most recent versions of TLS because of the outdated OpenSSL we are stuck with (see http://forums.cpanel.net/f185/cpanel-openssl-1-0-1c-higher-332001-p2.html).

    That said, does anyone have any feelings about how we should modify the recommendations for Apache found on that page from Mozilla:

    Code:
    <VirtualHost *:443>
        ...
        SSLEngine on
        SSLCertificateFile      /path/to/signed_certificate
        SSLCertificateChainFile /path/to/intermediate_certificate
        SSLCertificateKeyFile   /path/to/private/key
        SSLCACertificateFile    /path/to/all_ca_certs
        SSLProtocol             all -SSLv2
        SSLCipherSuite          <recommended ciphersuite from top of this page>
        SSLHonorCipherOrder     on
        SSLCompression          off

        # OCSP Stapling, only in httpd 2.3.3 and later
        SSLUseStapling          on
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
        SSLStaplingCache        shmcb:/var/run/ocsp(128000)

        # Enable this if you want HSTS (recommended, but be careful)
        # Header add Strict-Transport-Security "max-age=15768000"

        ...
    </VirtualHost>
    I know HSTS is straightforward (and awesome). But I'm curious about the rest.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    I just wanted to note there is a workaround available at:

    Update cPanel TLS

    It's not something we directly support but you are welcome to explore using it if necessary.

    Thank you.
     
  3. robb3369

    robb3369 Well-Known Member

    Actually, we have cPanel 11.40.1 running on CloudLinux 6.5 with OpenSSL 1.0.1e-fips (but only at Apache 2.2.26). I've managed to get HSTS running (based on a single site) by adding it using the templates covered here: Custom Templates

    Basically added the following snippet:
    Code:
    <IfModule mod_headers.c>
            # Use HTTP Strict Transport Security to force client to use secure connections only
            Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
    </IfModule>
    I used 6 months, which is the minimum for SSLLabs.com testing... We scored an A+; the individual scores would be higher if we disabled support for older browsers like IE6 and 7, but we have users still using those. Once I get things wrapped up, I will post a full follow-up...
     

  4. vlee

    vlee Well-Known Member


    I did this below in the httpd.conf file. Thus I scored an A-.

    Code:
    SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

    Then I have this below as the TLS/SSL Cipher List. I know this can be improved, and I welcome those who have a better TLS/SSL Cipher List that scores at least an A+ without causing issues that may arise.

    Code:
    ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA
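The settings this thread compares (the SSLProtocol line, the cipher list, cipher order, compression and the HSTS header) can be checked offline before re-running the SSL Labs test. The following lint is an added example, not code from the thread or from cPanel; SAMPLE_CONF is a constructed merge of the snippets posted above (cipher list abridged), and MIN_HSTS_AGE, parse_directives and lint_tls are names chosen here.

```python
import re

# Constructed sample: the SSLProtocol line and an abridged cipher list from the
# posts above, merged with the HSTS header from the mod_headers snippet.
SAMPLE_CONF = """
SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA
SSLHonorCipherOrder on
SSLCompression off
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
"""

MIN_HSTS_AGE = 15768000  # six months, the floor mentioned in this thread


def parse_directives(conf):
    """Map directive name -> argument string; an HSTS Header line is keyed 'HSTS'."""
    out = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        if name == "Header" and "Strict-Transport-Security" in args:
            name = "HSTS"
        out[name] = args.strip()
    return out


def lint_tls(conf):
    """Return findings for the weak settings discussed above, in a fixed order.
    Absent directives are treated conservatively (protocol 'all', compression on)."""
    d = parse_directives(conf)
    findings = []
    proto = d.get("SSLProtocol", "all").lower().split()
    # "all" keeps SSLv3 enabled unless it is explicitly subtracted (as in "all -SSLv2").
    if "+sslv3" in proto or ("all" in proto and "-sslv3" not in proto):
        findings.append("SSLProtocol allows SSLv3")
    for tok in d.get("SSLCipherSuite", "").split(":"):
        if "RC4" in tok.upper() and tok[:1] not in "!-":  # skip !RC4 / -RC4 exclusions
            findings.append("SSLCipherSuite enables RC4 (%s)" % tok)
            break
    if d.get("SSLHonorCipherOrder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder is not on")
    if d.get("SSLCompression", "on").lower() != "off":
        findings.append("SSLCompression is not off (CRIME)")
    m = re.search(r"max-age=(\d+)", d.get("HSTS", ""))
    if m is None:
        findings.append("no Strict-Transport-Security header")
    elif int(m.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS max-age below %d" % MIN_HSTS_AGE)
    return findings
```

Run against SAMPLE_CONF it reports the SSLv3 and RC4 entries, which are the two items separating the A- configuration from the Mozilla page's intent; the Mozilla snippet's own `all -SSLv2` is flagged for SSLv3 as well.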
     