The Community Forums


SSL Cipher Suite

Discussion in 'Security' started by dah5meuk, Aug 20, 2014.

  1. dah5meuk

    dah5meuk Registered

    Joined:
    Jun 26, 2011
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Hello

    I have installed a valid SSL certificate on my server and it works fine.

    One thing that puzzles me is that I have tweaked the SSL Cipher Suite under cPanel Web Services Configuration to allow 256-bit encryption, and Google Chrome confirms this was successful.

    However, when I use the same cipher suite in Apache Configuration > Global Configuration > SSL Cipher Suite, the websites show as 128-bit encryption.

    Why is cPanel allowing a 256-bit encryption level for the software itself but not for the websites hosted by it?

    The cipher I'm using is...

    EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5

    cPanel/WHM Version: 11.44.1 (build 17)

    Any ideas on how I can fix this?


    Kind Regards

    David
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  3. dah5meuk

    dah5meuk Registered

    Joined:
    Jun 26, 2011
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Support Ticket has been raised and the ticket number is 5367565!
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    To update, the user was advised to add the following entry in the /usr/local/apache/conf/includes/pre_virtualhost_2.conf file before restarting Apache:

    Code:
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    Thank you.
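    The two directives above do different jobs: SSLProtocol drops SSLv2/SSLv3, while SSLHonorCipherOrder on makes Apache choose from its own list order instead of the client's (mod_ssl defaults to off). Without it, a browser that ranks 128-bit AES first negotiates 128-bit even when the server's string lists 256-bit suites first, which is the symptom in the opening post. The script below is an added example, not code from cPanel or from anyone in this thread; it simulates TLS 1.2 suite selection using real OpenSSL suite names, with preference orders that are constructed for illustration.

```python
import re

# Constructed sample lists (not from the thread): real OpenSSL suite names,
# illustrative ordering. The server ranks its 256-bit suites first.
SERVER_PREFERENCE = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "AES256-SHA",
    "AES128-SHA",
]

# Constructed: a browser that ranks 128-bit AES-GCM above 256-bit AES, as
# many 2014-era clients did, while still supporting the 256-bit suites.
CLIENT_PREFERENCE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES128-SHA",
    "AES256-SHA",
]


def symmetric_key_bits(suite_name):
    """Bulk-cipher key length parsed from an OpenSSL suite name.

    Only AES (128/256) and RC4 (128) are recognised; anything else gives None.
    """
    match = re.search(r"AES(128|256)", suite_name)
    if match:
        return int(match.group(1))
    if "RC4" in suite_name:
        return 128
    return None


def negotiate(server_suites, client_suites, honor_server_order):
    """Return the suite a TLS 1.2 handshake settles on, or None if no overlap.

    honor_server_order=False mirrors SSLHonorCipherOrder off (the client's
    order decides); True mirrors SSLHonorCipherOrder on (the server's order
    decides). An empty intersection means the handshake fails outright.
    """
    if honor_server_order:
        preferred, other = server_suites, client_suites
    else:
        preferred, other = client_suites, server_suites
    offered = set(other)
    for suite in preferred:
        if suite in offered:
            return suite
    return None


def compare_settings(server_suites=SERVER_PREFERENCE,
                     client_suites=CLIENT_PREFERENCE):
    """Negotiate under both settings; map setting -> (suite, key bits)."""
    results = {}
    for honor in (False, True):
        chosen = negotiate(server_suites, client_suites, honor)
        label = "SSLHonorCipherOrder on" if honor else "SSLHonorCipherOrder off"
        results[label] = (chosen, symmetric_key_bits(chosen) if chosen else None)
    return results


if __name__ == "__main__":
    for setting, (suite, bits) in compare_settings().items():
        print(f"{setting}: {suite} ({bits}-bit)")
    # A peer that shares no suite with the server cannot connect at all.
    legacy_peer = ["DES-CBC3-SHA", "RC4-SHA"]  # constructed
    print("legacy peer:", negotiate(SERVER_PREFERENCE, legacy_peer, True))
```

    The same intersection logic explains the other failure mode a cipher change can cause: if a peer offers nothing on the server's list, there is no session at all rather than a weaker one, so the list should be checked against every client and server-to-server connection that has to keep working.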
     
  5. Kurieuo

    Kurieuo Well-Known Member

    Joined:
    Dec 13, 2002
    Messages:
    98
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Australia
    Just wondering.

    Is there a reason that cPanel doesn't include a cipher that can be selected to support the full 256-bit encryption in many SSL certificates? Why is the default at 128-bit?

    Thanks David for supplying your string. I've stolen it and tried it out, and all certificates are now running at 256-bit strength. ;)

    But, what am I missing? Why isn't support for higher encryption more common amongst web hosts? Are there any consequences for upgrading the ciphers to be 256-bit compatible? Is it more of a speed issue? Perhaps device incompatibilities or something?

    Many thanks! Kuri
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    This type of discussion is better suited towards our feature request system. Feel free to submit a feature request for native support or the default enabling of this option:

    Submit A Feature Request

    Thank you.
     
  7. Kurieuo

    Kurieuo Well-Known Member

    Joined:
    Dec 13, 2002
    Messages:
    98
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Australia
    For anyone who wants to vote it in: - Removed -
     
    #7 Kurieuo, Sep 15, 2014
    Last edited by a moderator: Sep 16, 2014
  8. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,446
    Likes Received:
    195
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
  9. Kurieuo

    Kurieuo Well-Known Member

    Joined:
    Dec 13, 2002
    Messages:
    98
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Australia
    Your ticket doesn't add in support for 256-bit encryption though?
     
  10. Kurieuo

    Kurieuo Well-Known Member

    Joined:
    Dec 13, 2002
    Messages:
    98
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Australia
    Never mind, I now realise that cipher availability depends upon OS and OpenSSL versions.

    My CloudLinux 5.1 with v0.9.8 just doesn't seem to pick up 256-bit encryption with the default cipher suite string. Sadly my versions also mean no TLS 1.1/1.2.

    https://www.ssllabs.com/ is a very helpful site.
     
  11. qdixon

    qdixon Registered

    Joined:
    Mar 23, 2010
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    This is the cipher I am using as of June 25th 2015 and it gives me A+:

    Code:
    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!DH:!MD5:!PSK:!RC4
     
  12. vlee

    vlee Well-Known Member

    Joined:
    Oct 13, 2005
    Messages:
    272
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    Las Vegas, Nevada, United Stat
    cPanel Access Level:
    Root Administrator
    Information for everyone.

    Be careful when using custom ciphers for SSL, especially when using DNS Only Servers, because some cipher lists can cause more problems than they are worth.

    For Web Servers and DNS Only Servers you need to make sure you have a reverse trust relationship between them. Some cipher lists will cause you more problems than they are worth, which I found out about 3 days ago when I noticed that my DNS Only Servers could not connect to the Web Servers because I had the cipher below on my web servers.

    Code:
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    With the great work from Tristan and the rest of cPanel support who worked on the issue, we were able to find out the cause of the issue: the cipher list above does not work when using DNS Only Servers.

    So I made a new cipher list, based off of the default cipher in cPanel, and Tristan from cPanel tested it to make sure it worked for Web Servers and DNS Only Servers, and it works fine with no issues.

    So feel free to use this cipher list below.

    Code:
    ALL:!ADH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
     
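    The thread does not record which suite the DNS Only servers needed, only that the first list broke the trust connections and the default-based list did not, and a later reply reports a list "comes back as invalid". Before putting a cipher string into a live config, a practitioner can expand it with the local OpenSSL to confirm it selects something at all, see which suites a stricter string removes relative to a known-good one, and verify the negative rules really took effect. The script below is an added example, not cPanel's code or vlee's; it copies the two cipher strings from the post above and resolves them through the OpenSSL linked into Python's ssl module, so the resolved lists depend on the OpenSSL build it runs on.

```python
import ssl

# Cipher strings copied from the post above: the strict list that broke the
# DNS Only trust connections, and the default-based replacement.
STRICT_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
)
DEFAULT_BASED_LIST = (
    "ALL:!ADH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:"
    "+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"
)


def resolve(cipher_string):
    """Expand a cipher string with the OpenSSL linked into this Python.

    Returns [] when OpenSSL rejects the string because it selects no suite,
    the "invalid" outcome worth catching before it reaches a live config.
    Suites come back in the order the server would prefer them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # TLS 1.3 suites are configured separately and ignore this string,
    # so drop them to see only what the string actually controls.
    return [
        c for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3" and not c["name"].startswith("TLS_")
    ]


def suite_names(cipher_string):
    return [c["name"] for c in resolve(cipher_string)]


def dropped_suites(strict_string, baseline_string):
    """Suites the baseline string offers that the stricter one no longer does."""
    kept = set(suite_names(strict_string))
    return [name for name in suite_names(baseline_string) if name not in kept]


def forbidden_suites(cipher_string, markers=("RC4", "MD5", "DES", "NULL", "EXP")):
    """Resolved suites whose name still carries something the string bans."""
    return [n for n in suite_names(cipher_string) if any(m in n for m in markers)]


if __name__ == "__main__":
    for label, s in (("strict", STRICT_LIST), ("default-based", DEFAULT_BASED_LIST)):
        names = suite_names(s)
        print(f"{label}: {len(names)} suites; leftovers: {forbidden_suites(s)}")
    print("offered only by the default-based list:")
    for name in dropped_suites(STRICT_LIST, DEFAULT_BASED_LIST):
        print("  ", name)
```

    The same expansion is available on the command line as `openssl ciphers -v '<string>'`, which is the quickest way to compare what two machines with different OpenSSL versions (such as the 0.9.8 build mentioned earlier in the thread) will actually offer each other.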
  13. Arcfives

    Arcfives Registered

    Joined:
    Jan 17, 2016
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    United States
    cPanel Access Level:
    Root Administrator

    I've tried to use your list and it comes back as invalid.
     
  14. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    648
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Could you provide more details about the specific error message you receive, and the method you used to update it?

    Thank you.
     
  15. JBF

    JBF Registered

    Joined:
    Sep 11, 2010
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    How did you change this on the DNS only server? I see no Apache options in the GUI, and the correct Apache config file is difficult to locate as they are scattered all over the OS.
     
  16. vlee

    vlee Well-Known Member

    Joined:
    Oct 13, 2005
    Messages:
    272
    Likes Received:
    6
    Trophy Points:
    18
    Location:
    Las Vegas, Nevada, United Stat
    cPanel Access Level:
    Root Administrator
    Everything is handled on the Web Servers.

    The problem was that when the Web Servers and DNS Only servers were communicating with each other there were trust issues due to the cipher list on the Web Servers.

    I hope this helps.
     