Question
I used an SSL server testing tool, and the report said my server does not support Forward Secrecy. How can I update my SSL Cipher Suite to support Forward Secrecy?
Answer
As described in the official Apache documentation, your server must support Forward Secrecy (also called Perfect Forward Secrecy) to ensure that, even if your server's private key is compromised, no prior communications are exposed.
Apache HTTP Server Project - SSL/TLS Strong Encryption: How-To
Generally, enabling Forward Secrecy is simply a matter of using an SSL/TLS Cipher Suite that supports it. The default Apache configuration for a cPanel server utilizes a Cipher Suite that supports Forward Secrecy. It is the same Cipher Suite provided in the official Apache documentation on the page I linked above.
However, older servers and servers that have been customized may no longer support Forward Secrecy. If you need to update your Apache configuration, you can do so via the interface in WHM at "Home / Service Configuration / Apache Configuration / Global Configuration."
cPanel Docs: Apache Global Configuration
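To see which suites in a cipher string actually provide Forward Secrecy, expand it with `openssl ciphers -v` and read the Kx= (key exchange) field of each line. The script below is an added example, not part of the original article or of cPanel's code; its function names are hypothetical and the sample output is constructed.

```python
import sys

# Constructed sample in the format printed by `openssl ciphers -v`
# (illustrative only, not taken from a real server).
SAMPLE = """\
TLS_AES_256_GCM_SHA384      TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES256-SHA         SSLv3   Kx=ECDH/RSA Au=ECDH Enc=AES(256)    Mac=SHA1
"""

# Kx labels that mean an ephemeral (EC)DH exchange. "any" is how OpenSSL labels
# TLS 1.3 suites, whose certificate-based handshakes always use ephemeral (EC)DHE.
EPHEMERAL_KX = {"ECDH", "DH", "ECDHEPSK", "DHEPSK", "any"}


def parse_ciphers_v(text):
    """Yield (suite_name, protocol, kx) for each line of `openssl ciphers -v` output."""
    for line in text.splitlines():
        fields = line.split()
        kx = next((f[3:] for f in fields if f.startswith("Kx=")), None)
        if len(fields) >= 3 and kx:
            yield fields[0], fields[1], kx


def has_forward_secrecy(kx):
    # OpenSSL 1.0.x prints static DH as "DH/RSA" or "ECDH/ECDSA". Those reuse a
    # long-term key, so they give no Forward Secrecy; neither does plain "RSA".
    return "/" not in kx and kx in EPHEMERAL_KX


def audit(text):
    """Return (forward_secret, not_forward_secret) suite names, in listed order."""
    fs, non_fs = [], []
    for name, _protocol, kx in parse_ciphers_v(text):
        (fs if has_forward_secrecy(kx) else non_fs).append(name)
    return fs, non_fs


if __name__ == "__main__":
    # Pipe real output in, or run with no input to use the constructed sample.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    fs, non_fs = audit(piped or SAMPLE)
    print("Forward Secrecy:", ", ".join(fs) or "none")
    print("No Forward Secrecy:", ", ".join(non_fs) or "none")
```

To check a real configuration, pipe the expanded cipher string into the script, for example `openssl ciphers -v 'YOUR_CIPHER_STRING' | python3 fs_audit.py`, where `fs_audit.py` is whatever name you saved it under.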
Additional Information
The following third-party resources provide great examples of SSL/TLS Cipher Suites that support Forward Secrecy:
Mozilla Wiki: Security/Server Side TLS
SSL Labs - SSL and TLS Deployment Best Practices: Use Secure Cipher Suites