Transport Layer Security (TLS), and it’s older brother Secure Socket Layer (SSL) are cryptographic protocols that clients and servers use for secure communication over the Internet. Today’s industry standards, and really just common sense, strongly encourage the use of cryptography. This is especially important if you’re running a webshop or any kind of site that accepts credit card payments, as your site and server will have to be PCI compliant. In this article, we’ll see how to set up TLS protocols and ciphers for various services.

A FOREWORD

Luckily, cPanel is keeping up with industry standards. In version 72, they removed support for SSLv2, SSLv3 and TLSv1.0, with only TLSv1.2 being enabled by default. If you keep you system up to date, chances are high you won’t need to manually configure anything, except in the case you need backwards compatibility for older versions of web browsers and mail clients.

The services we’ll set up here use OpenSSL to provide both the protocols and ciphers that will be in use. Hence, if you’re configuring TLS manually, you’ll probably have to configure both.

APACHE (HTTPD SERVICE)

To configure TLS for Apache, i.e. your web server, go to WHM > Home > Service Configuration > Apache Configuration > Global Configuration. The protocol and cipher settings will be the first two in that interface:

This interface accepts a protocol string such as All -SSLv2 -SSLv3 . If you need to enable TLSv1.1, add either:

or

Setting up the cipher suite is where it gets tricky. On versions 68 and above, cPanel uses the following cipher suite for it’s default:

This should work fine for TLS 1.1 and 1.2, and is designed for more compatibility than security, but if you need to edit this, here are some general rules:

Usually, the client’s preference will be used when choosing the protocol and cipher that will be used when establishing a secure connection. If you want to use the server’s preference, add the following lines in /usr/local/apache/conf/includes/pre_virtualhost_global.conf  via CLI, or in Home > Service Configuration > Apache Configuration > Include Editor > Pre VirtualHost Include:

If you edited this file via CLI, you’ll have to rebuild httpd.conf with /scripts/rebuildhttpdconf  and restart Apache with service httpd restart  for these changes to take effect.

Each cipher can have one of the following prefixes:

• none: add cipher to list
• +: move matching ciphers to the current location in list
• -: remove cipher from list (can be added later again)
• !: kill cipher from list completely (can not be added later again)

Be wary of using the ! Prefix, as you won’t be able to add that cipher at a later time. By using these prefixes you can get really granular in setting up the cipher suite, and combined with the SSLHonorCipherOrder you can ensure the server will always use the strongest available cipher.

The following ciphjer suite list might be more secure than the default one:

but it’s possible you’ll have to play around with this to get the optimal amount of security vs backwards compatibility, that A score on Qualys, or to pass your PCI compliance scans.

EXIM (THE MAIL TRANSFER AGENT)

If you’re running a mail server, you’ll probably want all the mail clients to connect to it securely. The first thing you need to do is go to Home > Service Configuration > Exim Configuration Manager > Security tab, and turn on the option called Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server . This option will prevent non-secure connections.

As for the protocol setup, on versions 68 and above, the default setting is +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 so feel free to leave it at that. If you do need TLS 1.1 enabled, change the setting to