Improving HTTPS / SSL Strength for Domains

Issue: cPanel (version 78.0.21) powered server where a domain (Apache is in use) is showing a poor score on the Qualys SSL Labs report. In particular there are several weak cipher suites in use. Also weak protocols are in use. Also HTTP Strict Transport Security (HSTS), and DNS Certification Authority Authorization (CAA) are not in use. Both Comodo and Let’s Encrypt should be available.

Solution: Configure Apache to remove weaker ciphers and protocols. Note: Some weaker ciphers are required to enable older clients the ability to connect. Edit .htaccess file on the domain to force SSL and provide appropriate HSTS header for the domain. Configure CAA records in the DNS zone file for the domain. Let’s use an example domain name as the “example.com”

Step 1

In WHM navigate to: Home >> Service Configuration >> Apache Configuration >> Global Configuration
Do not use the default, instead enter the following within the “SSL Cipher Suite” option:

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA256:!AES128-SHA256:!AES256-SHA:!AES128-SHA:!DES-CBC3-SHA:HIGH:!aNULL!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4

Within “SSL/TLS Protocols” do not use the default, instead enter:

All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Within “LogLevel”, enter:

warn

Within “Trace Enable”, enter:

Off

Within “Server Signature”, enter:

Off

Within “Server Tokens”, enter: Product

Only

Click “Save”, then click “Rebuild Configuration and Restart Apache”

Step 2

In WHM navigate to: Home >> Service Configuration >> Apache Configuration >> Include Editor

Within “Pre Main Include” the Apache version to select is: “All Versions”, then enter the following in the Global field:

Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
SSLHonorCipherOrder on

Click update, then click “Retsart Apache”

Step 3

For the specific domain, establish an SSH connection and navigate the the public_html directory. Edit the .htaccess file to enable the following:

Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#HSTS
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HTTPS

Step 4

Edit the DNS zone record for the domain and add the following:

example.com. 1800 IN CAA 0 issuewild "comodoca.com"
example.com. 1800 IN CAA 0 issuewild "letsencrypt.org"
example.com. 1800 IN CAA 0 issue "comodoca.com"
example.com. 1800 IN CAA 0 issue "letsencrypt.org"
example.com. 1800 IN CAA 0 iodef "mailto:[email protected]

Test the domain using the tool at: https://www.ssllabs.com/ssltest/

Note: You most probably use Apache with OpenSSL library. OpenSSL uses its own ciphers names, but SSL Labs test displays official standard TLS names. When you observer an SSL Labs cipher name (you would like to disable) such as: TLS_RSA_WITH_3DES_EDE_CBC_SHA, please look for theOpenSSL name here: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html and you see it “translates” to the name DES-CBC3-SHA. To disable a cipher, add an exclaimation mark in fron of it like this example: !DES-CBC3-SHA

At this stage you may be able to have your domain (website) listed in the HTTP Strict Transport Security (HSTS) preload list. Several web browsers use this, including Firefox: https://hstspreload.org/

2 thoughts on “Improving HTTPS / SSL Strength for Domains”

  1. As of May 02, 2019:

    CIPHER SUITE NAMES

    The following lists give the SSL or TLS cipher suites names from the relevant specification and their OpenSSL equivalents. It should be noted, that several cipher suite names do not include the authentication used, e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
    SSL v3.0 cipher suites.

    SSL_RSA_WITH_NULL_MD5 = NULL-MD5
    SSL_RSA_WITH_NULL_SHA = NULL-SHA
    SSL_RSA_EXPORT_WITH_RC4_40_MD5 = EXP-RC4-MD5
    SSL_RSA_WITH_RC4_128_MD5 = RC4-MD5
    SSL_RSA_WITH_RC4_128_SHA = RC4-SHA
    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = EXP-RC2-CBC-MD5
    SSL_RSA_WITH_IDEA_CBC_SHA = IDEA-CBC-SHA
    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = EXP-DES-CBC-SHA
    SSL_RSA_WITH_DES_CBC_SHA = DES-CBC-SHA
    SSL_RSA_WITH_3DES_EDE_CBC_SHA = DES-CBC3-SHA

