How to Update Ciphers and TLS Protocols
Last modified: December 17, 2020
Overview
Most cPanel & WHM-managed services use OpenSSL to provide secure connections between client software and the server. This document lists the interfaces in cPanel & WHM in which you can adjust OpenSSL’s protocols and cipher stacks for those services.
About OpenSSL
OpenSSL defaults to settings that maximize compatibility at the expense of security. OpenSSL allows two primary settings: ciphers and protocols.
In an OpenSSL cipher list, a cipher refers to a cipher suite: the key-exchange, authentication, bulk-encryption, and integrity algorithms that a connection uses. This setting allows the user to enable or disable ciphers individually or by category (for example, by key-exchange method or by hash).
A protocol refers to the way in which the system uses ciphers. This setting allows the user to enable or disable individual protocols or categories of protocols.
Many attacks against SSL/TLS tamper with data as it travels between the client and the server in order to exploit a weakness in a specific protocol version or cipher suite. For example, the POODLE attack (CVE-2014-3566) exploits a padding-oracle weakness in how the SSLv3 protocol handles CBC-mode ciphers, which is why SSLv3 must stay disabled.
cPanel & WHM cipher settings
cPanel & WHM version 68 and newer
By default, cPanel & WHM uses the following cipher list for web services:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
If your configuration cannot use the default settings for the SSL protocol and cipher lists, you can override them on a service-by-service basis.
cPanel & WHM supports Transport Layer Security (TLS) protocol versions 1.2 and 1.3:
- Beginning in cPanel and WHM version 86, cPanel & WHM only supports TLSv1.2 or newer. The system also enables TLSv1.2 by default.
- In cPanel and WHM version 84 or earlier, cPanel & WHM strongly recommends that you enable TLSv1.2 on your server.
- Not all internet browsers or clients will support TLSv1.3, which requires OpenSSL 1.1.1 or higher.
We strongly recommend that you do not adjust the cipher and protocol settings for the Exim and Dovecot services if your users connect from Windows® 7 or macOS® version 10.8 and earlier. Servers that accommodate these operating systems fail PCI compliance scans because of unpatched security vulnerabilities in the following email clients:
- Outlook® 2007
- Outlook 2010
- MacMail®
cPanel & WHM version 66
By default, cPanel & WHM uses the following cipher list for web services:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
cPanel & WHM configures most services to use secure protocol settings in builds 11.44.1.19, 11.46.0.9, and newer. If you need to configure the SSL protocol setting, we strongly recommend that you update to these supported builds. Then, confirm the protocol settings on a service-by-service basis. The current default protocol string will resemble the following example:
All -SSLv2 -SSLv3
cPanel & WHM version 64 and earlier
By default, cPanel & WHM uses the following cipher list for web services:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
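To see what a cipher-list string like the ones above actually enables, it helps to resolve it the way OpenSSL does and then classify each suite. The following is an added example (not cPanel code) that parses the version 68+ default and the version 64-and-earlier default from this page, handling the !, - and + directives, and flags the suites a hardening review cares about: suites without forward secrecy, 3DES suites, and CBC suites that use an HMAC-SHA1 MAC. Keyword directives such as !DSS are matched only against the hyphenated components of explicit suite names, a simplification of OpenSSL's alias handling that is sufficient for the lists on this page; the constants and function names are this example's own.

```python
"""Audit an OpenSSL cipher-list string of the kind cPanel & WHM uses.

Added example, not cPanel code. Resolves explicit suite names plus the
!, - and + directives, then flags suites without forward secrecy, 3DES
suites, and CBC suites with an HMAC-SHA1 MAC. Keyword directives (such
as !DSS) are matched only against hyphenated components of explicit
suite names, a simplification of OpenSSL's alias handling.
"""

# Both strings are copied from the page: the version 68+ default and the
# version 64-and-earlier default cipher list for web services.
CIPHERS_V68 = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)
CIPHERS_V64 = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:"
    "EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)

# Key-exchange prefixes that provide forward secrecy (ephemeral DH / ECDH).
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def parse_cipher_list(cipher_string):
    """Resolve a colon-separated OpenSSL cipher string to an ordered suite list.

    '!X' kills matching suites permanently, '-X' removes suites seen so far,
    '+X' moves matching suites to the end, '@...' directives control ordering
    or security level and are ignored here because they do not change membership.
    """
    kept, killed = [], set()
    for tok in filter(None, cipher_string.split(":")):
        if tok.startswith("!"):
            killed.add(tok[1:])
        elif tok.startswith("-"):
            kept = [c for c in kept if tok[1:] not in c.split("-")]
        elif tok.startswith("+"):
            moved = [c for c in kept if tok[1:] in c.split("-")]
            kept = [c for c in kept if c not in moved] + moved
        elif tok.startswith("@"):
            continue
        elif tok not in kept:
            kept.append(tok)
    return [c for c in kept if not any(k in c.split("-") for k in killed)]


def classify(suite):
    """Derive the properties a hardening review cares about from the suite name."""
    parts = suite.split("-")
    aead = "GCM" in parts or ("CHACHA20" in parts and "POLY1305" in parts)
    return {
        "suite": suite,
        "forward_secrecy": suite.startswith(FS_PREFIXES),
        "aead": aead,
        "triple_des": "CBC3" in parts,
        # For AEAD suites the trailing hash is the PRF, not a MAC.
        "mac": "AEAD" if aead else parts[-1],
    }


def audit_cipher_list(cipher_string):
    """Return counts and the suites that fail each hardening check."""
    rows = [classify(s) for s in parse_cipher_list(cipher_string)]
    return {
        "suites": len(rows),
        "no_forward_secrecy": [r["suite"] for r in rows if not r["forward_secrecy"]],
        "triple_des": [r["suite"] for r in rows if r["triple_des"]],
        "cbc_sha1": [r["suite"] for r in rows if not r["aead"] and r["mac"] == "SHA"],
    }


if __name__ == "__main__":
    for label, value in (("version 68+", CIPHERS_V68), ("version 64", CIPHERS_V64)):
        report = audit_cipher_list(value)
        print(f"{label}: {report['suites']} suites")
        for key in ("no_forward_secrecy", "triple_des", "cbc_sha1"):
            print(f"  {key}: {', '.join(report[key]) or 'none'}")
```

Running this shows the difference between the two defaults concretely: the version 68+ list is eight AEAD suites, all with forward secrecy, while the older list also carries static-RSA suites, four 3DES suites and twelve CBC suites with SHA1 MACs. To confirm what the OpenSSL library linked into a given service actually resolves from a string, run `openssl ciphers -v 'STRING'` on that server; a suite the library does not support simply disappears from that output.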
cPanel & WHM configures most services to use secure protocol settings in builds 11.44.1.19, 11.46.0.9, and newer. If you need to configure the SSL protocol setting, we strongly recommend that you update to these supported builds. Then, confirm the protocol settings on a service-by-service basis. The current default protocol string will resemble the following example:
All -SSLv2 -SSLv3
Interfaces
Note: Some services use SSLv23 to represent what other services call ALL for the protocol list. The example settings below demonstrate this difference on a service-by-service basis.
The following section lists the interfaces and options in cPanel & WHM that allow you to configure the protocol and cipher lists for services that use OpenSSL:
cPanel & WHM (cpsrvd)
Cipher
Adjust the cipher string for the cPanel, WHM, and Webmail interfaces in WHM’s cPanel Web Services Configuration interface (WHM >> Home >> Service Configuration >> cPanel Web Services Configuration).
Protocol
Adjust the protocol string for the cPanel, WHM, and Webmail interfaces in WHM’s cPanel Web Services Configuration interface (WHM >> Home >> Service Configuration >> cPanel Web Services Configuration).
This interface uses the SSLv23:!SSLv2:!SSLv3 style protocol syntax.
Web Disk (cpdavd)
Cipher
Adjust the cipher string for the Web Disk feature in WHM’s cPanel Web Disk Configuration interface (WHM >> Home >> Service Configuration >> cPanel Web Disk Configuration).
Protocol
Adjust the protocol string for the Web Disk feature in WHM’s cPanel Web Disk Configuration interface (WHM >> Home >> Service Configuration >> cPanel Web Disk Configuration).
This interface uses the SSLv23:!SSLv2:!SSLv3 style protocol syntax.
Courier
Cipher
Adjust the cipher string for Courier mail services (IMAP or POP3) in WHM’s Mailserver Configuration interface (WHM >> Home >> Service Configuration >> Mailserver Configuration).
Protocol
Adjust the protocol string for Courier mail services (IMAP or POP3) in WHM’s Mailserver Configuration interface (WHM >> Home >> Service Configuration >> Mailserver Configuration).
Due to limitations in Courier, this interface only allows you to toggle between all protocols or a single protocol.
Dovecot
Cipher
Adjust the cipher string for Dovecot mail services (IMAP or POP3) in WHM’s Mailserver Configuration interface (WHM >> Home >> Service Configuration >> Mailserver Configuration).
Protocol
Adjust the protocol string for Dovecot mail services (IMAP or POP3) in WHM’s Mailserver Configuration interface (WHM >> Home >> Service Configuration >> Mailserver Configuration).
This interface accepts a string that implies ALL by default, such as !SSLv2 !SSLv3.
Apache
Cipher
Adjust Apache’s cipher string in WHM’s Global Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration >> Global Configuration).
Note:
If your chosen SSL protocol or the version of OpenSSL that EasyApache 4 uses does not support a cipher, the system will display an error message.
Protocol
Adjust Apache’s protocol string in the Global Configuration section of WHM’s Apache Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration).
This interface accepts a protocol string that resembles All -SSLv2 -SSLv3.
Exim
Cipher
In cPanel & WHM version 66 and earlier, you can toggle simple changes to the cipher list in the Security tab of the Basic Editor section of the Exim Configuration Manager interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager). To fully configure Exim’s cipher list, set Exim’s tls_require_ciphers option in the Advanced Editor section of the same Exim Configuration Manager interface.
In cPanel & WHM version 68 and later, you can adjust the cipher string in the SSL/TLS Cipher Suite List text box in the Basic Editor section of the Exim Configuration Manager interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager).
Protocol
In cPanel & WHM version 66 and earlier, you can configure the protocol list with the openssl_options setting in the Advanced Editor section of the Exim Configuration Manager interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager).
In cPanel & WHM version 68 and later, you can adjust the protocol list in the Options for OpenSSL text box in the Basic Editor section of the Exim Configuration Manager interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager).
The protocol list accepts Exim-specific settings. For example, +no_sslv2 +no_sslv3.
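The interfaces above spell the same policy four different ways: Apache’s All -SSLv2 -SSLv3, the SSLv23:!SSLv2:!SSLv3 form that cpsrvd and cpdavd use, Dovecot’s !SSLv2 !SSLv3 with ALL implied, and Exim’s +no_sslv2 +no_sslv3. The following added example (not cPanel code) normalizes each syntax to the set of protocol versions it leaves enabled, reports which versions below TLSv1.2 are still on, and generates the TLSv1.2-or-newer string for each interface. It assumes the candidate set SSLv2 through TLSv1.3 (TLSv1.3 is only available with OpenSSL 1.1.1 or newer, and SSLv2 is gone from modern OpenSSL entirely, so a given server may offer a subset), that Dovecot treats a list containing only ! entries as ALL minus those entries, and that Exim’s openssl_options names for the SSL_OP_NO_* flags are no_sslv2, no_sslv3, no_tlsv1, no_tlsv1_1, no_tlsv1_2 and no_tlsv1_3; the function names are this example’s own.

```python
"""Normalize the per-service protocol-string syntaxes cPanel & WHM exposes.

Added example, not cPanel code. Each style is reduced to the set of
protocol versions it leaves enabled so that settings entered in
different interfaces can be compared and checked for legacy versions.
"""

# Candidate protocol versions, oldest first. Which of these a server can
# really offer depends on its OpenSSL build (TLSv1.3 needs 1.1.1+).
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Exim openssl_options names for the SSL_OP_NO_* flags (assumed mapping).
EXIM_NO_FLAGS = {
    "no_sslv2": "SSLv2", "no_sslv3": "SSLv3", "no_tlsv1": "TLSv1",
    "no_tlsv1_1": "TLSv1.1", "no_tlsv1_2": "TLSv1.2", "no_tlsv1_3": "TLSv1.3",
}


def _canon(name):
    """Map a case-insensitive protocol name to its canonical spelling."""
    for proto in ALL_PROTOCOLS:
        if proto.lower() == name.lower():
            return proto
    raise ValueError(f"unknown protocol name: {name!r}")


def enabled_protocols(style, value):
    """Return the frozenset of protocol versions a setting string leaves enabled."""
    enabled = set()
    if style == "apache":          # SSLProtocol: 'All -SSLv2 -SSLv3'
        for tok in value.split():
            if tok.lower() == "all":
                enabled.update(ALL_PROTOCOLS)
            elif tok.startswith("-"):
                enabled.discard(_canon(tok[1:]))
            else:
                enabled.add(_canon(tok.lstrip("+")))
    elif style == "cpsrvd":        # cpsrvd / cpdavd: 'SSLv23:!SSLv2:!SSLv3'
        for tok in value.split(":"):
            if tok.upper() == "SSLV23":
                enabled.update(ALL_PROTOCOLS)
            elif tok.startswith("!"):
                enabled.discard(_canon(tok[1:]))
            elif tok:
                enabled.add(_canon(tok))
    elif style == "dovecot":       # ssl_protocols: '!SSLv2 !SSLv3' (ALL implied)
        toks = value.split()
        if not any(not t.startswith("!") for t in toks):
            enabled.update(ALL_PROTOCOLS)
        for tok in toks:
            if tok.startswith("!"):
                enabled.discard(_canon(tok[1:]))
            else:
                enabled.add(_canon(tok))
    elif style == "exim":          # openssl_options: '+no_sslv2 +no_sslv3'
        enabled.update(ALL_PROTOCOLS)
        for tok in value.split():
            name = tok.lstrip("+").lower()
            if name in EXIM_NO_FLAGS:
                enabled.discard(EXIM_NO_FLAGS[name])
            # Other openssl_options flags do not select protocols; ignored here.
    else:
        raise ValueError(f"unknown style: {style!r}")
    return frozenset(enabled)


def legacy_protocols(enabled):
    """Versions below TLSv1.2 that are still enabled, oldest first."""
    return [p for p in ALL_PROTOCOLS[:4] if p in enabled]


def tls12_plus_string(style):
    """The TLSv1.2-or-newer setting written in the given interface's syntax."""
    legacy = ALL_PROTOCOLS[:4]
    if style == "apache":
        return "All " + " ".join("-" + p for p in legacy)
    if style == "cpsrvd":
        return "SSLv23:" + ":".join("!" + p for p in legacy)
    if style == "dovecot":
        return " ".join("!" + p for p in legacy)
    if style == "exim":
        by_proto = {v: k for k, v in EXIM_NO_FLAGS.items()}
        return " ".join("+" + by_proto[p] for p in legacy)
    raise ValueError(f"unknown style: {style!r}")


if __name__ == "__main__":
    # The four default strings quoted on this page, one per syntax.
    defaults = {"apache": "All -SSLv2 -SSLv3", "cpsrvd": "SSLv23:!SSLv2:!SSLv3",
                "dovecot": "!SSLv2 !SSLv3", "exim": "+no_sslv2 +no_sslv3"}
    for style, value in defaults.items():
        on = enabled_protocols(style, value)
        print(f"{style:8} {value!r:28} legacy still on: {legacy_protocols(on)}")
        print(f"{'':8} TLSv1.2+ equivalent: {tls12_plus_string(style)!r}")
```

All four page defaults normalize to the same set, with TLSv1 and TLSv1.1 still enabled, which is what the version 86 behaviour described above removes. Note that on Dovecot 2.3 and later the ssl_protocols directive is replaced by ssl_min_protocol, so a string in the Dovecot style applies only to the older directive.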