
How to disable anonymous (insecure) suites ? Ref: SSLLABS

Comments

19 comments

  • cPanelMichael
    Hello :) You can browse to the following option in Web Host Manager: "WHM Home » Service Configuration » Apache Configuration » Global Configuration". Use the following cipher under "SSL Cipher Suite" to disable anonymous ciphers: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL
    Thank you.
    0
  • chuman
    Sir, thank you very, very much for your kind support. Now it's an A-. I can still achieve A+, but by enabling forward secrecy: "The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-". I found this topic
    0
  • cPanelMichael
    There is a feature request for this at: [url=http://features.cpanel.net/responses/perfect-forward-secrecy-ecdhe-rsa-in-whm-cpanel-login]Perfect Forward Secrecy (ECDHE_RSA) in WHM Cpanel login | cPanel Feature Requests[/url]
    However, in the meantime, some users report success using a custom workaround at the following third-party URL: [url=http://cpanelservermanagement.com/2014/06/12/perfect-forward-secrecy-with-apache-2-2-on-a-cpanel-server/]Perfect Forward Secrecy with Apache 2.2 on a cPanel Server | cPanel Server Management[/url]
    Thank you.
    0
  • chuman
    Thank you very much for the information Sir.
    0
  • MaraBlue
    [quote="cPanelMichael, post: 1710821"]Hello :) You can browse to the following option in Web Host Manager: "WHM Home » Service Configuration » Apache Configuration » Global Configuration". Use the following cipher under "SSL Cipher Suite" to disable anonymous ciphers: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL
    Thank you.[/quote]
    Michael, when I change the ciphersuite to this (copied exactly as above) I get the following error: The following settings are invalid and were rejected: * sslciphersuite: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL
    Has something changed in the last couple of months? cPanel v 11.44.1.18.
    0
  • cPanelMichael
    I have not been able to reproduce that error message. Do you have any other customizations to Apache? Thank you.
    0
  • MaraBlue
    It's a pretty standard, vanilla hosting install.
    0
  • cPanelMichael
    Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome. Thank you.
    0
  • goodmove
    [quote="cPanelMichael, post: 1710821"]"WHM Home » Service Configuration » Apache Configuration » Global Configuration". Use the following cipher under "SSL Cipher Suite" to disable anonymous ciphers: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL[/quote]

    Can this be replicated for other services such as cpsrvd, cpdavd and dovecot?
    0
  • cPanelMichael
    Please see the following document on how to update cipher protocols on other services: "How to Adjust Cipher Protocols". Additional discussions about this are found on the following thread: "Adjusting Cipher Protocols". Thank you.
    0
  • vlee
    After I searched Google for about an hour or so, I found this below for an SSL Cipher Suite. It works very well and I get an A+ on SSL LABS:
    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
    All welcome to use this.
    0
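Added example, not part of any post in this thread: a way to see what the two cipher strings quoted above actually enable before pasting them into "SSL Cipher Suite". It expands each string with the OpenSSL library linked into the local Python and sorts the TLS 1.2-and-earlier suites by key exchange; the function name `audit` is an assumption of this example, and the result reflects the local OpenSSL build, not necessarily the one Apache uses on the server.

```python
import ssl

# Cipher strings copied from the posts above.
WHM_STRING = "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL"
VLEE_STRING = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:"
    "AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:"
    "!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"
)


def audit(cipher_string):
    """Expand an OpenSSL cipher string and group the suites it enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    report = {"anonymous": [], "dhe": [], "ecdhe": [], "other": []}
    for suite in ctx.get_ciphers():
        # TLS 1.3 suites are not controlled by this cipher string; skip them.
        if suite.get("protocol") == "TLSv1.3":
            continue
        name, kea = suite["name"], suite.get("kea")
        # Anonymous suites (ADH/AECDH) have no server authentication.
        if suite.get("auth") == "auth-null":
            report["anonymous"].append(name)
        # Ephemeral (EC)DH key exchange is what provides forward secrecy.
        if kea == "kx-dhe":
            report["dhe"].append(name)
        elif kea == "kx-ecdhe":
            report["ecdhe"].append(name)
        else:
            report["other"].append(name)
    return report


if __name__ == "__main__":
    for label, text in (("WHM", WHM_STRING), ("vlee", VLEE_STRING)):
        counts = {group: len(names) for group, names in audit(text).items()}
        print(label, counts)
```

In the first string `!kEDH` removes every DHE suite, so ECDHE is the only forward-secret key exchange it can still offer.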
  • ispro
    [quote="vlee, post: 1764461"]After I searched Google for about an hour or so, I found this below for an SSL Cipher Suite. It works very well and I get an A+ on SSL LABS:
    ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
    All welcome to use this.[/quote]
    Thank you for sharing! Now I have an A- rating and the only thing missed is Forward Security: "The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-". How were you able to get A+ on a cPanel server? Thank you once more!
    0
  • vlee
    [quote="ispro, post: 1780211"]Thank you for sharing! Now I have an A- rating and the only thing missed is Forward Security: "The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-". How were you able to get A+ on a cPanel server? Thank you once more![/quote]
    Go to WHM Home » Service Configuration » Apache Configuration » Include Editor. Then, under "I wish to edit the Pre Main configuration include file for:", select "All Versions". Put this below in it:
        Header add Strict-Transport-Security "max-age=31536000"
        SSLHonorCipherOrder On
        SSLCompression off
    Then click on the Update button. That is it, and you should be able to get A+ now.
    0
  • ispro
    Yes, it works. Thank you for the help!
    0
  • garconcn
    [quote="vlee, post: 1780332"]Go to WHM Home » Service Configuration » Apache Configuration » Include Editor. Then, under "I wish to edit the Pre Main configuration include file for:", select "All Versions". Put this below in it:
        Header add Strict-Transport-Security "max-age=31536000"
        SSLHonorCipherOrder On
        SSLCompression off
    Then click on the Update button. That is it, and you should be able to get A+ now.[/quote]
    Thank you. Now I got A+ rating.
    0
  • Greyscout
    A+ for the first time! Awesome. Thank you vlee!
    0
  • autumnwalker123
    I followed the instructions here after updating my cPanel install and removed SSLHonorCipherOrder On SSLProtocol +All -SSLv2 -SSLv3 from my Apache Pre Main include; however, SSL Labs is still reporting the server is vulnerable to POODLE. Thoughts?
    0
  • cPanelMichael
    [quote]from my Apache Pre Main include; however, SSL Labs is still reporting the server is vulnerable to POODLE.[/quote]

    I've moved your post to this thread, so you can try some of the solutions here. Let us know if it does not help. Thank you.
    0
  • postcd
    Hello, I have WHM 11.50. In Apache configuration I have SSL cipher: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH (PCI recommended), SSL/TLS Protocols: All -SSLv2 -SSLv3 default, but when I check my site on it says: Protocols enabled: TLS1.2 TLS1.1 TLS1.0. Protocols not enabled: SSLv3 SSLv2. This topic was helpful; I used the cipher suite and Apache rules advised by member vlee. But I'm still getting these notices: Protocols not enabled: SSLv3 SSLv2
    0
