Now that everyone is hopping on the SSL bandwagon with Let's Encrypt and registries dropping prices, let's raise cPanel's default SSL security settings to include forward secrecy and to favor the strongest ciphers first, getting us an A+ with two modifications.
This might break older browsers such as those on Windows XP, et al., so please make sure to test your website before going live with these production changes. That said, I've had no issues on a number of my servers in 3+ months, and I'm still getting an A+ at SSL Labs.
For a quick and dirty way to get a certificate for this test from Let's Encrypt, without anything server side beyond a few scripts I've run and saved, I've used the open-source (and locally editable and savable) Get HTTPS for Free.
This site is literally foolproof. It does not mess with your web server configuration, it does not need your private key like some other nefarious generators, and it's damn easy. You paste in a CSR, run a few challenges against your public signing key, and get an SSL certificate.
Now to raise cPanel’s grade to an A+ for all domains.
First, edit the Apache Global Configuration ciphers from WHM using the path:
Home -> Service Configuration -> Apache Configuration -> Global Configuration
Change the default cipher suite to the following by selecting the custom entry for cipher suites:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
The SSL/TLS protocols are OK to keep at their default. While unrelated to SSL, since we're here, make sure Server Tokens is also set to "Product Only" to avoid leaking information about your OS. Turn Trace Enable off per PCI recommendations and standards, and do the same with File ETag; example below:
Click Save. You're done with part one; Apache will now favor the stronger cipher suites over the others. Now it's time to enforce forward secrecy and set HSTS with a long max-age.
Part two: editing the global (all domains) Apache pre-includes file.
Select Service Configuration -> Apache Configuration -> Include Editor -> "I wish to edit the Pre Main configuration includes..." and select 'All Versions' from the drop-down.
Next, paste the following into the “Global” area:
Header add Strict-Transport-Security "max-age=31536000"
SSLProtocol all -SSLv3 -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
Click ‘Update’ and Apache will be restarted.
Alternatively, to do the same from a shell, open this file in your favorite text editor: /usr/local/apache/conf/includes/pre_main_global.conf
Paste in the contents above, save the file, and run:
/scripts/rebuildhttpdconf ; /scripts/restartsrv_httpd
This will rebuild the Apache configuration as would be done from WHM and restart Apache as well.
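Before pointing SSL Labs at the server, a local sanity check of the include is cheap. The following is an added Python linter, not part of this post or of cPanel: it parses the four directives pasted above (with a constructed, shortened cipher list as sample input) and reports anything that would cost the grade, namely legacy protocols left enabled, server cipher order off, forward-secrecy suites listed after non-FS ones, missing exclusions, 3DES still offered, or an HSTS max-age under the one year used above.

```python
"""Lint an Apache TLS include like the pre_main_global.conf snippet in this post."""
import re

# Constructed sample: the post's directives with a shortened cipher list.
SAMPLE_INCLUDE = """
Header add Strict-Transport-Security "max-age=31536000"
SSLProtocol all -SSLv3 -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
"""

FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")  # key exchanges that give forward secrecy
REQUIRED_EXCLUSIONS = {"!aNULL", "!eNULL", "!EXPORT", "!MD5", "!RC4", "!DES"}
ONE_YEAR = 31536000  # the max-age the post uses

def parse_directives(text):
    """Map directive name -> argument string for the one-line directives used here."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, rest = line.partition(" ")
            out[name] = rest.strip()
    return out

def lint(text):
    """Return a sorted list of findings; empty means the include matches the post's intent."""
    d = parse_directives(text)
    findings = []
    protos = d.get("SSLProtocol", "").split()
    for legacy in ("SSLv2", "SSLv3"):  # 'all' enables them unless explicitly removed
        if "all" in protos and "-" + legacy not in protos:
            findings.append(f"{legacy} not disabled")
    if d.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder is not On (client would pick the cipher)")
    suites = d.get("SSLCipherSuite", "").split(":")
    # Named suites only: skip keyword groups like HIGH and exclusions like !RC4.
    explicit = [s for s in suites if "-" in s and not s.startswith("!")]
    first_non_fs = next((i for i, s in enumerate(explicit) if not s.startswith(FS_PREFIXES)), len(explicit))
    late_fs = [s for s in explicit[first_non_fs:] if s.startswith(FS_PREFIXES)]
    if late_fs:
        findings.append("forward-secrecy suites listed after non-FS suites: " + ",".join(late_fs))
    missing = REQUIRED_EXCLUSIONS - set(suites)
    if missing:
        findings.append("missing exclusions: " + ",".join(sorted(missing)))
    if any("DES-CBC3" in s for s in explicit):
        findings.append("3DES (DES-CBC3) still offered; keep only if legacy clients need it")
    m = re.search(r"max-age=(\d+)", d.get("Header", ""))
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS max-age missing or below one year")
    return sorted(findings)
```

On the post's own include the only finding is the 3DES note, which is the deliberate trade-off for older browsers mentioned at the top.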
Now test your website at Qualys SSL Labs to see the score you get. If you've followed the instructions properly, you should have an A+.
Done! Now you have A+ SSL settings on all domains on your cPanel server that have certificates installed. By using the global pre-main includes and modifying the server-wide ciphers for Apache, every domain using SSL will enjoy the same security.