    SSL_DH_DSS_WITH_DES_CBC_SHA = DH-DSS-DES-CBC-SHA
    SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA = DH-DSS-DES-CBC3-SHA
    SSL_DH_RSA_WITH_DES_CBC_SHA = DH-RSA-DES-CBC-SHA
    SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA = DH-RSA-DES-CBC3-SHA
    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = EXP-EDH-DSS-DES-CBC-SHA
    SSL_DHE_DSS_WITH_DES_CBC_SHA = EDH-DSS-CBC-SHA
    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA = EDH-DSS-DES-CBC3-SHA
    SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = EXP-EDH-RSA-DES-CBC-SHA
    SSL_DHE_RSA_WITH_DES_CBC_SHA = EDH-RSA-DES-CBC-SHA
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA = EDH-RSA-DES-CBC3-SHA

    SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 = EXP-ADH-RC4-MD5
    SSL_DH_anon_WITH_RC4_128_MD5 = ADH-RC4-MD5
    SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA = EXP-ADH-DES-CBC-SHA
    SSL_DH_anon_WITH_DES_CBC_SHA = ADH-DES-CBC-SHA
    SSL_DH_anon_WITH_3DES_EDE_CBC_SHA = ADH-DES-CBC3-SHA

    SSL_FORTEZZA_KEA_WITH_NULL_SHA = Not implemented.
    SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = Not implemented.
    SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = Not implemented.

    TLS v1.0 cipher suites.

    TLS_RSA_WITH_NULL_MD5 = NULL-MD5
    TLS_RSA_WITH_NULL_SHA = NULL-SHA
    TLS_RSA_EXPORT_WITH_RC4_40_MD5 = EXP-RC4-MD5
    TLS_RSA_WITH_RC4_128_MD5 = RC4-MD5
    TLS_RSA_WITH_RC4_128_SHA = RC4-SHA
    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = EXP-RC2-CBC-MD5
    TLS_RSA_WITH_IDEA_CBC_SHA = IDEA-CBC-SHA
    TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = EXP-DES-CBC-SHA
    TLS_RSA_WITH_DES_CBC_SHA = DES-CBC-SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA = DES-CBC3-SHA

    TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = Not implemented.
    TLS_DH_DSS_WITH_DES_CBC_SHA = Not implemented.
    TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = Not implemented.
    TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = Not implemented.
    TLS_DH_RSA_WITH_DES_CBC_SHA = Not implemented.
    TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = Not implemented.
    TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = EXP-EDH-DSS-DES-CBC-SHA
    TLS_DHE_DSS_WITH_DES_CBC_SHA = EDH-DSS-CBC-SHA
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = EDH-DSS-DES-CBC3-SHA
    TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = EXP-EDH-RSA-DES-CBC-SHA
    TLS_DHE_RSA_WITH_DES_CBC_SHA = EDH-RSA-DES-CBC-SHA
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = EDH-RSA-DES-CBC3-SHA

    TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = EXP-ADH-RC4-MD5
    TLS_DH_anon_WITH_RC4_128_MD5 = ADH-RC4-MD5
    TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = EXP-ADH-DES-CBC-SHA
    TLS_DH_anon_WITH_DES_CBC_SHA = ADH-DES-CBC-SHA
    TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = ADH-DES-CBC3-SHA

    AES ciphersuites from RFC3268, extending TLS v1.0

    TLS_RSA_WITH_AES_128_CBC_SHA = AES128-SHA
    TLS_RSA_WITH_AES_256_CBC_SHA = AES256-SHA

    TLS_DH_DSS_WITH_AES_128_CBC_SHA = DH-DSS-AES128-SHA
    TLS_DH_DSS_WITH_AES_256_CBC_SHA = DH-DSS-AES256-SHA
    TLS_DH_RSA_WITH_AES_128_CBC_SHA = DH-RSA-AES128-SHA
    TLS_DH_RSA_WITH_AES_256_CBC_SHA = DH-RSA-AES256-SHA

    TLS_DHE_DSS_WITH_AES_128_CBC_SHA = DHE-DSS-AES128-SHA
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA = DHE-DSS-AES256-SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA = DHE-RSA-AES128-SHA
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA = DHE-RSA-AES256-SHA

