Symptoms
You see an error when adding an SSL cipher suite such as TLS_AES_256_GCM_SHA384 to Apache.
When trying to save your changes in WHM » Service Configuration » Apache Configuration » Global Configuration, you see an error at the bottom of the next page before rebuilding and restarting Apache, for example:
The following settings are invalid and were rejected:
- sslciphersuite: TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
Description
This issue occurs because one or more of the cipher suites that you attempted to enable are not supported by the TLS version(s) that are enabled in the SSL/TLS Protocols setting on the same page. In the example above, TLS_AES_256_GCM_SHA384 is a TLS 1.3 cipher suite (the TLS 1.3 suites are the ones whose names start with TLS_), so it is only valid when TLSv1.3 is among the enabled protocols.
Workaround
Either enable the TLS version that supports the cipher suites, or remove the cipher suites that the enabled TLS versions do not support.
The following command lists the cipher suites that the server's OpenSSL supports for a given TLS version (here TLS 1.3):
[root@server]# /opt/cpanel/ea-openssl11/bin/openssl ciphers -s -tls1_3
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
Replace tls1_3 with the flag for the TLS version you want to check, for example the following for TLS 1.2:
/opt/cpanel/ea-openssl11/bin/openssl ciphers -s -tls1_2
For example, to make the cipher suite TLS_AES_256_GCM_SHA384 valid, enable TLS 1.3 alongside TLS 1.2 by entering the following in the SSL/TLS Protocols section of the same page:
+TLSv1.2 +TLSv1.3
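The following script is an added example and is not cPanel's own validator or part of the original article. It reproduces the check described above from the shell: it queries openssl ciphers -s for each enabled TLS version, unions the results, and reports every entry of an SSLCipherSuite value that none of the enabled versions supports, so you can find the offending entries before saving the WHM form. The path to the EA4 OpenSSL binary is taken from this page; the assumption is that any OpenSSL 1.1.1 or newer binary works if you override OPENSSL. The script name check_ciphers.sh and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not cPanel's own validator: report the entries of an Apache
# SSLCipherSuite string that OpenSSL would not support for the TLS versions
# enabled in the SSL/TLS Protocols setting.
#
# Assumption: OPENSSL points at an OpenSSL 1.1.1 or newer binary; the EA4 path
# named on this page is the default.
OPENSSL="${OPENSSL:-/opt/cpanel/ea-openssl11/bin/openssl}"

# supported_for tls1_2 tls1_3 ...
# Prints the colon-separated union of the cipher suites OpenSSL could use if
# each listed protocol were negotiated (the same query as
# "openssl ciphers -s -tls1_3"). Protocols the build lacks are skipped.
supported_for() {
    union=""
    for proto in "$@"; do
        list=$("$OPENSSL" ciphers -s "-$proto" 2>/dev/null) || continue
        union="${union:+$union:}$list"
    done
    printf '%s\n' "$union"
}

# invalid_entries SUITE SUPPORTED
# SUITE is the SSLCipherSuite value, SUPPORTED a colon-separated list of
# cipher names. Prints each entry of SUITE that is absent from SUPPORTED,
# one per line; prints nothing when every entry is valid.
invalid_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r name; do
        [ -n "$name" ] || continue
        case ":$2:" in
            *":$name:"*) ;;              # supported by an enabled TLS version
            *) printf '%s\n' "$name" ;;  # would be rejected
        esac
    done
}

# check_ciphersuite SUITE PROTO...
# Entries of SUITE that none of the listed protocols supports.
check_ciphersuite() {
    suite="$1"; shift
    invalid_entries "$suite" "$(supported_for "$@")"
}

# Usage: sh check_ciphers.sh '<SSLCipherSuite value>' tls1_2 tls1_3
if [ "$#" -ge 2 ]; then
    rejected=$(check_ciphersuite "$@")
    if [ -n "$rejected" ]; then
        echo "The following cipher suites are not valid for the enabled TLS versions:"
        printf '%s\n' "$rejected" | sed 's/^/  - /'
        exit 1
    fi
    echo "All cipher suites are valid for the enabled TLS versions."
fi
```

Run it with the cipher string from the error message and only tls1_2 to see TLS_AES_256_GCM_SHA384 reported, then with tls1_2 tls1_3 to see it pass. The check compares explicit OpenSSL cipher names only; if your SSLCipherSuite value uses aliases such as HIGH or !aNULL, expand it first with openssl ciphers -s -tls1_2 'HIGH:!aNULL' and check the expanded list.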