Getting an A+ on the SSL Labs test on all cPanel domains in 5 minutes

Now that everyone is hopping on the SSL bandwagon with Let’s Encrypt and registries dropping prices, let’s raise cPanel’s default SSL security settings to include forward secrecy and to favor the strongest ciphers first, which gets us an A+ with two modifications.

This might break older browsers such as those on Windows XP, et al., so please make sure to test your website before going live with these production changes. I’ve had no issues on a number of my servers in 3+ months, and I’m still getting an A+ at SSL Labs.

For a quick and dirty way to get a certificate for this test from Let’s Encrypt, without anything server-side beyond a few scripts I’ve run and saved, I’ve used the open-source (and locally editable and savable) Get HTTPS for Free.

This site is literally foolproof. It does not mess with your web-server configuration, it does not need your private key like some other nefarious generators, and it’s damn easy. You copy and paste in a CSR, run a few challenges against your public signing key, and get an SSL certificate.

Now to raise cPanel’s grade to an A+ for all domains. 

First, edit the Apache Global Configuration ciphers in WHM using the path:

Home -> Service Configuration -> Apache Configuration -> Global Configuration

Change the default cipher suite to the following by selecting the custom entry for cipher suites:

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4

SSL/TLS protocols are OK to keep at their default. While unrelated to SSL, since we’re here, make sure Server Tokens is also set to “Product Only” to avoid leaking information about your OS. Turn Trace Enable off per PCI recommendations and standards. Do the same with File ETag, as in the example below:

File ETag Off, Server Tokens to Product Only, Turn off Trace Enable for best security practices on Apache in cPanel.

Click Save. You’re done with part one; Apache will now favor stronger cipher suites before others. Now it’s time to set up forward secrecy and an HSTS header with a long max-age.

Part two: editing the global (all-domain) Apache pre-main include file:

Select Service Configuration -> Apache Configuration -> Include Editor -> “I wish to edit the Pre Main configuration includes…” and choose ‘All Versions’ from the drop-down.

Getting an A+ for SSL in cPanel : Edit the Pre-Main Configuration Include File for : All Versions


Next, paste the following into the “Global” area:

# Tell browsers to use HTTPS only for this host for the next year (31536000 seconds)
Header add Strict-Transport-Security "max-age=31536000"
# Disable SSLv2 and SSLv3, leaving only the TLS versions
SSLProtocol all -SSLv3 -SSLv2
# Negotiate using the server's cipher order rather than the client's
SSLHonorCipherOrder On
# ECDHE/DHE (forward secrecy) suites first, then plain RSA; weak families excluded with "!"
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4


Click ‘Update’ and Apache will be restarted.

Alternatively, to do the same from a shell, open this file in your favorite text editor: /usr/local/apache/conf/includes/pre_main_global.conf

Paste in the contents above, save the file, and run:

/scripts/rebuildhttpdconf ; /scripts/restartsrv_httpd

This rebuilds the Apache configuration, just as WHM would, and restarts Apache.

Now test your website at Qualys SSL Labs to see the score you get. If you’ve followed the instructions properly, you should have an A+.

SSL Labs A+ Test on cPanel by Default on all domains - Tutorial / FAQ

Done! Now you have A+ SSL settings on every domain on your cPanel server that has a certificate installed. By using the global pre-main include and modifying the server-wide ciphers for Apache, every domain using SSL enjoys the same security.
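As an added example (not part of the tutorial or of cPanel), this Python script classifies the cipher string used above by key exchange and bulk cipher, so you can see before running the SSL Labs test which suites give forward secrecy, which still use 3DES, and whether SSLHonorCipherOrder On will actually prefer the forward-secret ones. It only classifies explicitly named suites; expanding keywords like HIGH needs libssl.

```python
import re

# The cipher string from the tutorial above, copied verbatim.
CIPHER_STRING = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:"
    "DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"
)

def parse_suites(cipher_string):
    """Split an OpenSSL cipher string into named suites and '!' exclusions.
    Bare keywords such as HIGH are skipped: expanding them needs libssl."""
    suites, excluded = [], []
    for token in cipher_string.split(":"):
        if token.startswith("!"):
            excluded.append(token[1:])
        elif "-" in token:
            suites.append(token)
    return suites, excluded

def classify(suite):
    """Return (key_exchange, forward_secrecy, bulk_cipher, aead) for one suite name.
    No ECDHE/DHE prefix means static RSA key transport, so a leaked server key
    would decrypt recorded sessions; that is what forward secrecy prevents."""
    if suite.startswith("ECDHE-"):
        kx = "ECDHE"
    elif suite.startswith(("DHE-", "EDH-")):
        kx = "DHE"
    else:
        kx = "RSA"
    # DES-CBC3 suites are 3DES; OpenSSL's !DES keyword removes single DES only.
    match = re.search(r"AES128|AES256|DES-CBC3", suite)
    bulk = (match.group(0) if match else "other").replace("DES-CBC3", "3DES")
    return kx, kx != "RSA", bulk, "-GCM-" in suite

def audit(cipher_string):
    """Group the named suites so the server-preferred order can be reviewed."""
    suites, excluded = parse_suites(cipher_string)
    report = {"forward_secrecy": [], "no_forward_secrecy": [], "3des": [], "excluded": excluded}
    for suite in suites:
        _, fs, bulk, _ = classify(suite)
        report["forward_secrecy" if fs else "no_forward_secrecy"].append(suite)
        if bulk == "3DES":
            report["3des"].append(suite)
    # With SSLHonorCipherOrder On the server takes the first suite the client also
    # offers, so every forward-secret suite must precede every static-RSA one.
    fs_flags = [classify(s)[1] for s in suites]
    report["fs_preferred"] = fs_flags == sorted(fs_flags, reverse=True)
    return report
```

Run `audit(CIPHER_STRING)` to get the grouped lists; the `no_forward_secrecy` and `3des` entries are the suites to watch if you later tighten the list.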
