SSL configuration security improvements
One of my users recently sent me the following email. I generally think of cPanel as being extremely battle-hardened, and in a constant process of fine-tuning security. Therefore I was surprised to see that cPanel systems only get a grade of "C" by default. I'm in general reluctant to take on the technical debt of averring from cPanel defaults. So my question is, should I take his message seriously enough to start digging in and making deep changes to get a better SSL grade? What do you guys do - live with the default setup, or tweak these things? Thanks.
[QUOTE]... one other thing I've been thinking about: improving the SSL/TLS at your server. For example, this is a great SSL configuration evaluation tool:
and he follows up with: [QUOTE]It does seem pretty easy to do... e.g., in Apache's httpd, the attached cookbook (which is quite good) suggests the following (p. 30):

    SSLHonorCipherOrder On
    SSLCipherSuite "kEECDH+ECDSA kEECDH kEDH HIGH +SHA +RC4 RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA"

which ensures that strong, fast ciphers are chosen first.
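The cookbook string quoted in the post above is just a set of OpenSSL aliases; what a server actually offers is whatever the local OpenSSL expands it to, in that order, and that expansion is what an online grader sees. The script below is an added example (it is not from the thread, the cookbook or cPanel): it expands a cipher string with the same OpenSSL parser mod_ssl uses, turns on the equivalent of `SSLHonorCipherOrder On`, and flags suites a current scanner would penalize. The `MODERN_CIPHERS` string, the `WEAK_MARKERS` list and the `audit` report format are this example's own choices. Note that the cookbook string deliberately admits RC4 (it predates RFC 7465, which prohibits RC4); on an OpenSSL build that still ships RC4, the audit will list those suites as weak, and on a build without RC4 they silently disappear from the expansion, which is exactly the kind of difference worth checking before trusting a pasted string.

```python
import ssl

# Cipher string from the cookbook quoted in the thread above, copied here so
# the script can expand it on the local OpenSSL (same text as in the post).
COOKBOOK_CIPHERS = (
    "kEECDH+ECDSA kEECDH kEDH HIGH +SHA +RC4 RC4 "
    "!aNULL !eNULL !LOW !3DES !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA"
)

# A forward-secrecy-only, AEAD-only string. This is the example's own
# assumption of a current baseline, not a value taken from the cookbook.
MODERN_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL"

# Substrings in an OpenSSL suite name that mark it as legacy or broken:
# anonymous key exchange (ADH/AECDH), NULL auth or encryption, export grade,
# RC4, (3)DES, and MD5 MACs. Chosen for this example.
WEAK_MARKERS = ("NULL", "ADH", "AECDH", "EXP", "RC4", "DES", "MD5")


def classify(suite_name):
    """Return 'weak' if the suite name carries a disallowed marker, else 'ok'."""
    upper = suite_name.upper()
    return "weak" if any(marker in upper for marker in WEAK_MARKERS) else "ok"


def expand_cipher_string(cipher_string):
    """Let the local OpenSSL expand a cipher string and return the suite names
    in the resulting priority order. This is the same parser mod_ssl hands
    SSLCipherSuite to; ssl.SSLError is raised when nothing matches, which is
    the failure httpd would report at startup."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Python equivalent of "SSLHonorCipherOrder On": the server's order wins.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(cipher_string)
    return [cipher["name"] for cipher in ctx.get_ciphers()]


def audit(cipher_string):
    """Expand the string and summarise what a grader would look at: how many
    suites are enabled, which one is preferred, which are legacy, and whether
    every suite provides forward secrecy (ECDHE/DHE, or a TLS 1.3 suite)."""
    names = expand_cipher_string(cipher_string)
    weak = [name for name in names if classify(name) == "weak"]
    return {
        "total": len(names),
        "first": names[0],
        "weak": weak,
        "forward_secrecy_only": all(
            name.startswith(("ECDHE-", "DHE-", "TLS_")) for name in names
        ),
    }


if __name__ == "__main__":
    for label, cipher_string in (("cookbook", COOKBOOK_CIPHERS),
                                 ("modern", MODERN_CIPHERS)):
        report = audit(cipher_string)
        print(f"{label}: {report['total']} suites, preferred {report['first']}, "
              f"forward secrecy only: {report['forward_secrecy_only']}")
        for name in report["weak"]:
            print(f"  legacy suite still enabled: {name}")
```

Run it on the host that will serve the site, because the expansion depends on that host's OpenSSL build, not on the string. The cipher order it prints is the order the server will prefer once `SSLHonorCipherOrder On` (or `OP_CIPHER_SERVER_PREFERENCE`) is set; without that option the client's preference decides, and the careful ordering in the string buys nothing.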
Hello :) I just wanted to note that it's possible to modify the default entry for "SSL Cipher Suite" via: "WHM Home » Service Configuration » Apache Configuration » Global Configuration". This thread may also be of interest: cPanel and OpenSSL 1.0.1c (or higher). Thank you.