    TLS_DH_anon_WITH_AES_128_CBC_SHA = ADH-AES128-SHA
    TLS_DH_anon_WITH_AES_256_CBC_SHA = ADH-AES256-SHA

    Camellia ciphersuites from RFC4132, extending TLS v1.0

    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = CAMELLIA128-SHA
    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = CAMELLIA256-SHA

    TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = DH-DSS-CAMELLIA128-SHA
    TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = DH-DSS-CAMELLIA256-SHA
    TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = DH-RSA-CAMELLIA128-SHA
    TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = DH-RSA-CAMELLIA256-SHA

    TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = DHE-DSS-CAMELLIA128-SHA
    TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = DHE-DSS-CAMELLIA256-SHA
    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = DHE-RSA-CAMELLIA128-SHA
    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = DHE-RSA-CAMELLIA256-SHA

    TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = ADH-CAMELLIA128-SHA
    TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = ADH-CAMELLIA256-SHA

    SEED ciphersuites from RFC4162, extending TLS v1.0

    TLS_RSA_WITH_SEED_CBC_SHA = SEED-SHA

    TLS_DH_DSS_WITH_SEED_CBC_SHA = DH-DSS-SEED-SHA
    TLS_DH_RSA_WITH_SEED_CBC_SHA = DH-RSA-SEED-SHA

    TLS_DHE_DSS_WITH_SEED_CBC_SHA = DHE-DSS-SEED-SHA
    TLS_DHE_RSA_WITH_SEED_CBC_SHA = DHE-RSA-SEED-SHA

    TLS_DH_anon_WITH_SEED_CBC_SHA = ADH-SEED-SHA

    GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0

    Note: these ciphers require an engine which including GOST cryptographic algorithms, such as the ccgost engine, included in the OpenSSL distribution.

    TLS_GOSTR341094_WITH_28147_CNT_IMIT = GOST94-GOST89-GOST89
    TLS_GOSTR341001_WITH_28147_CNT_IMIT = GOST2001-GOST89-GOST89
    TLS_GOSTR341094_WITH_NULL_GOSTR3411 = GOST94-NULL-GOST94
    TLS_GOSTR341001_WITH_NULL_GOSTR3411 = GOST2001-NULL-GOST94

    Additional Export 1024 and other cipher suites

    Note: these ciphers can also be used in SSL v3.

    TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = EXP1024-DES-CBC-SHA
    TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = EXP1024-RC4-SHA
    TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = EXP1024-DHE-DSS-DES-CBC-SHA
    TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = EXP1024-DHE-DSS-RC4-SHA
    TLS_DHE_DSS_WITH_RC4_128_SHA = DHE-DSS-RC4-SHA

    Elliptic curve cipher suites.

    TLS_ECDH_RSA_WITH_NULL_SHA = ECDH-RSA-NULL-SHA
    TLS_ECDH_RSA_WITH_RC4_128_SHA = ECDH-RSA-RC4-SHA
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = ECDH-RSA-DES-CBC3-SHA
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = ECDH-RSA-AES128-SHA
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = ECDH-RSA-AES256-SHA

    TLS_ECDH_ECDSA_WITH_NULL_SHA = ECDH-ECDSA-NULL-SHA
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA = ECDH-ECDSA-RC4-SHA
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = ECDH-ECDSA-DES-CBC3-SHA
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = ECDH-ECDSA-AES128-SHA
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = ECDH-ECDSA-AES256-SHA

    TLS_ECDHE_RSA_WITH_NULL_SHA = ECDHE-RSA-NULL-SHA
    TLS_ECDHE_RSA_WITH_RC4_128_SHA = ECDHE-RSA-RC4-SHA
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = ECDHE-RSA-DES-CBC3-SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = ECDHE-RSA-AES128-SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = ECDHE-RSA-AES256-SHA

    TLS_ECDHE_ECDSA_WITH_NULL_SHA = ECDHE-ECDSA-NULL-SHA
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = ECDHE-ECDSA-RC4-SHA
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = ECDHE-ECDSA-DES-CBC3-SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = ECDHE-ECDSA-AES128-SHA
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = ECDHE-ECDSA-AES256-SHA

