This guide will keep working through minor-revision updates of the Apache 2.4.x and PHP 5.x trees. It may need to be updated for future major revisions, but should generally work the same.
First we need to compile our own OpenSSL. I do all my building in /home/compile; you can do yours wherever, though.
This will install OpenSSL to /usr/local/ssl.
Now we need to precompile curlssl.
That will install curl to /opt/curlssl.
Now we need to configure EasyApache to use what we've done.
Here we need to create two files.
Open all_php5 in an editor and place this inside.
Open Apache2_4 in an editor and place this inside.
For perfect forward secrecy and high encryption ratings, follow this next step to save yourself a step later.
Now in WHM go to EasyApache, select build from current profile or choose any options you want to add, build your server, restart Apache, and boom: TLS 1.2 that'll survive updates and passes security testing.
Example of a test against a server on this setup - https://www.ssllabs.com/ssltest/analyze.html?d=rootswitch.com
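First we need to compile our own OpenSSL. I do all my building in /home/compile; you can do yours wherever, though.
Code:
# Download and unpack the OpenSSL source
wget 'http://www.openssl.org/source/openssl-1.0.1e.tar.gz'
tar -zxf openssl-1.0.1e.tar.gz
cd openssl-1.0.1e
# Build shared libraries as position-independent code so other builds can link against them
./config shared -fPIC
make
# Installs to /usr/local/ssl
make install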
Now we need to precompile curlssl.
Code:
# Remove any previous curlssl install
rm -rf /opt/curlssl
# Download and unpack the curl source
wget 'http://curl.haxx.se/download/curl-7.33.0.tar.gz'
tar -zxf curl-7.33.0.tar.gz
cd curl-7.33.0
# Build curl against the OpenSSL in /usr/local/ssl and install it to /opt/curlssl
./configure \
--prefix=/opt/curlssl \
--with-ssl=/usr/local/ssl \
--enable-http \
--enable-ftp \
LDFLAGS=-L/usr/local/ssl/lib \
CPPFLAGS=-I/usr/local/ssl/include
make
make install
Now we need to configure EasyApache to use what we've done.
Code:
cd /var/cpanel/easy/apache/rawopts
Code:
touch all_php5
touch Apache2_4
Code (all_php5):
--enable-ssl
--with-ssl=/usr/local/ssl
--with-curl=/opt/curlssl
LDFLAGS=-L/usr/local/ssl/lib
CPPFLAGS=-I/usr/local/ssl/include
Code (Apache2_4):
--with-ssl=/usr/local/ssl
LDFLAGS=-L/usr/local/ssl/lib
CPPFLAGS=-I/usr/local/ssl/include
- Log in to your WHM.
- Choose Apache Configuration from the left.
- Choose Include Editor.
- Under Pre VirtualHost Include, choose All Versions and place the following code in the box.
Code:
SSLProtocol -SSLv2 +TLSv1.2 +TLSv1.1 +TLSv1 +SSLv3
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA
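To see what the include above actually offers to clients, this added example (not part of the original post) classifies each protocol and cipher token in it. The function names and output tags are the example's own, and any cipher name that does not start with ECDHE- or DHE- is assumed to use static RSA key exchange, which holds for the names in this list.

```sh
#!/bin/sh
# Added example, not from the original post: classify what an Apache TLS
# include offers. Function names and output tags are this example's own.

# Sample input: the four directives from the guide, copied inline.
GUIDE_INCLUDE='SSLProtocol -SSLv2 +TLSv1.2 +TLSv1.1 +TLSv1 +SSLv3
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA'

# Read include text on stdin; print one "TAG value" line per token.
audit_tls_include() {
    while read -r directive args; do
        case "$directive" in
        SSLProtocol)
            for p in $args; do
                case "$p" in
                -*) ;;                                        # explicitly disabled
                *SSLv2|*SSLv3) echo "WEAK-PROTOCOL ${p#+}" ;; # SSLv3: see RFC 7568
                *) echo "PROTOCOL ${p#+}" ;;
                esac
            done ;;
        SSLCipherSuite)
            old_ifs=$IFS; IFS=:
            for c in $args; do
                case "$c" in
                '!'*|-*) ;;                       # exclusions offer nothing
                *RC4*) echo "WEAK-CIPHER $c" ;;   # RC4 in TLS: see RFC 7465
                ECDHE-*|DHE-*) echo "FS $c" ;;    # ephemeral key exchange
                *) echo "NO-FS $c" ;;             # assumed static RSA (see lead-in)
                esac
            done
            IFS=$old_ifs ;;
        SSLCompression|SSLHonorCipherOrder)
            echo "SETTING $directive=$args" ;;
        esac
    done
}

# Number of findings carrying tag $1 in the guide's include.
count_tag() {
    printf '%s\n' "$GUIDE_INCLUDE" | audit_tls_include | grep -c "^$1 " || true
}

printf '%s\n' "$GUIDE_INCLUDE" | audit_tls_include
echo "forward-secret: $(count_tag FS)  static-RSA: $(count_tag NO-FS)"
```

To audit a live server, pipe the saved include text into audit_tls_include instead of the embedded sample.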