SSL configuration security improvements

shacker23

Well-Known Member
Feb 20, 2005
One of my users recently sent me the following email. I generally think of cPanel as being extremely battle-hardened, and in a constant process of fine-tuning security. Therefore I was surprised to see that cPanel systems only get a grade of "C" by default. I'm in general reluctant to take on the technical debt of averring from cPanel defaults. So my question is, should I take his message seriously enough to start digging in and making deep changes to get a better SSL grade? What do you guys do - live with the default setup, or tweak these things? Thanks.

... one other thing I've been thinking about: improving the SSL/TLS
at your server. For example, this is a great SSL configuration
evaluation tool:

https://www.ssllabs.com/ssltest/analyze.html?d=josephhall.org&hideResults=on

I get a "C". :/ And it points out that if the web server supported TLS
1.1 and 1.2 and forward secrecy, it would improve things quite a bit.

I suspect this is just enabling TLS 1.1 in Apache configs and then
specifying cipher suites by listing forward-secret ones first:

https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy
https://community.qualys.com/blogs/...-apache-nginx-and-openssl-for-forward-secrecy
and he follows up with:

It does seem pretty easy to do... e.g., in Apache's
httpd, the attached cookbook (which is quite good) suggests the
following (p. 30):

SSLHonorCipherOrder On
SSLCipherSuite "kEECDH+ECDSA kEECDH kEDH HIGH +SHA +RC4 RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA"

which ensures that strong, fast ciphers are chosen first.
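
Before pasting the cookbook string into the WHM "SSL Cipher Suite" field, it is worth expanding it with the server's own OpenSSL to see what Apache would actually offer. The script below is an added example, not code from the thread, the cookbook or cPanel; it assumes Python 3.6+ linked against OpenSSL 1.1 or newer, and the helper names (expand_cipher_string, audit_cipher_string, EXCLUDED_FRAGMENTS) are my own.

```python
import ssl

# The SSLCipherSuite value quoted from the cookbook in the post above.
# Apache hands this string to OpenSSL unchanged, and Python's ssl module speaks
# the same OpenSSL cipher-string syntax, so the expansion below is what the
# local OpenSSL build would actually offer.
COOKBOOK_SUITE = ("kEECDH+ECDSA kEECDH kEDH HIGH +SHA +RC4 RC4 !aNULL "
                  "!eNULL !LOW !3DES !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA")

# Key-exchange tags from SSLContext.get_ciphers() that give forward secrecy.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe"}

# Name fragments of the families the cookbook string removes with "!".
# "ECDH-" matches static ECDH (e.g. ECDH-RSA-...), not ECDHE-.
EXCLUDED_FRAGMENTS = ("NULL", "DES-CBC3", "MD5", "EXP", "DSS", "PSK", "SRP",
                      "CAMELLIA", "ECDH-")


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string into the ordered TLS<=1.2 suite list.
    TLS 1.3 suites are configured separately and ignore SSLCipherSuite,
    so they are dropped from the result."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)     # ssl.SSLError if nothing matches at all
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_string(cipher_string):
    """Report whether the expanded list leads with forward-secret suites and
    whether any excluded family survived the expansion."""
    suites = expand_cipher_string(cipher_string)
    # With SSLHonorCipherOrder On, the server picks the first suite in this
    # list that the client also offers, so count the forward-secret prefix.
    fs_prefix = 0
    for suite in suites:
        if suite["kea"] not in FORWARD_SECRET_KX:
            break
        fs_prefix += 1
    leftovers = [s["name"] for s in suites
                 if s["auth"] == "auth-null"
                 or any(frag in s["name"] for frag in EXCLUDED_FRAGMENTS)]
    return {
        "total": len(suites),
        "fs_prefix": fs_prefix,
        "leads_with_ecdhe": bool(suites) and suites[0]["kea"] == "kx-ecdhe",
        "excluded_present": leftovers,
        "order": [s["name"] for s in suites],
    }
```

Run audit_cipher_string(COOKBOOK_SUITE) on the cPanel box itself, since the result depends on which suites that OpenSSL build was compiled with; the "order" list is the exact preference order Apache will honour.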

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello :)

I just wanted to note that it's possible to modify the default entry for "SSL Cipher Suite" via:

"WHM Home » Service Configuration » Apache Configuration » Global Configuration"

This thread may also be of interest:

cPanel and OpenSSL 1.0.1c (or higher)

Thank you.