One of my users recently sent me the following email. I generally think of cPanel as being extremely battle-hardened, and in a constant process of fine-tuning security. Therefore I was surprised to see that cPanel systems only get a grade of "C" by default. I'm in general reluctant to take on the technical debt of averring from cPanel defaults. So my question is, should I take his message seriously enough to start digging in and making deep changes to get a better SSL grade? What do you guys do - live with the default setup, or tweak these things? Thanks.
and he follows up with:

... one other thing I've been thinking about: improving the SSL/TLS at your server. For example, this is a great SSL configuration evaluation tool:

https://www.ssllabs.com/ssltest/analyze.html?d=josephhall.org&hideResults=on

I get a "C". :/ And it points out that if the web server supported TLS 1.1 and 1.2 and forward secrecy, it would improve things quite a bit. I suspect this is just enabling TLS 1.1 in Apache configs and then specifying cipher suites by listing forwardly secret ones first:

https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy
https://community.qualys.com/blogs/...-apache-nginx-and-openssl-for-forward-secrecy

It does seem pretty easy to do... e.g., in Apache's httpd, the attached cookbook (which is quite good) suggests the following (p. 30):
SSLHonorCipherOrder On
SSLCipherSuite "kEECDH+ECDSA kEECDH kEDH HIGH +SHA +RC4 RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA"

which ensures that strong, fast ciphers are chosen first.
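As an added check (not code from the original post or from the Qualys cookbook), the script below hands the quoted SSLCipherSuite string to the local OpenSSL through Python's ssl module and reports whether forward-secret suites really come first in the order a server with SSLHonorCipherOrder On would use, and it can also probe a server you operate to see what actually gets negotiated. It assumes OpenSSL 1.1 or later, where the ECDHE-/DHE- name prefixes are the only ephemeral key exchanges, and the host name in probe() is a placeholder for your own server.

```python
import socket
import ssl

# The cipher string quoted in the email above, exactly as Apache would
# hand it to OpenSSL.
COOKBOOK_SUITE = ("kEECDH+ECDSA kEECDH kEDH HIGH +SHA +RC4 RC4 !aNULL !eNULL "
                  "!LOW !3DES !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA")


def is_forward_secret(name):
    """Ephemeral (EC)DH key exchange gives forward secrecy, and every
    TLS 1.3 suite (named TLS_*) does; static RSA/DH/ECDH exchange does not.
    Assumes OpenSSL >= 1.1 naming (ECDHE-, DHE-, legacy EDH-)."""
    return name.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_"))


def expand_suite(cipher_string):
    """Ordered cipher names the local OpenSSL derives from a cipher string,
    i.e. the preference order an SSLHonorCipherOrder On server applies."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing at all matches
    return [c["name"] for c in ctx.get_ciphers()]


def evaluate_suite(cipher_string):
    names = expand_suite(cipher_string)
    # TLS 1.3 suites are listed by OpenSSL but are not governed by
    # SSLCipherSuite, so only the TLS 1.2-and-below part is graded here.
    tls12 = [n for n in names if not n.startswith("TLS_")]
    fs = [n for n in tls12 if is_forward_secret(n)]
    legacy = [n for n in tls12
              if any(w in n for w in ("RC4", "DES", "MD5", "NULL"))]
    return {
        "count": len(tls12),
        "forward_secret": len(fs),
        "first_is_forward_secret": bool(tls12) and is_forward_secret(tls12[0]),
        # RC4 fallbacks the 2013 cookbook keeps for old clients, if this
        # OpenSSL build still has them; everything else weak is excluded.
        "legacy": legacy,
    }


def probe(host, port=443):
    """Connect to a server you run and report what was really negotiated;
    create_default_context() verifies the certificate as a browser would."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _proto, _bits = tls.cipher()
            return {"protocol": tls.version(), "cipher": name,
                    "forward_secret": is_forward_secret(name)}


if __name__ == "__main__":
    print(evaluate_suite(COOKBOOK_SUITE))
    # print(probe("www.example.org"))  # placeholder: use your own host
```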