SSL Cipher Suite
Hello
I have installed a valid SSL certificate on my server and it works fine.
One thing that puzzles me is that I have tweaked the SSL Cipher Suite under cPanel Web Services Configuration to allow 256-bit encryption, and Google Chrome confirms this was successful.
However, when I use the same cipher suite in Apache Configuration > Global Configuration > SSL Cipher Suite, the websites show as 128-bit encryption.
Why is cPanel allowing a 256-bit encryption level for the software itself but not for the websites hosted by it?
The cipher I'm using is...
EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
cPanel/WHM Version: 11.44.1 (build 17)
Any ideas on how I can fix this?
Kind Regards
David
Hello :) Could you open a support ticket using the link in my signature so we can take a closer look? You can post the ticket number here so we can update this thread with the outcome. Thank you.
A support ticket has been raised and the ticket number is 5367565!
To update, the user was advised to add the following entry in the /usr/local/apache/conf/includes/pre_virtualhost_2.conf file before restarting Apache:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
Thank you.
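The reason the sites negotiated 128-bit while the string already contains 256-bit suites is the selection rule that SSLHonorCipherOrder switches: with it off, the client's preference order decides; with it on, the server's order decides. The Python script below is an added example (not from the thread, cPanel or Apache): it expands the original poster's cipher string with the local OpenSSL and models both selection rules; the client preference list is constructed for illustration, not captured from a real browser.

```python
import ssl

# Cipher string from the first post of the thread.
SERVER_CIPHER_STRING = ("EECDH+AES:EDH+AES:-SHA1:EECDH+RC4:EDH+RC4:RC4-SHA:"
                        "EECDH+AES256:EDH+AES256:AES256-SHA:"
                        "!aNULL:!eNULL:!EXP:!LOW:!MD5")

# Constructed client preference list (an assumption, not a real browser
# capture): AES-128-GCM listed first, as many browsers of that era did.
CLIENT_PREFERENCE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA",
]


def expand_cipher_string(cipher_string):
    """Ask the local OpenSSL which suites an SSLCipherSuite string enables.
    Returns [(suite name, symmetric strength in bits)] in server preference
    order; TLS 1.3 suites are dropped since SSLCipherSuite does not govern them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["strength_bits"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def negotiate(server_order, client_order, honor_server_order):
    """Model suite selection. SSLHonorCipherOrder on: first server suite the
    client also offers wins. Off: first client suite the server supports wins.
    Returns None when the two lists share no suite (handshake failure)."""
    if honor_server_order:
        return next((s for s in server_order if s in client_order), None)
    return next((c for c in client_order if c in server_order), None)


def strength_of(suites, name):
    """Look up the symmetric key strength of a suite in an expanded list."""
    return dict(suites).get(name)


if __name__ == "__main__":
    suites = expand_cipher_string(SERVER_CIPHER_STRING)
    names = [n for n, _ in suites]
    for honor in (False, True):
        chosen = negotiate(names, CLIENT_PREFERENCE, honor)
        print(f"SSLHonorCipherOrder {'on' if honor else 'off'}: "
              f"{chosen} ({strength_of(suites, chosen)}-bit)")
```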
Just wondering. Is there a reason that cPanel doesn't include a cipher that can be selected to support the full 256-bit encryption in many SSL certificates? Why is the default at 128-bit? Thanks David for supplying your string. I've stolen it and tried it out, and all certificates are now running at 256-bit strength. ;) But, what am I missing? Why isn't support for higher encryption more common amongst web hosts? Are there any consequences for upgrading the ciphers to be 256-bit compatible? Is it more of a speed issue? Perhaps device incompatibilities or something? Many thanks! Kuri
[quote="Kurieuo, post: 1729702"]But, what am I missing? Why isn't support for higher encryption more common amongst web hosts? Are there any consequences for upgrading the ciphers to be 256-bit compatible? Is it more of a speed issue? Perhaps device incompatibilities or something?[/quote]
This type of discussion is better suited towards our feature request system. Feel free to submit a feature request for native support or the default enabling of this option: Submit A Feature Request. Thank you.
[quote="cPanelMichael, post: 1730202"]This type of discussion is better suited towards our feature request system. Feel free to submit a feature request for native support or the default enabling of this option: Submit A Feature Request. Thank you.[/quote]
For anyone who wants to vote it in: - Removed -
There are several existing Feature Requests here you might like to sign onto:
Strengthen Apache SSL cipher for PCI compliance - cPanel Feature Requests
Perfect Forward Secrecy (ECDHE_RSA) in WHM Cpanel login - cPanel Feature Requests
Your ticket doesn't add in support for 256-bit encryption though?
[quote="Kurieuo, post: 1730541"]Your ticket doesn't add in support for 256-bit encryption though?[/quote]
Never mind, I now realise that cipher availability depends upon OS and OpenSSL versions. My CloudLinux 5.1 with v0.9.8 just doesn't seem to pick up 256-bit encryption with the default cipher suite string. Sadly my versions also mean no TLS 1.1/1.2.
This is the cipher I am using as of June 25th 2015 and it gives me A+:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!DH:!MD5:!PSK:!RC4
Information for everyone. Be careful when using custom ciphers for SSL, especially when using DNS Only servers, because some cipher lists can cause more problems than they are worth. For Web Servers and DNS Only Servers you need to make sure you have a reverse trust relationship between them. Some cipher lists will cause you more problems than they are worth, which I found out about 3 days ago when I noticed that my DNS Only Servers could not connect to the Web Servers because I had the cipher below on my web servers.
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
With the great work from Tristan and the rest of cPanel support who worked on the issue, we were able to find out what the cause of the issue was: the cipher list above does not work when using DNS Only Servers. So I made a new cipher list based on the default cipher in cPanel, and Tristan from cPanel tested it to make sure it worked for Web Servers and DNS Only Servers, and it works fine with no issues. So feel free to use the cipher list below.
ALL:!ADH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
I've tried to use your list and it comes back as invalid.
Could you provide more details about the specific error message you receive, and the method you used to update it? Thank you.
[quote]Information for everyone. With the great work from Tristan and the rest of cPanel support who worked on the issue, we were able to find out what the cause of the issue was: the cipher list above does not work when using DNS Only Servers. So I made a new cipher list based on the default cipher in cPanel, and Tristan from cPanel tested it to make sure it worked for Web Servers and DNS Only Servers, and it works fine with no issues. So feel free to use the cipher list below.
ALL:!ADH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP[/quote]
How did you change this on the DNS only server? I see no Apache options in the GUI, and the correct Apache config file is difficult to locate as they are scattered all over the OS.
Everything is handled on the Web Servers. The problem was that when the Web Servers and DNS Only servers were communicating with each other, there were trust issues due to the cipher list on the Web Servers. I hope this helps.