SSL configuration security improvements

shacker23

Well-Known Member
Feb 20, 2005
263
1
168
One of my users recently sent me the following email. I generally think of cPanel as being extremely battle-hardened, and in a constant process of fine-tuning security. Therefore I was surprised to see that cPanel systems only get a grade of "C" by default. I'm in general reluctant to take on the technical debt of averring from cPanel defaults. So my question is, should I take his message seriously enough to start digging in and making deep changes to get a better SSL grade? What do you guys do - live with the default setup, or tweak these things? Thanks.

... one other thing I've been thinking about: improving the SSL/TLS
at your server. For example, this is a great SSL configuration
evaluation tool:

https://www.ssllabs.com/ssltest/analyze.html?d=josephhall.org&hideResults=on

I get a "C". :/ And it points out that if the web server supported TLS
1.1 and 1.2 and forward secrecy, it would improve things quite a bit.

I suspect this just enabling TLS 1.1 in Apache configs and then
specifying cipher suites by listing forwardly secret ones first:

https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy
https://community.qualys.com/blogs/...-apache-nginx-and-openssl-for-forward-secrecy
and he follows up with:

It does seem pretty easy to do... e.g., in Apache's
httpd, the attached cookbook (which is quite good) suggests the
following (p. 30):

SSLHonorCipherOrder On
SSLCipherSuite "kEECDH+ECDSA kEECDH kEDH HIGH +SHA +RC4 RC4 !aNULL
!eNULL !LOW !3DES !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA"

which ensures that strong, fast ciphers are chosen first.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,913
2,201
363
Hello :)

I just wanted to note that it's possible to modify the default entry for "SSL Cipher Suite" via:

"WHM Home » Service Configuration » Apache Configuration » Global Configuration"

This thread may also be of interest:

cPanel and OpenSSL 1.0.1c (or higher)

Thank you.