You might see an error when adding an SSL cipher suite such as "TLS_AES_256_GCM_SHA384" to Apache.
When you try to save your changes in WHM » Service Configuration » Apache Configuration » Global Configuration, an error appears at the bottom of the next page, before Apache is rebuilt and restarted. For example:
The following settings are invalid and were rejected:
- sslciphersuite: TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
This issue occurs because one or more of the cipher suites that you've attempted to enable are not supported by the TLS version(s) that are set on the same page.
You will need to either enable the TLS version that supports those cipher suites or remove the cipher suites that the enabled TLS versions do not support.
You can use the following command to list the supported cipher suites for each TLS version:
# /opt/cpanel/ea-openssl11/bin/openssl ciphers -s -tls1_3
Replace "tls1_3" with the corresponding TLS version, such as the following for TLS 1.2:
/opt/cpanel/ea-openssl11/bin/openssl ciphers -s -tls1_2
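As an added example (not part of the original article or cPanel's own tooling), the script below runs both commands and reports, for each suite in the rejected value shown above, which TLS version supports it. The function names and the TLSv1.2/TLSv1.3 labels are this example's own choices, and the OpenSSL path is assumed to be the one used in the commands above.

```shell
#!/bin/sh
# Added example: map each configured cipher suite to the TLS version that supports it.
# OPENSSL defaults to the binary path used in the article; override it if yours differs.
OPENSSL="${OPENSSL:-/opt/cpanel/ea-openssl11/bin/openssl}"

# The rejected "sslciphersuite" value from the error shown in the article.
CONFIGURED='TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'

# in_list LIST SUITE: succeed only on an exact match of SUITE in the colon-separated LIST.
in_list() {
    case ":$1:" in
        *":$2:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# map_suites CONFIGURED TLS12_LIST TLS13_LIST
# Prints "<suite> <TLSv1.3|TLSv1.2|unsupported>" for every configured suite.
map_suites() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r suite; do
        [ -n "$suite" ] || continue          # skip empty entries such as "a::b"
        if in_list "$3" "$suite"; then proto=TLSv1.3
        elif in_list "$2" "$suite"; then proto=TLSv1.2
        else proto=unsupported               # typo, or not built into this OpenSSL
        fi
        printf '%s %s\n' "$suite" "$proto"
    done
}

# required_protocols CONFIGURED TLS12_LIST TLS13_LIST
# Prints the distinct TLS versions the configured suites depend on.
required_protocols() {
    map_suites "$@" | awk '$2 != "unsupported" { print $2 }' | sort -u | paste -sd ' ' -
}

# Query the real OpenSSL build only when it is present on this host.
if [ -x "$OPENSSL" ]; then
    tls12=$("$OPENSSL" ciphers -s -tls1_2)
    tls13=$("$OPENSSL" ciphers -s -tls1_3)
    map_suites "$CONFIGURED" "$tls12" "$tls13"
    echo "TLS versions these suites need: $(required_protocols "$CONFIGURED" "$tls12" "$tls13")"
fi
```

Any suite reported as "unsupported" is in neither list and has to be removed or corrected; every TLS version in the final line has to be enabled for the full cipher string to be accepted.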
So, for example, to make the cipher suite "TLS_AES_256_GCM_SHA384" valid, enter the following in the "SSL/TLS Protocols" section: