Recommendations for TLS implementation

dualmonitor

Active Member
cPanel Access Level
Root Administrator
Mozilla recently updated this page:

https://wiki.mozilla.org/Security/Server_Side_TLS

...with details on optimal TLS implementation.

I believe that currently cPanel users are not able to implement the most recent versions of TLS because of the outdated OpenSSL we are stuck with. (see http://forums.cpanel.net/f185/cpanel-openssl-1-0-1c-higher-332001-p2.html )

That said, does anyone have any feelings about how we should modify the recommendations for Apache found on that page from Mozilla:

Code:
<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile      /path/to/signed_certificate
    SSLCertificateChainFile /path/to/intermediate_certificate
    SSLCertificateKeyFile   /path/to/private/key
    SSLCACertificateFile    /path/to/all_ca_certs
    SSLProtocol             all -SSLv2
    SSLCipherSuite          <recommended ciphersuite from top of this page>
    SSLHonorCipherOrder     on
    SSLCompression          off

    # OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling          on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache        shmcb:/var/run/ocsp(128000)
 
    # Enable this if you want HSTS (recommended, but be careful)
    # Header add Strict-Transport-Security "max-age=15768000"
 
    ...
</VirtualHost>
I know HSTS is straightforward (and awesome). But I'm curious about the rest.
 

cPanelMichael

Administrator
Staff member
Hello :)

I just wanted to note there is a workaround available at:

Update cPanel TLS

It's not something we directly support but you are welcome to explore using it if necessary.

Thank you.
 

robb3369

Well-Known Member
cPanel Access Level
Root Administrator
Actually, we have cPanel 11.40.1 running on CloudLinux 6.5 with OpenSSL 1.0.1e-fips (but only at Apache 2.2.26). I've managed to get HSTS running (based on a single site) by adding it using the templates covered here: Custom Templates

Basically added the following snippet:
Code:
<IfModule mod_headers.c>
        # Use HTTP Strict Transport Security to force client to use secure connections only
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
</IfModule>
I used 6 months, which is the min for SSLLabs.com testing... We scored an A+; the individual scores would be higher if we disabled support for older browsers like IE6 and 7, but we have users still using those. Once I get things wrapped up, I will post a full follow-up...
 


vlee

Well-Known Member
cPanel Access Level
Root Administrator
I did this below in the httpd.conf file. Thus I scored A-.

Code:
SSLProtocol -ALL +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
Then I have this below as the TLS/SSL Cipher List. I know this can be improved, and I welcome those who have a better TLS/SSL Cipher List to score at least an A+ without causing issues that may arise.

Code:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA
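
Added example, not posted by anyone in the thread: a small audit of the cipher list from the last post, labelling each element and reporting where a suite without forward secrecy outranks forward-secret ones and where RC4 is added back. The function names and labels are made up for this sketch, and it assumes explicit suite names and `+`-joined selectors as in the posted list; group keywords such as HIGH are not expanded (`openssl ciphers -v` does that).

```python
import re

# Cipher string copied from the last post in the thread.
POSTED = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:"
    "AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
    "!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA"
)
FS_PREFIXES = {"ECDHE", "DHE", "EECDH", "EDH"}  # ephemeral (EC)DH key exchange


def classify(token):
    """Label one element of an OpenSSL cipher string (labels are this sketch's own)."""
    if token[0] == "!":
        return "excluded"  # permanently removed from the list
    if token[0] == "-":
        return "removed"   # removed, but a later element may add it back
    # A leading "+" only moves suites to the end; "+" inside a token means AND.
    parts = re.split(r"[-+]", token.lstrip("+").upper())
    if "RC4" in parts:
        return "rc4"
    return "forward-secret" if parts[0] in FS_PREFIXES else "no-forward-secrecy"


def audit(cipher_string):
    """Return (labels, findings); order matters when SSLHonorCipherOrder is on."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_string.strip()) if t]
    labels = [(t, classify(t)) for t in tokens]
    findings = []
    for i, (tok, kind) in enumerate(labels):
        if kind == "rc4":
            findings.append(f"{tok}: adds RC4 suites (prohibited by RFC 7465)")
        elif kind == "no-forward-secrecy":
            later = sum(1 for _, k in labels[i + 1:] if k == "forward-secret")
            if later:
                findings.append(f"{tok}: preferred over {later} forward-secret suite(s)")
    return labels, findings


if __name__ == "__main__":
    labels, findings = audit(POSTED)
    for tok, kind in labels:
        print(f"{kind:20} {tok}")
    print("\n".join(findings))
```
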