

Overview

Most cPanel & WHM-managed services use OpenSSL to provide secure connections between client software and the server.

About OpenSSL

Note:

cPanel & WHM does not provide OpenSSL. cPanel & WHM uses the version of OpenSSL that the base operating system provides.

OpenSSL defaults to settings that maximize compatibility at the expense of security. OpenSSL allows two primary settings: ciphers and protocols.

  • A cipher refers to a specific encryption algorithm. This setting allows the user to enable or disable ciphers individually or by category.
  • A protocol refers to the way in which the system uses ciphers. This setting allows the user to enable or disable individual protocols or categories of protocols.

Most attacks against SSL modify data as it travels between the client and the server, in order to target weaknesses in specific ciphers. For example, the POODLE attack (CVE-2014-3566) targets weaknesses in the SSLv3 protocol.

cPanel & WHM cipher settings

By default, cPanel & WHM uses the following cipher list for web services:

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

Note:

If you wish to allow mail users to connect to your server with Microsoft Outlook® 2007 on Windows XP®, the following cipher list will allow them to connect:

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

Important:

Microsoft no longer supports Windows XP or provides security updates for that operating system. We strongly recommend that your customers upgrade their operating systems to a supported and secure version as soon as possible.

By default, cPanel & WHM uses the following cipher list for web services:

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

By default, cPanel & WHM uses the following cipher list for web services:

ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
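The cipher lists above differ mainly in whether they admit static-RSA key exchange and 3DES (DES-CBC3) suites for the sake of old clients. The following added example (not cPanel's code) parses an OpenSSL-style cipher string and reports those properties so an administrator can see what a compatibility list gives up before applying it in WHM. The sample lists are the page's default web-services list and a constructed, shortened form of the Outlook 2007 / Windows XP list; classification is by suite-name components only and does not consult the running OpenSSL build.

```python
"""Static audit of an OpenSSL-style cipher string.

Added example, not cPanel's code: it splits a ':'-separated cipher list,
classifies each suite by its OpenSSL name components, and reports the
properties an administrator cares about (forward secrecy, AEAD, 3DES).
"""
from dataclasses import dataclass

# Sample: the default web-services cipher list from this page.
DEFAULT_WEB = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)

# Constructed sample: a shortened form of the Outlook 2007 / Windows XP list.
XP_COMPAT = (
    "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:AES128-SHA:DES-CBC3-SHA:!DSS"
)


@dataclass
class Suite:
    name: str
    forward_secrecy: bool   # ECDHE, DHE or EDH key exchange
    aead: bool              # GCM or CHACHA20-POLY1305 record protection
    triple_des: bool        # DES-CBC3 bulk cipher


def classify(name):
    """Classify one suite purely from its OpenSSL name components."""
    parts = name.split("-")
    return Suite(
        name=name,
        forward_secrecy=parts[0] in ("ECDHE", "DHE", "EDH"),
        aead="GCM" in parts or "POLY1305" in parts,
        triple_des="CBC3" in parts,
    )


def parse_cipher_string(spec):
    """Split a cipher string into (enabled suites, excluded tokens).

    Tokens prefixed with '!' use OpenSSL's permanent-exclusion syntax and
    are returned separately rather than being treated as suites.
    """
    suites, excluded = [], []
    for token in spec.split(":"):
        token = token.strip()
        if not token:
            continue
        if token.startswith("!"):
            excluded.append(token[1:])
        else:
            suites.append(classify(token))
    return suites, excluded


def audit(spec):
    """Summarize the weak spots of a cipher list as a dict."""
    suites, excluded = parse_cipher_string(spec)
    return {
        "total": len(suites),
        "no_forward_secrecy": [s.name for s in suites if not s.forward_secrecy],
        "triple_des": [s.name for s in suites if s.triple_des],
        "non_aead": [s.name for s in suites if not s.aead],
        "excluded": excluded,
    }


if __name__ == "__main__":
    for label, spec in (("default", DEFAULT_WEB), ("xp-compat", XP_COMPAT)):
        print(label, audit(spec))
```

Running it shows that the default list contains only forward-secret suites and no 3DES, while the compatibility list adds static-RSA and DES-CBC3 suites, which is exactly the trade-off the "Important" note above warns about.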

cPanel & WHM configures most services to use secure protocol settings in builds 11.44.1.19, 11.46.0.9, and newer. If you need to configure the SSL protocol setting, we strongly recommend that you update to these supported builds. Then, confirm the protocol settings on a service-by-service basis. The current default protocol string is equivalent to the following example:

All -SSLv2 -SSLv3 

If your configuration cannot use the default settings for the SSL protocol and cipher lists, you can override them on a service-by-service basis.

Important:

  • We strongly recommend that you enable Transport Layer Security (TLS) protocol version 1.2 on your server. TLSv1.0 is enabled on many servers, which causes the servers to fail PCI Compliance scans.
    • The TLSv1.1 and TLSv1.2 protocols function correctly in modern web browsers, such as the latest versions of Mozilla Firefox, but do not function correctly in older web browsers.
  • We also strongly recommend that you do not adjust the cipher and protocol settings for the Exim and Dovecot services if you use Windows® 7 or MacOS® version 10.8 and earlier. Servers on these operating systems fail PCI compliance scans because of unpatched security vulnerabilities that exist in the following email clients:
    • Outlook® 2007
    • Outlook 2010
    • MacMail®

Note:

Some services use the string SSLv23 to represent what other services call ALL for the protocol list. The example settings below demonstrate this difference on a service-by-service basis.

Service / Cipher / Protocol

cPanel & WHM (cpsrvd)

  Cipher:
  • Adjust the cipher string for the cPanel, WHM, and Webmail interfaces in WHM's cPanel Web Services Configuration interface (WHM >> Home >> Service Configuration >> cPanel Web Services Configuration).

  Protocol:
  • Adjust the protocol string for the cPanel, WHM, and Webmail interfaces in WHM's cPanel Web Services Configuration interface (WHM >> Home >> Service Configuration >> cPanel Web Services Configuration).
  • This interface uses the SSLv23:!SSLv2:!SSLv3 style protocol syntax.

    Note:

    To enable the TLSv1.1 and TLSv1.2 protocols for cPanel & WHM on your server, add the :!TLSv1 string to the end of the protocol string.

Web Disk (cpdavd)

  Cipher:
  • Adjust the cipher string for the Web Disk feature in WHM's cPanel Web Disk Configuration interface (WHM >> Home >> Service Configuration >> cPanel Web Disk Configuration).

  Protocol:
  • Adjust the protocol string for the Web Disk feature in WHM's cPanel Web Disk Configuration interface (WHM >> Home >> Service Configuration >> cPanel Web Disk Configuration).
  • This interface uses the SSLv23:!SSLv2:!SSLv3 style protocol syntax.

    Note:

    To enable the TLSv1.1 and TLSv1.2 protocols for Web Disk on your server, add the :!TLSv1 string to the end of the protocol string.

Courier

  Cipher:
  • Adjust the cipher string for Courier mail services (IMAP or POP3) in WHM's Mailserver Configuration interface (WHM >> Home >> Service Configuration >> Mailserver Configuration).

    Note:

    This interface provides separate settings for IMAP and POP3.

  Protocol:
  • Adjust the protocol string for Courier mail services (IMAP or POP3) in WHM's Mailserver Configuration interface (WHM >> Home >> Service Configuration >> Mailserver Configuration).
  • Due to limitations in Courier, this interface only allows you to toggle between all protocols or a single protocol.

    Note:

    This interface provides separate settings for IMAP and POP3.

Dovecot

  Cipher:
  • Adjust the cipher string for Dovecot mail services (IMAP or POP3) in WHM's Mailserver Configuration interface (WHM >> Home >> Service Configuration >> Mailserver Configuration).

  Protocol:
  • Adjust the protocol string for Dovecot mail services (IMAP or POP3) in WHM's Mailserver Configuration interface (WHM >> Home >> Service Configuration >> Mailserver Configuration).
  • This interface accepts a string that implies ALL by default (for example, !SSLv2 !SSLv3).

Apache

  Cipher:
  • Adjust Apache's cipher string in WHM's Global Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration >> Global Configuration).

  Protocol:
  • Adjust Apache's protocol string in the Global Configuration section of WHM's Apache Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration >> Global Configuration).
  • This interface accepts a protocol string such as All -SSLv2 -SSLv3.

    Note:

    To enable the TLSv1.1 and TLSv1.2 protocols for Apache on your server, add the -TLSv1 string to the end of the protocol string.

Exim

  Cipher:
  • Basic control over Exim's cipher list is available as a toggle in the Basic Editor section of the Exim Configuration Manager interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager).
  • For complete control over Exim's cipher list, use the Advanced Editor section of the Exim Configuration Manager interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager).
  • The cipher setting is tls_require_ciphers.

  Protocol:
  • Adjust Exim's protocol string in the Advanced Editor section of the Exim Configuration Manager interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager).
  • The protocol setting is openssl_options. It accepts Exim-specific settings (for example, +no_sslv2 +no_sslv3).

    Note:

    To enable the TLSv1.1 and TLSv1.2 protocols for Exim on your server, add the +no_tlsv1 string to the end of the protocol string.
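Because each service spells the same intent differently (All -SSLv2 -SSLv3 for Apache, SSLv23:!SSLv2:!SSLv3 for cpsrvd and cpdavd, !SSLv2 !SSLv3 with an implied ALL for Dovecot, +no_sslv2 +no_sslv3 for Exim, and an all-or-one toggle for Courier), it is easy to end up with TLSv1.0 still enabled on one service after disabling it on the others. The following added example (not cPanel's code) normalizes each syntax into the set of protocols it enables so the services can be compared before a PCI scan. It assumes a protocol universe limited to the versions this page names, and the Exim option names tlsv1_1 and tlsv1_2 are assumed from OpenSSL's SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 option names rather than taken from the page.

```python
"""Normalize per-service protocol strings into the enabled protocol set.

Added example, not cPanel's code. Given the service name and the string
typed into its WHM interface, return which protocols remain enabled.
"""

# Protocol universe limited to the versions named on this page.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

# Exim openssl_options "+no_<name>" suffixes -> protocol names.
# Assumed mapping, following OpenSSL's SSL_OP_NO_* option names.
EXIM_NAMES = {
    "sslv2": "SSLv2",
    "sslv3": "SSLv3",
    "tlsv1": "TLSv1",
    "tlsv1_1": "TLSv1.1",
    "tlsv1_2": "TLSv1.2",
}


def _canon(name):
    """Case-insensitive lookup of a protocol token in PROTOCOLS."""
    for proto in PROTOCOLS:
        if proto.lower() == name.lower():
            return proto
    raise ValueError(f"unknown protocol token: {name!r}")


def enabled_protocols(service, spec):
    """Return the set of protocols that `spec` enables for `service`."""
    if service == "exim":
        # openssl_options: "+no_<proto>" disables; everything else stays on.
        enabled = set(PROTOCOLS)
        for tok in spec.split():
            if tok.startswith("+no_"):
                enabled.discard(EXIM_NAMES[tok[4:].lower()])
        return enabled

    if service == "courier":
        # Courier only toggles between all protocols and a single one.
        return set(PROTOCOLS) if spec.strip().lower() == "all" else {_canon(spec.strip())}

    enabled = set()
    if service in ("cpsrvd", "cpdavd"):
        tokens, all_word, neg = spec.split(":"), "sslv23", "!"
    elif service == "apache":
        tokens, all_word, neg = spec.split(), "all", "-"
    elif service == "dovecot":
        tokens, all_word, neg = spec.split(), "all", "!"
        enabled = set(PROTOCOLS)      # Dovecot implies ALL when unstated
    else:
        raise ValueError(f"unknown service: {service!r}")

    for tok in tokens:
        tok = tok.strip()
        if not tok:
            continue
        if tok.lower() == all_word:
            enabled = set(PROTOCOLS)
        elif tok.startswith(neg):
            enabled.discard(_canon(tok[1:]))
        else:
            enabled.add(_canon(tok.lstrip("+")))
    return enabled


def legacy_free(service, spec):
    """True when SSLv2, SSLv3 and TLSv1 are all disabled, per the note above."""
    return enabled_protocols(service, spec).isdisjoint({"SSLv2", "SSLv3", "TLSv1"})


if __name__ == "__main__":
    # Constructed sample configuration: the page's example strings per service.
    config = {
        "cpsrvd": "SSLv23:!SSLv2:!SSLv3:!TLSv1",
        "cpdavd": "SSLv23:!SSLv2:!SSLv3",
        "apache": "All -SSLv2 -SSLv3 -TLSv1",
        "dovecot": "!SSLv2 !SSLv3",
        "exim": "+no_sslv2 +no_sslv3 +no_tlsv1",
        "courier": "TLSv1.2",
    }
    for svc, spec in config.items():
        print(f"{svc:8} {sorted(enabled_protocols(svc, spec))} legacy_free={legacy_free(svc, spec)}")
```

In the sample configuration, cpdavd and Dovecot still enable TLSv1 while the other services do not; that is the per-service inconsistency the page's note about SSLv23 versus ALL is warning about.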


Additional documentation