Question
Is it safe to replace Dovecot/Exim with versions that include OpenSSL 1.1.1i statically compiled? Is there any plan/ETA to add TLS 1.3 to every service?
Answer
cPanel added support for TLS 1.3 in version 86. Utilizing TLS 1.3 for services requires that the OpenSSL version is greater than 1.1.x. Most of cPanel's services, like Exim, Dovecot, and cpsrvd, are linked to the OpenSSL version provided by the operating system. CentOS 7 servers use an older OpenSSL, which doesn't support TLS 1.3.
Until the operating system supports TLS 1.3, the highest TLS version that can be used for these services is TLS 1.2. If TLS 1.3 is required for all services, it may be best to migrate to AlmaLinux/CloudLinux 8 or above. These systems ship an OpenSSL that supports TLS 1.3 by default, which would address the concern.
Please do not try to upgrade OpenSSL manually, as this can cause unexpected issues. It is best to migrate to a system that already supports the required OpenSSL version.
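To confirm which OpenSSL a service actually uses before planning a migration, the following added example (not from the original article or from cPanel) classifies an `openssl version` line against 1.1.1, the first OpenSSL release with TLS 1.3, and prints the libssl that each binary passed as an argument is linked to. The function names are hypothetical and no service paths are assumed.

```shell
#!/bin/sh
# Added example, not cPanel tooling. TLS 1.3 first shipped in OpenSSL 1.1.1,
# so a service linked against an older libssl cannot offer it.

# tls13_capable "<line printed by 'openssl version'>"
# Returns 0 for 1.1.1 or newer, 1 for older, 2 if the line is not OpenSSL's.
tls13_capable() {
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^OpenSSL \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver    # intentional word splitting: major minor patch
    if [ "$1" -gt 1 ]; then return 0; fi
    if [ "$1" -eq 1 ] && [ "$2" -gt 1 ]; then return 0; fi
    if [ "$1" -eq 1 ] && [ "$2" -eq 1 ] && [ "$3" -ge 1 ]; then return 0; fi
    return 1
}

# linked_libssl <binary>: print the libssl path the loader resolves for it.
# Prints nothing for a missing file or a binary with no dynamic libssl.
linked_libssl() {
    ldd "$1" 2>/dev/null | awk '/libssl/ { print $3 }'
}

# Report on the system OpenSSL, then on each binary given as an argument
# (pass the paths of the Exim and Dovecot daemons; none are assumed here).
if command -v openssl >/dev/null 2>&1; then
    sys=$(openssl version 2>/dev/null || true)
    rc=0; tls13_capable "$sys" || rc=$?
    case $rc in
        0) echo "$sys: TLS 1.3 possible" ;;
        1) echo "$sys: TLS 1.2 at most" ;;
        *) echo "$sys: not an OpenSSL version line" ;;
    esac
fi
for bin in "$@"; do
    printf '%s -> %s\n' "$bin" "$(linked_libssl "$bin")"
done
```

A binary that prints no libssl path is either missing or not dynamically linked against the system library, so the system OpenSSL version says nothing about what it can negotiate.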