You see an error when adding an SSL cipher suite such as TLS_AES_256_GCM_SHA384 to Apache.
When trying to save your changes in WHM » Service Configuration » Apache Configuration » Global Configuration, you see an error at the bottom of the next page before rebuilding and restarting Apache, for example:
The following settings are invalid and were rejected:
- sslciphersuite: TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
This issue occurs because one or more of the cipher suites that you attempted to enable are not supported by the TLS versions that are enabled on the same page.
Either enable the TLS version that supports those cipher suites, or remove the cipher suites that the enabled TLS versions do not support.
The following command lists the supported cipher suites for each TLS version:
[root@server]# /opt/cpanel/ea-openssl11/bin/openssl ciphers -s -tls1_3
Replace tls1_3 with the corresponding TLS version, such as the following for TLS 1.2:
[root@server]# /opt/cpanel/ea-openssl11/bin/openssl ciphers -s -tls1_2
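As an added example (not part of the original article and not cPanel tooling), the shell functions below use the command above to report which explicitly named suites in an sslciphersuite value are offered by none of the TLS versions you pass in. The function names and the OPENSSL override variable are assumptions; cipher-string keywords such as HIGH or !aNULL are not expanded.

```shell
#!/bin/sh
# Added example: find suites in an sslciphersuite value that no enabled
# TLS version supports. Function names here are hypothetical helpers.

# OpenSSL binary path taken from the article; override with OPENSSL=... if needed.
OPENSSL="${OPENSSL:-/opt/cpanel/ea-openssl11/bin/openssl}"

# supported_for VERSION_FLAG
# Prints the colon-separated suites for one TLS version, e.g. supported_for tls1_3
supported_for() {
    "$OPENSSL" ciphers -s "-$1"
}

# unsupported_suites CIPHER_STRING SUPPORTED_LIST
# Prints, one per line, each suite named in CIPHER_STRING that does not
# appear in the colon-separated SUPPORTED_LIST.
unsupported_suites() {
    (
        supported=":$2:"
        IFS=:      # split the cipher string on colons
        set -f     # no filename globbing while splitting
        for suite in $1; do
            case "$supported" in
                *":$suite:"*) ;;                  # some enabled version offers it
                *) printf '%s\n' "$suite" ;;      # would be rejected
            esac
        done
    )
}

# check_cipher_string CIPHER_STRING VERSION_FLAG...
# Collects the supported suites for every listed TLS version, then reports
# the suites from CIPHER_STRING that none of those versions offer.
check_cipher_string() {
    cipher_string=$1
    shift
    all_supported=""
    for version in "$@"; do
        all_supported="$all_supported:$(supported_for "$version")"
    done
    unsupported_suites "$cipher_string" "$all_supported"
}

# Usage (on the server, with only TLS 1.2 enabled):
#   check_cipher_string 'TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256' tls1_2
```

Empty output means every named suite is offered by at least one of the listed versions; any suite printed needs its TLS version enabled or must be removed from the cipher string.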
For example, for the cipher suite TLS_AES_256_GCM_SHA384 to be valid, enter the following in the SSL/TLS Protocols section: