How to Update Ciphers and TLS Protocols

Valid for versions 82 through the latest version

Version:

82


Last modified: June 30, 2021

Overview

Most cPanel & WHM-managed services use OpenSSL to provide secure connections between client software and the server. This document lists the interfaces in cPanel & WHM in which you can adjust OpenSSL’s protocols and cipher stacks for those services.

About OpenSSL

Note:

cPanel & WHM uses the base operating system-provided version of OpenSSL.

OpenSSL defaults to settings that maximize compatibility at the expense of security. OpenSSL allows two primary settings: ciphers and protocols.

  • A cipher refers to a specific encryption algorithm. This setting allows the user to enable or disable ciphers individually or by category.
  • A protocol refers to the way in which the system uses ciphers. This setting allows the user to enable or disable individual protocols or categories of protocols.

Most attacks against SSL modify data as it travels between the client and the server in order to target weaknesses in specific ciphers. For example, the POODLE attack (CVE-2014-3566) targets weaknesses in the SSLv3 protocol.

Cipher settings

Important:
  • cPanel & WHM supports Transport Layer Security (TLS) protocol version 1.2 and Transport Layer Security (TLS) protocol version 1.3:

    • Beginning in cPanel and WHM version 86, cPanel & WHM only supports TLSv1.2 or newer. The system also enables TLSv1.2 by default.
    • Not all internet browsers or clients will support TLSv1.3, which requires OpenSSL 1.1.1 or higher.
  • We strongly recommend that you do not adjust the cipher and protocol settings for the Exim and Dovecot services if you use Windows® 7 or MacOS® version 10.8 and earlier. Servers on these operating system fail PCI compliance scans because of unpatched security vulnerabilities that exist in the following mail clients:

    • Outlook® 2007
    • Outlook 2010
    • MacMail®

You can find cPanel & WHM’s default cipher settings and SSL protocols in WHM’s cPanel Web Services Configuration interface (WHM >> Home >> Service Configuration >> cPanel Web Services Configuration). If your configuration cannot use the default settings for the SSL protocol and cipher lists, you can override them on a service-by-service basis.

Configure service ciphers and protocols

The following section lists the interfaces and options in cPanel & WHM that allow you to configure the protocol and cipher lists for services that use OpenSSL. For information about a specific service, read our Service Manager documentation.

Note:

Some services use the string SSLv23 to represent what other services call ALL for the protocol list. The example settings below demonstrate this difference on a service-by-service basis.

cPanel, WHM, and Webmail

You can configure the cPanel, WHM, and Webmail interfaces’ (cpsrvd) service cipher and protocols lists with WHM’s cPanel Web Services Configuration interface (WHM >> Home >> Service Configuration >> cPanel Web Services Configuration).

This interface uses the SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1 style protocol syntax.

Web Disk

You can configure the Web Disk service (cpdavd) cipher and protocol lists with WHM’s cPanel Web Disk Configuration interface (WHM >> Home >> Service Configuration >> cPanel Web Disk Configuration).

This interface uses the SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1 style protocol syntax.

Dovecot

You can configure the Dovecot mail service (imap and pop3) cipher and protocol lists with WHM’s Mailserver Configuration interface (WHM >> Home >> Service Configuration >> Mailserver Configuration).

For protocols, this interface accepts a string that implies ALL by default. For example, the !SSLv2 !SSLv3 string.

Apache

You can configure the Apache® web service (httpd) cipher and protocol WHM’s Global Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration >> Global Configuration).

This interface accepts a protocol that resembles the All -SSLv2 -SSLv3 string.

Note:

If the selected SSL protocol or the version of OpenSSL that EasyApache 4 uses does not support a cipher, the system will display an error message.

Exim

You can configure the Exim service (exim) cipher and protocol lists with the Basic Editor section of the Exim Configuration Manager interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager).

  • For ciphers, use the SSL/TLS Cipher Suite List text box.
  • For protocols, use the Options for OpenSSL text box. The protocol list accepts Exim-specific settings. For example, +no_sslv2 +no_sslv3.

Additional Documentation