How to disable anonymous (insecure) suites? Ref: SSLLABS
I have installed an SSL certificate for cPanel/WHM. It's installed correctly; when checking at ssllabs.com/ssltest I get the following error:
This server supports anonymous (insecure) suites (see below for details). Grade set to F.
Kindly help me how to resolve this. Thank you in advance.
TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016) INSECURE 128
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018) INSECURE 128
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017) INSECURE 112
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019) INSECURE 256
Hello :) You can browse to the following option in Web Host Manager: "WHM Home » Service Configuration » Apache Configuration » Global Configuration". Use the following cipher under "SSL Cipher Suite" to disable anonymous ciphers:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL
Thank you.

There is a feature request for this at: [url=http://features.cpanel.net/responses/perfect-forward-secrecy-ecdhe-rsa-in-whm-cpanel-login]Perfect Forward Secrecy (ECDHE_RSA) in WHM Cpanel login | cPanel Feature Requests[/url]
However, in the meantime, some users report success using a custom workaround at the following third-party URL: [url=http://cpanelservermanagement.com/2014/06/12/perfect-forward-secrecy-with-apache-2-2-on-a-cpanel-server/]Perfect Forward Secrecy with Apache 2.2 on a cPanel Server | cPanel Server Management[/url]
Thank you.

Thank you very much for the information Sir.

[quote="cPanelMichael, post: 1710821"]Hello :) You can browse to the following option in Web Host Manager: "WHM Home » Service Configuration » Apache Configuration » Global Configuration". Use the following cipher under "SSL Cipher Suite" to disable anonymous ciphers:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL
Thank you.[/quote]
Michael, when I change the ciphersuite to this (copied exactly as above) I get the following error:
The following settings are invalid and were rejected:
* sslciphersuite: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL
Has something changed in the last couple of months? cPanel v 11.44.1.18

I have not been able to reproduce that error message. Do you have any other customizations to Apache? Thank you.

It's a pretty standard, vanilla hosting install.

Feel free to open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome. Thank you.

[quote="cPanelMichael, post: 1710821"]"WHM Home » Service Configuration » Apache Configuration » Global Configuration". Use the following cipher under "SSL Cipher Suite" to disable anonymous ciphers:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL[/quote]
Can this be replicated for other services such as cpsrvd, cpdavd and dovecot?

Please see the following document on how to update cipher protocols on other services: How to Adjust Cipher Protocols. Additional discussions about this are found on the following thread: Adjusting Cipher Protocols. Thank you.

After I searched Google for about an hour or so I found this below for an SSL Cipher Suite. It works very well and I get an A+ on SSL Labs:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
All welcome to use this.
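
A local check for the cipher strings posted in this thread, added here as an example and not part of any poster's message: it expands a string with the OpenSSL build linked into Python and flags anonymous (Au=None), RC4 and null-encryption suites before the string goes into WHM. The function names and the sample description line are constructed for illustration, and the result reflects the local OpenSSL, which can differ from the server's.

```python
import re
import ssl

# OpenSSL describes each suite with fields such as Kx=, Au=, Enc=, Mac=.
FIELD = re.compile(r"(Kx|Au|Enc|Mac)=(\S+)")

# Constructed sample line for an anonymous suite (same form as `openssl ciphers -v`).
SAMPLE_ANON = "AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1"

# Cipher string quoted from the thread (the one reported to score A+).
THREAD_STRING = ":".join([
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256",
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA",
    "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA",
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256",
    "AES256-SHA:AES128-SHA:DES-CBC3-SHA",
    "HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4",
])

def classify(description):
    """Return the findings for one OpenSSL cipher description line."""
    f = dict(FIELD.findall(description))
    findings = set()
    if f.get("Au") == "None":
        findings.add("anonymous")        # no server authentication (aNULL)
    if f.get("Enc", "").startswith("RC4"):
        findings.add("rc4")
    if f.get("Enc", "").startswith("None"):
        findings.add("no-encryption")    # eNULL
    # Ephemeral, authenticated key exchange; "any" is how TLS 1.3 suites appear.
    if f.get("Kx") in {"ECDH", "DH", "any"} and "anonymous" not in findings:
        findings.add("forward-secret")
    return findings

def audit(cipher_string):
    """Expand cipher_string locally and group suite names by finding."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)       # raises ssl.SSLError if nothing matches
    report = {"anonymous": [], "rc4": [], "no-encryption": [], "forward-secret": []}
    for suite in ctx.get_ciphers():
        for finding in classify(suite["description"]):
            report[finding].append(suite["name"])
    return report

if __name__ == "__main__":
    for finding, names in audit(THREAD_STRING).items():
        print(f"{finding}: {len(names)} suite(s)")
```

A non-empty `anonymous` list corresponds to the condition SSL Labs grades F in the first post.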
[quote="vlee, post: 1764461"]After I searched Google for about an hour or so I found this below for an SSL Cipher Suite. It works very well and I get an A+ on SSL Labs:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
All welcome to use this.[/quote]
Thank you for sharing! Now I have an A- rating and the only thing missed is Forward Security: "The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-". How were you able to get A+ on a cPanel server? Thank you once more!

[quote="ispro, post: 1780211"]Thank you for sharing! Now I have an A- rating and the only thing missed is Forward Security: "The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-". How were you able to get A+ on a cPanel server? Thank you once more![/quote]
Go to WHM Home » Service Configuration » Apache Configuration » Include Editor. Then in "I wish to edit the Pre Main configuration include file for:" select All Versions. Put this below in it:
Header add Strict-Transport-Security "max-age=31536000"
SSLHonorCipherOrder On
SSLCompression off
Then click on the Update button. That is it, and you should be able to get A+ now.

Yes, it works. Thank you for the help!

[quote="vlee, post: 1780332"]Go to WHM Home » Service Configuration » Apache Configuration » Include Editor. Then in "I wish to edit the Pre Main configuration include file for:" select All Versions. Put this below in it:
Header add Strict-Transport-Security "max-age=31536000"
SSLHonorCipherOrder On
SSLCompression off
Then click on the Update button. That is it, and you should be able to get A+ now.[/quote]
Thank you. Now I got an A+ rating.

A+ for the first time! Awesome. Thank you vlee!

I followed the instructions here after updating my cPanel install and removed SSLHonorCipherOrder On SSLProtocol +All -SSLv2 -SSLv3 from my Apache Pre Main include; however, SSL Labs is still reporting the server is vulnerable to POODLE. Thoughts?

I've moved your post to this thread, so you can try some of the solutions here. Let us know if it does not help. Thank you.

Hello, I have WHM 11.50. In Apache configuration I have SSL cipher: ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH (PCI recommended) SSL/TLS Protocols: All -SSLv2 -SSLv3 default, but when I check my site on it says: Protocols enabled: TLS1.2 TLS1.1 TLS1.0 Protocols not enabled: SSLv3 SSLv2. This topic was helpful; I used the cipher suite and Apache rules advised by member vlee. But I'm still getting these notices: Protocols not enabled: SSLv3 SSLv2