Thought was SSL prob but provider says Apache config?

Discussion in 'EasyApache' started by PhoenixUK, Sep 28, 2015.

  1. PhoenixUK

    PhoenixUK Member

    Hi All,

    I've read through the forums and many G Search results for this but there's nothing relatively recent, taking into account the various negative press articles about SSL/TLS and so forth.

    My VPS has an SSL installed, I'm getting the green padlock in Chrome etc at first glance but when I click the padlock it says that it is using an 'obsolete' cipher suite *please see screenshot*

    20150929_012407.jpg

    Also, when checking the VPS SSL cert etc in Firefox, it says the following (at the bottom of the screenshot)

    20150929_012432.jpg

    For e.g.

    My mail-server configuration is set-up currently to use;

    Cipher Suite: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    Protocols: !SSLv2 !SSLv3

    There's no mention of TLS in the above, so I'm unsure what I am missing / doing wrong here.

    Therefore, can somebody kindly share what is the latest and safest cipher suite and relevant protocols for me to use for my VPS as a whole please, (All 4 services) it would be very much appreciated and put me out of my misery.

    Regards,
     
  2. acenetgeorge

    acenetgeorge Well-Known Member
    PartnerNOC

    We had a cipher suite recommended by cPanel a couple of months ago, to fix a lot of browser issues. This needs to be changed in the following locations in WHM:

    1) Apache General Config
    2) Mailserver Config
    3) cPanel Web services Config
    4) Exim Advanced Configuration Editor (tls_require_ciphers)
    5) cPanel Web Disk Config

    The cipher suite is as follows (all one line):
    Code:
    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH
    
    
    Once you have those changed, you can test a domain name with an SSL on that particular using the following:

    https://www.ssllabs.com/ssltest/index.html
     
    #2 acenetgeorge, Sep 29, 2015
    Last edited by a moderator: Sep 30, 2015
  3. PhoenixUK

    PhoenixUK Member

    Hi All,

    I just sent this following email to my SSL provider;

    They then replied with the following;

    So my question is, what is the safest current Cipher Suite to select in Apache and the best Protocol and that will get rid of Google Chrome for e.g. saying it's private but using an obsolete cipher suite.

    My current cipher suite is selected as: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH

    Current protocol selected as: All -SSLv2 -SSLv3 default

    I hope to hear from somebody in due course and I can hopefully nail this issue once and for all. :)

    Regards,
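
Added example, not part of any post in this thread and not cPanel's code: a static check of the two cipher lists quoted above, showing which tokens add suites, which ban them, and whether forward-secret suites are listed first. The WEAK keyword set and the report fields are assumptions of this example; what a string really expands to depends on the installed OpenSSL, which `openssl ciphers -v '<string>'` lists.

```python
import re

# Keywords treated as weak or unauthenticated (set chosen for this example).
WEAK = {"RC4", "MD5", "DES", "3DES", "EXP", "EXPORT", "NULL", "aNULL", "eNULL", "LOW", "ADH"}
BROAD = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}  # aliases that expand per OpenSSL build
FS = ("ECDHE-", "DHE-")  # suite-name prefixes that give forward secrecy

def parse(cipher_list):
    """Split an OpenSSL cipher list into (operator, name) rules.
    '' adds suites, '!' removes permanently, '-' removes, '+' moves to the end."""
    rules = []
    for tok in filter(None, re.split(r"[:, ]+", cipher_list.strip())):
        op = tok[0] if tok[0] in "!-+" else ""
        rules.append((op, tok[len(op):]))
    return rules

def lint(cipher_list):
    """Report what the string itself adds and bans, without calling OpenSSL."""
    rules = parse(cipher_list)
    added = [name for op, name in rules if op == ""]
    banned = {name for op, name in rules if op == "!"}
    explicit = [n for n in added if n not in BROAD and "+" not in n]
    fs_flags = [n.startswith(FS) for n in explicit]
    return {
        "broad_aliases": [n for n in added if n in BROAD],
        "weak_added": [n for n in added if WEAK & set(re.split(r"[+-]", n))],
        "not_banned": sorted({"aNULL", "RC4", "MD5"} - banned),
        # True when no forward-secret suite is listed after a non-forward-secret one
        "fs_listed_first": fs_flags == sorted(fs_flags, reverse=True),
        "fs_count": sum(fs_flags),
    }

# Both strings are copied from the posts above.
OLD = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"
NEW = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:"
    "AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:"
    "DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH"
)

if __name__ == "__main__":
    for label, s in (("original", OLD), ("suggested", NEW)):
        print(label, lint(s))
```

The report shows the original list adding RC4 explicitly through `RC4+RSA` on top of the broad `ALL` alias, while the suggested list puts its twelve ECDHE suites first and keeps `DES-CBC3-SHA` (3DES) as its only legacy entry.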
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  5. Jcats

    Jcats Well-Known Member

  6. PhoenixUK

    PhoenixUK Member

  7. PhoenixUK

    PhoenixUK Member

  8. PhoenixUK

    PhoenixUK Member

    Hi There,

    Thanks for this information, it's much appreciated. Unbeknown to me and my memory, I'd posted this one you have replied to and a few days later, posted totally innocently another topic about the same issue - My bad.

    Anyway, may I ask what cipher protocol are you using with the above suite please?

    Also, can I safely enter the above suite in ALL of the above mentioned services and not see any negative impact?

    Thanks and I look forward to hearing from you in due course.

    Regards,
     