    TLS_ECDH_anon_WITH_NULL_SHA = AECDH-NULL-SHA
    TLS_ECDH_anon_WITH_RC4_128_SHA = AECDH-RC4-SHA
    TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = AECDH-DES-CBC3-SHA
    TLS_ECDH_anon_WITH_AES_128_CBC_SHA = AECDH-AES128-SHA
    TLS_ECDH_anon_WITH_AES_256_CBC_SHA = AECDH-AES256-SHA

    TLS v1.2 cipher suites

    TLS_RSA_WITH_NULL_SHA256 = NULL-SHA256

    TLS_RSA_WITH_AES_128_CBC_SHA256 = AES128-SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256 = AES256-SHA256
    TLS_RSA_WITH_AES_128_GCM_SHA256 = AES128-GCM-SHA256
    TLS_RSA_WITH_AES_256_GCM_SHA384 = AES256-GCM-SHA384

    TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = DH-RSA-AES128-SHA256
    TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = DH-RSA-AES256-SHA256
    TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = DH-RSA-AES128-GCM-SHA256
    TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = DH-RSA-AES256-GCM-SHA384

    TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = DH-DSS-AES128-SHA256
    TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = DH-DSS-AES256-SHA256
    TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = DH-DSS-AES128-GCM-SHA256
    TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = DH-DSS-AES256-GCM-SHA384

    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = DHE-RSA-AES128-SHA256
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = DHE-RSA-AES256-SHA256
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = DHE-RSA-AES128-GCM-SHA256
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = DHE-RSA-AES256-GCM-SHA384

    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = DHE-DSS-AES128-SHA256
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = DHE-DSS-AES256-SHA256
    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = DHE-DSS-AES128-GCM-SHA256
    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = DHE-DSS-AES256-GCM-SHA384

    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = ECDH-RSA-AES128-SHA256
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = ECDH-RSA-AES256-SHA384
    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = ECDH-RSA-AES128-GCM-SHA256
    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = ECDH-RSA-AES256-GCM-SHA384

    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = ECDH-ECDSA-AES128-SHA256
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = ECDH-ECDSA-AES256-SHA384
    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = ECDH-ECDSA-AES128-GCM-SHA256
    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = ECDH-ECDSA-AES256-GCM-SHA384

    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = ECDHE-RSA-AES128-SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = ECDHE-RSA-AES256-SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = ECDHE-RSA-AES128-GCM-SHA256
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = ECDHE-RSA-AES256-GCM-SHA384

    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = ECDHE-ECDSA-AES128-SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = ECDHE-ECDSA-AES256-SHA384
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = ECDHE-ECDSA-AES128-GCM-SHA256
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = ECDHE-ECDSA-AES256-GCM-SHA384

    TLS_DH_anon_WITH_AES_128_CBC_SHA256 = ADH-AES128-SHA256
    TLS_DH_anon_WITH_AES_256_CBC_SHA256 = ADH-AES256-SHA256
    TLS_DH_anon_WITH_AES_128_GCM_SHA256 = ADH-AES128-GCM-SHA256
    TLS_DH_anon_WITH_AES_256_GCM_SHA384 = ADH-AES256-GCM-SHA384

    Pre shared keying (PSK) cipheruites

    TLS_PSK_WITH_RC4_128_SHA = PSK-RC4-SHA
    TLS_PSK_WITH_3DES_EDE_CBC_SHA = PSK-3DES-EDE-CBC-SHA
    TLS_PSK_WITH_AES_128_CBC_SHA = PSK-AES128-CBC-SHA
    TLS_PSK_WITH_AES_256_CBC_SHA = PSK-AES256-CBC-SHA

    Deprecated SSL v2.0 cipher suites.

    SSL_CK_RC4_128_WITH_MD5 = RC4-MD5
    SSL_CK_RC4_128_EXPORT40_WITH_MD5 = Not implemented.
    SSL_CK_RC2_128_CBC_WITH_MD5 = RC2-CBC-MD5
    SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = Not implemented.
    SSL_CK_IDEA_128_CBC_WITH_MD5 = IDEA-CBC-MD5
    SSL_CK_DES_64_CBC_WITH_MD5 = Not implemented.
    SSL_CK_DES_192_EDE3_CBC_WITH_MD5 = DES-CBC3-MD5

    Source: https://www.openssl.org/docs/man1.0.2/man1/ciphers.html

    Reply

Leave a comment

BlogLogistics