Issue: A cPanel-powered server (version 78.0.21) running Apache, where a domain scores poorly on the Qualys SSL Labs report: several weak cipher suites and weak protocols are enabled, and neither HTTP Strict Transport Security (HSTS) nor DNS Certification Authority Authorization (CAA) is in use. Both Comodo and Let’s Encrypt should remain able to issue certificates for the domain.
Solution: Configure Apache to remove the weaker ciphers and protocols. Note: some weaker ciphers are required if older clients must still be able to connect. Edit the .htaccess file for the domain to force HTTPS and send an appropriate HSTS header. Add CAA records to the domain’s DNS zone. The example domain name used below is “example.com”.
Step 1
In WHM navigate to: Home >> Service Configuration >> Apache Configuration >> Global Configuration
Do not use the default, instead enter the following within the “SSL Cipher Suite” option:
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA256:!AES128-SHA256:!AES256-SHA:!AES128-SHA:!DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4
Within “SSL/TLS Protocols” do not use the default, instead enter:
All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Within “LogLevel”, enter:
warn
Within “Trace Enable”, enter:
Off
Within “Server Signature”, enter:
Off
Within “Server Tokens”, enter:
ProductOnly
Click “Save”, then click “Rebuild Configuration and Restart Apache”
Step 2
In WHM navigate to: Home >> Service Configuration >> Apache Configuration >> Include Editor
Within “Pre Main Include” the Apache version to select is: “All Versions”, then enter the following in the Global field:
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
SSLHonorCipherOrder on
Click “Update”, then click “Restart Apache”
Step 3
For the specific domain, establish an SSH connection and navigate to the public_html directory. Edit the .htaccess file to enable the following:
# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# HSTS
Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" env=HTTPS
Step 4
Edit the DNS zone record for the domain and add the following:
example.com. 1800 IN CAA 0 issuewild "comodoca.com"
example.com. 1800 IN CAA 0 issuewild "letsencrypt.org"
example.com. 1800 IN CAA 0 issue "comodoca.com"
example.com. 1800 IN CAA 0 issue "letsencrypt.org"
example.com. 1800 IN CAA 0 iodef "mailto:admin-email@example.com"
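To see what the records in Step 4 actually do, here is an added example (not part of this page, cPanel or any DNS software) that parses them from zone-file text and applies the RFC 8659 rules a CA follows before issuing: a wildcard request is governed by the issuewild records when any exist and otherwise by the issue records; a matching issuer domain permits issuance; an empty issuer value (";") matches no CA; a record with the critical flag (128) and an unknown tag forbids issuance. The zone excerpt and the CA name "other-ca.example" are constructed here; `issuance_allowed` assumes it is handed the RRset that the RFC's parent-domain walk already located.

```python
"""Added example, not from the page or any DNS software: parse the CAA
records of Step 4 and apply the RFC 8659 rules a CA checks before issuing.
`issuance_allowed` assumes `records` is the CAA RRset that the RFC's
parent-domain walk already located for the name being certified."""
import re

# Matches 'owner [ttl] [IN] CAA flags tag "value"' zone-file lines.
CAA_LINE = re.compile(r'^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"\s*$')

# The records from Step 4 (constructed here as a zone-file excerpt).
STEP4_ZONE = """
example.com. 1800 IN CAA 0 issuewild "comodoca.com"
example.com. 1800 IN CAA 0 issuewild "letsencrypt.org"
example.com. 1800 IN CAA 0 issue "comodoca.com"
example.com. 1800 IN CAA 0 issue "letsencrypt.org"
example.com. 1800 IN CAA 0 iodef "mailto:admin-email@example.com"
"""


def parse_caa(zone_text):
    """Return a list of {'owner', 'flags', 'tag', 'value'} dicts."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and zone-file comments
        m = CAA_LINE.match(line)
        if m is None:
            raise ValueError(f"not a CAA record: {line!r}")
        owner, flags, tag, value = m.groups()
        records.append({"owner": owner, "flags": int(flags), "tag": tag.lower(), "value": value})
    return records


def _issuer_domain(value):
    """The CA domain in an issue/issuewild value; '' for the 'no CA' form ';'."""
    return value.split(";", 1)[0].strip().lower()  # parameters after ';' are ignored here


def issuance_allowed(records, ca_domain, wildcard=False):
    """May the CA identified by ca_domain issue for this RRset's owner name?"""
    known_tags = {"issue", "issuewild", "iodef"}
    # A record with the critical flag (bit 128) and a tag this checker does not
    # understand forbids issuance outright.
    if any(r["flags"] & 128 and r["tag"] not in known_tags for r in records):
        return False
    issue = [r for r in records if r["tag"] == "issue"]
    issuewild = [r for r in records if r["tag"] == "issuewild"]
    # RFC 8659 section 4.3: for a wildcard name, issuewild records take over when
    # any exist; otherwise the issue records govern wildcards as well.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # only iodef (or nothing) at this name: no restriction
    # A matching issuer permits issuance; the empty issuer ";" matches no CA.
    return any(_issuer_domain(r["value"]) == ca_domain.lower() for r in relevant)


if __name__ == "__main__":
    recs = parse_caa(STEP4_ZONE)
    for ca in ("letsencrypt.org", "comodoca.com", "other-ca.example"):
        print(ca, "plain:", issuance_allowed(recs, ca),
              "wildcard:", issuance_allowed(recs, ca, wildcard=True))
```

Running it against the Step 4 records shows both listed CAs permitted for plain and wildcard names and any other CA refused; dropping the issuewild lines would leave the issue lines governing wildcards too, which is why the page adds both.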
Test the domain using the tool at: https://www.ssllabs.com/ssltest/
Note: You are most probably using Apache with the OpenSSL library. OpenSSL uses its own cipher names, while the SSL Labs test displays the official standard TLS names. When you see an SSL Labs cipher name that you would like to disable, such as TLS_RSA_WITH_3DES_EDE_CBC_SHA, look up the OpenSSL name here: https://www.openssl.org/docs/man1.0.2/apps/ciphers.html and you will see it “translates” to DES-CBC3-SHA. To disable a cipher, add an exclamation mark in front of it, for example: !DES-CBC3-SHA
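The translation described in the note, and the Step 1 cipher string, can both be checked before anything is pasted into WHM. The following is an added example (not from this page, cPanel or OpenSSL): it parses the "SPEC_NAME = OPENSSL_NAME" line format of the CIPHER SUITE NAMES table reproduced further down, builds the "!NAME" exclusions from SSL Labs names, and asks the local OpenSSL (through Python's ssl module) which suites a cipher string really selects. The table excerpt is constructed here; the cipher string is the one from Step 1 with the colon between !aNULL and !eNULL supplied.

```python
"""Added example, not from the page, cPanel or OpenSSL: translate standard
(SSL Labs) cipher-suite names into OpenSSL names using the
"SPEC_NAME = OPENSSL_NAME" format of the CIPHER SUITE NAMES table on this
page, build the "!NAME" exclusions, and ask the local OpenSSL (via Python's
ssl module) what a cipher string really selects."""
import re
import ssl

# Constructed excerpt in the same "SPEC = OPENSSL" format as the table on this page.
NAME_TABLE = """
TLS v1.0 cipher suites.
TLS_RSA_WITH_RC4_128_SHA = RC4-SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA = DES-CBC3-SHA
TLS_DH_DSS_WITH_DES_CBC_SHA = Not implemented.
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = ECDHE-RSA-AES256-GCM-SHA384
"""

# The "SSL Cipher Suite" value from Step 1 (with ':' between !aNULL and !eNULL).
STEP1_CIPHER_STRING = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
    "!ECDHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:"
    "!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256:"
    "!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA:"
    "!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:"
    "!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA256:!AES128-SHA256:"
    "!AES256-SHA:!AES128-SHA:!DES-CBC3-SHA:"
    "HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4"
)

# Substrings that should never appear in a selected suite name once the string is applied.
WEAK_MARKERS = ("RC4", "MD5", "DES", "CAMELLIA", "PSK", "NULL", "EXP")

TABLE_LINE = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*(.+?)\s*$")


def parse_name_table(text):
    """Map spec name -> OpenSSL name (None when OpenSSL does not implement it)."""
    mapping = {}
    for line in text.splitlines():
        m = TABLE_LINE.match(line)
        if m is None:
            continue  # section headings and blank lines carry no '='
        spec, openssl_name = m.groups()
        mapping[spec] = None if openssl_name.startswith("Not implemented") else openssl_name
    return mapping


def exclusions_for(spec_names, mapping):
    """Turn SSL Labs names into the '!NAME:!NAME' tail to append to a cipher string."""
    tokens = []
    for spec in spec_names:
        openssl_name = mapping.get(spec)
        if openssl_name is None:
            raise KeyError(f"{spec}: not in the table, or not implemented by OpenSSL")
        tokens.append("!" + openssl_name)
    return ":".join(tokens)


def selected_suites(cipher_string):
    """The suites the local OpenSSL selects for cipher_string (list of dicts)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # mirrors Step 1's protocol setting
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing would be selected
    return ctx.get_ciphers()


def audit(cipher_string):
    """Return (weak_names, static_rsa_names): suites matching a weak marker, and
    suites whose key exchange is plain RSA (no forward secrecy)."""
    suites = selected_suites(cipher_string)
    weak = [c["name"] for c in suites if any(mk in c["name"] for mk in WEAK_MARKERS)]
    static_rsa = [c["name"] for c in suites if c.get("kea") == "RSA"]
    return weak, static_rsa


if __name__ == "__main__":
    table = parse_name_table(NAME_TABLE)
    print("append:", exclusions_for(["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"], table))
    weak, static_rsa = audit(STEP1_CIPHER_STRING)
    print("weak suites still selected:", weak or "none")
    print("static-RSA suites still selected:", static_rsa or "none")
```

The result depends on the OpenSSL version Python is linked against, which is the point: run it on the cPanel host itself (or check with `openssl ciphers -v '<string>'` there). If the static-RSA list is not empty, the `HIGH` alias on that OpenSSL build is pulling in suites without forward secrecy that the explicit `!` entries do not name; appending `!kRSA` removes every RSA-key-exchange suite at once.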
At this stage you may be able to have your domain (website) listed in the HTTP Strict Transport Security (HSTS) preload list, which several web browsers use, including Firefox: https://hstspreload.org/
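The HSTS headers from Step 2 and Step 3 can be checked against the preload requirements before submitting. Here is an added example (not from this page, cPanel or Apache) that parses a Strict-Transport-Security value the way RFC 6797 describes and lists what would stop hstspreload.org from accepting it (max-age of at least one year, includeSubDomains and preload); the two header values are the ones this page configures.

```python
"""Added example, not from the page, cPanel or Apache: parse a
Strict-Transport-Security header value as RFC 6797 describes and list what
would stop the domain from being accepted by hstspreload.org."""

ONE_YEAR = 31536000  # seconds; the hstspreload.org minimum max-age


def parse_hsts(value):
    """Return {'max_age', 'include_subdomains', 'preload'} or None if invalid.

    RFC 6797: directive names are case-insensitive, each may appear at most
    once, unknown directives are ignored, empty directives (a stray ';') are
    allowed, and max-age is mandatory."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # e.g. the trailing ';' in the Step 2 header
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # max-age may be given as a quoted-string
        if name in seen:
            return None  # duplicate directive: the whole header is invalid
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # any other directive name is ignored by user agents
    return result if result["max_age"] is not None else None


def preload_problems(value):
    """Reasons hstspreload.org would reject this header; an empty list means eligible."""
    parsed = parse_hsts(value)
    if parsed is None:
        return ["header is malformed or lacks max-age"]
    problems = []
    if parsed["max_age"] < ONE_YEAR:
        problems.append(f"max-age {parsed['max_age']} is below {ONE_YEAR}")
    if not parsed["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not parsed["preload"]:
        problems.append("preload directive missing")
    return problems


# The two header values this page configures: Step 2 (global include) and Step 3 (.htaccess).
GLOBAL_HSTS = "max-age=31536000; includeSubdomains;"
HTACCESS_HSTS = "max-age=63072000; includeSubDomains; preload"

if __name__ == "__main__":
    for label, value in (("Step 2", GLOBAL_HSTS), ("Step 3", HTACCESS_HSTS)):
        print(label, parse_hsts(value), preload_problems(value) or "preload-eligible")
```

Only the Step 3 header is preload-eligible. Since Step 2 uses `Header always set` and Step 3 uses `Header set`, a response for the domain can carry both Strict-Transport-Security headers, and RFC 6797 tells browsers to process only the first one; check with `curl -sI https://example.com` which header arrives first before submitting to the preload list.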
Further reading: https://community.qualys.com/thread/17204-disabling-ciphers (see the comment from “j-mailor” dated Apr 12, 2017 4:38 AM).
Also: https://webdesires.co.uk/knowledge-base/getting-an-a-rating-on-the-qualys-ssl-test-on-all-cpanel-domains/
As of May 02, 2019:
CIPHER SUITE NAMES
The following lists give the SSL or TLS cipher suite names from the relevant specification and their OpenSSL equivalents. Note that several cipher suite names do not include the authentication used, e.g. DES-CBC3-SHA. In these cases, RSA authentication is used.
SSL v3.0 cipher suites.
SSL_RSA_WITH_NULL_MD5 = NULL-MD5
SSL_RSA_WITH_NULL_SHA = NULL-SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 = EXP-RC4-MD5
SSL_RSA_WITH_RC4_128_MD5 = RC4-MD5
SSL_RSA_WITH_RC4_128_SHA = RC4-SHA
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = EXP-RC2-CBC-MD5
SSL_RSA_WITH_IDEA_CBC_SHA = IDEA-CBC-SHA
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA = EXP-DES-CBC-SHA
SSL_RSA_WITH_DES_CBC_SHA = DES-CBC-SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA = DES-CBC3-SHA
SSL_DH_DSS_WITH_DES_CBC_SHA = DH-DSS-DES-CBC-SHA
SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA = DH-DSS-DES-CBC3-SHA
SSL_DH_RSA_WITH_DES_CBC_SHA = DH-RSA-DES-CBC-SHA
SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA = DH-RSA-DES-CBC3-SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = EXP-EDH-DSS-DES-CBC-SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA = EDH-DSS-CBC-SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA = EDH-DSS-DES-CBC3-SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = EXP-EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA = EDH-RSA-DES-CBC-SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA = EDH-RSA-DES-CBC3-SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 = EXP-ADH-RC4-MD5
SSL_DH_anon_WITH_RC4_128_MD5 = ADH-RC4-MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA = EXP-ADH-DES-CBC-SHA
SSL_DH_anon_WITH_DES_CBC_SHA = ADH-DES-CBC-SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA = ADH-DES-CBC3-SHA
SSL_FORTEZZA_KEA_WITH_NULL_SHA = Not implemented.
SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA = Not implemented.
SSL_FORTEZZA_KEA_WITH_RC4_128_SHA = Not implemented.
TLS v1.0 cipher suites.
TLS_RSA_WITH_NULL_MD5 = NULL-MD5
TLS_RSA_WITH_NULL_SHA = NULL-SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = EXP-RC4-MD5
TLS_RSA_WITH_RC4_128_MD5 = RC4-MD5
TLS_RSA_WITH_RC4_128_SHA = RC4-SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 = EXP-RC2-CBC-MD5
TLS_RSA_WITH_IDEA_CBC_SHA = IDEA-CBC-SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA = EXP-DES-CBC-SHA
TLS_RSA_WITH_DES_CBC_SHA = DES-CBC-SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA = DES-CBC3-SHA
TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA = Not implemented.
TLS_DH_DSS_WITH_DES_CBC_SHA = Not implemented.
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA = Not implemented.
TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA = Not implemented.
TLS_DH_RSA_WITH_DES_CBC_SHA = Not implemented.
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA = Not implemented.
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA = EXP-EDH-DSS-DES-CBC-SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA = EDH-DSS-CBC-SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA = EDH-DSS-DES-CBC3-SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA = EXP-EDH-RSA-DES-CBC-SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA = EDH-RSA-DES-CBC-SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = EDH-RSA-DES-CBC3-SHA
TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 = EXP-ADH-RC4-MD5
TLS_DH_anon_WITH_RC4_128_MD5 = ADH-RC4-MD5
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA = EXP-ADH-DES-CBC-SHA
TLS_DH_anon_WITH_DES_CBC_SHA = ADH-DES-CBC-SHA
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA = ADH-DES-CBC3-SHA
AES ciphersuites from RFC3268, extending TLS v1.0
TLS_RSA_WITH_AES_128_CBC_SHA = AES128-SHA
TLS_RSA_WITH_AES_256_CBC_SHA = AES256-SHA
TLS_DH_DSS_WITH_AES_128_CBC_SHA = DH-DSS-AES128-SHA
TLS_DH_DSS_WITH_AES_256_CBC_SHA = DH-DSS-AES256-SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA = DH-RSA-AES128-SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA = DH-RSA-AES256-SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA = DHE-DSS-AES128-SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA = DHE-DSS-AES256-SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = DHE-RSA-AES128-SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = DHE-RSA-AES256-SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA = ADH-AES128-SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA = ADH-AES256-SHA
Camellia ciphersuites from RFC4132, extending TLS v1.0
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA = CAMELLIA128-SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA = CAMELLIA256-SHA
TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA = DH-DSS-CAMELLIA128-SHA
TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA = DH-DSS-CAMELLIA256-SHA
TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA = DH-RSA-CAMELLIA128-SHA
TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA = DH-RSA-CAMELLIA256-SHA
TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA = DHE-DSS-CAMELLIA128-SHA
TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA = DHE-DSS-CAMELLIA256-SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = DHE-RSA-CAMELLIA128-SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = DHE-RSA-CAMELLIA256-SHA
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA = ADH-CAMELLIA128-SHA
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA = ADH-CAMELLIA256-SHA
SEED ciphersuites from RFC4162, extending TLS v1.0
TLS_RSA_WITH_SEED_CBC_SHA = SEED-SHA
TLS_DH_DSS_WITH_SEED_CBC_SHA = DH-DSS-SEED-SHA
TLS_DH_RSA_WITH_SEED_CBC_SHA = DH-RSA-SEED-SHA
TLS_DHE_DSS_WITH_SEED_CBC_SHA = DHE-DSS-SEED-SHA
TLS_DHE_RSA_WITH_SEED_CBC_SHA = DHE-RSA-SEED-SHA
TLS_DH_anon_WITH_SEED_CBC_SHA = ADH-SEED-SHA
GOST ciphersuites from draft-chudov-cryptopro-cptls, extending TLS v1.0
Note: these ciphers require an engine that includes the GOST cryptographic algorithms, such as the ccgost engine included in the OpenSSL distribution.
TLS_GOSTR341094_WITH_28147_CNT_IMIT = GOST94-GOST89-GOST89
TLS_GOSTR341001_WITH_28147_CNT_IMIT = GOST2001-GOST89-GOST89
TLS_GOSTR341094_WITH_NULL_GOSTR3411 = GOST94-NULL-GOST94
TLS_GOSTR341001_WITH_NULL_GOSTR3411 = GOST2001-NULL-GOST94
Additional Export 1024 and other cipher suites
Note: these ciphers can also be used in SSL v3.
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA = EXP1024-DES-CBC-SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA = EXP1024-RC4-SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA = EXP1024-DHE-DSS-DES-CBC-SHA
TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA = EXP1024-DHE-DSS-RC4-SHA
TLS_DHE_DSS_WITH_RC4_128_SHA = DHE-DSS-RC4-SHA
Elliptic curve cipher suites.
TLS_ECDH_RSA_WITH_NULL_SHA = ECDH-RSA-NULL-SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA = ECDH-RSA-RC4-SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA = ECDH-RSA-DES-CBC3-SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA = ECDH-RSA-AES128-SHA
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA = ECDH-RSA-AES256-SHA
TLS_ECDH_ECDSA_WITH_NULL_SHA = ECDH-ECDSA-NULL-SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA = ECDH-ECDSA-RC4-SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA = ECDH-ECDSA-DES-CBC3-SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA = ECDH-ECDSA-AES128-SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA = ECDH-ECDSA-AES256-SHA
TLS_ECDHE_RSA_WITH_NULL_SHA = ECDHE-RSA-NULL-SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA = ECDHE-RSA-RC4-SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA = ECDHE-RSA-DES-CBC3-SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA = ECDHE-RSA-AES128-SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA = ECDHE-RSA-AES256-SHA
TLS_ECDHE_ECDSA_WITH_NULL_SHA = ECDHE-ECDSA-NULL-SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA = ECDHE-ECDSA-RC4-SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA = ECDHE-ECDSA-DES-CBC3-SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA = ECDHE-ECDSA-AES128-SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA = ECDHE-ECDSA-AES256-SHA
TLS_ECDH_anon_WITH_NULL_SHA = AECDH-NULL-SHA
TLS_ECDH_anon_WITH_RC4_128_SHA = AECDH-RC4-SHA
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA = AECDH-DES-CBC3-SHA
TLS_ECDH_anon_WITH_AES_128_CBC_SHA = AECDH-AES128-SHA
TLS_ECDH_anon_WITH_AES_256_CBC_SHA = AECDH-AES256-SHA
TLS v1.2 cipher suites
TLS_RSA_WITH_NULL_SHA256 = NULL-SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256 = AES128-SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 = AES256-SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256 = AES128-GCM-SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384 = AES256-GCM-SHA384
TLS_DH_RSA_WITH_AES_128_CBC_SHA256 = DH-RSA-AES128-SHA256
TLS_DH_RSA_WITH_AES_256_CBC_SHA256 = DH-RSA-AES256-SHA256
TLS_DH_RSA_WITH_AES_128_GCM_SHA256 = DH-RSA-AES128-GCM-SHA256
TLS_DH_RSA_WITH_AES_256_GCM_SHA384 = DH-RSA-AES256-GCM-SHA384
TLS_DH_DSS_WITH_AES_128_CBC_SHA256 = DH-DSS-AES128-SHA256
TLS_DH_DSS_WITH_AES_256_CBC_SHA256 = DH-DSS-AES256-SHA256
TLS_DH_DSS_WITH_AES_128_GCM_SHA256 = DH-DSS-AES128-GCM-SHA256
TLS_DH_DSS_WITH_AES_256_GCM_SHA384 = DH-DSS-AES256-GCM-SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 = DHE-RSA-AES128-SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 = DHE-RSA-AES256-SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 = DHE-RSA-AES128-GCM-SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 = DHE-RSA-AES256-GCM-SHA384
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 = DHE-DSS-AES128-SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 = DHE-DSS-AES256-SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 = DHE-DSS-AES128-GCM-SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 = DHE-DSS-AES256-GCM-SHA384
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 = ECDH-RSA-AES128-SHA256
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 = ECDH-RSA-AES256-SHA384
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 = ECDH-RSA-AES128-GCM-SHA256
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 = ECDH-RSA-AES256-GCM-SHA384
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 = ECDH-ECDSA-AES128-SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 = ECDH-ECDSA-AES256-SHA384
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 = ECDH-ECDSA-AES128-GCM-SHA256
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 = ECDH-ECDSA-AES256-GCM-SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 = ECDHE-RSA-AES128-SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 = ECDHE-RSA-AES256-SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = ECDHE-RSA-AES128-GCM-SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = ECDHE-RSA-AES256-GCM-SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 = ECDHE-ECDSA-AES128-SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 = ECDHE-ECDSA-AES256-SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 = ECDHE-ECDSA-AES128-GCM-SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 = ECDHE-ECDSA-AES256-GCM-SHA384
TLS_DH_anon_WITH_AES_128_CBC_SHA256 = ADH-AES128-SHA256
TLS_DH_anon_WITH_AES_256_CBC_SHA256 = ADH-AES256-SHA256
TLS_DH_anon_WITH_AES_128_GCM_SHA256 = ADH-AES128-GCM-SHA256
TLS_DH_anon_WITH_AES_256_GCM_SHA384 = ADH-AES256-GCM-SHA384
Pre-shared key (PSK) cipher suites
TLS_PSK_WITH_RC4_128_SHA = PSK-RC4-SHA
TLS_PSK_WITH_3DES_EDE_CBC_SHA = PSK-3DES-EDE-CBC-SHA
TLS_PSK_WITH_AES_128_CBC_SHA = PSK-AES128-CBC-SHA
TLS_PSK_WITH_AES_256_CBC_SHA = PSK-AES256-CBC-SHA
Deprecated SSL v2.0 cipher suites.
SSL_CK_RC4_128_WITH_MD5 = RC4-MD5
SSL_CK_RC4_128_EXPORT40_WITH_MD5 = Not implemented.
SSL_CK_RC2_128_CBC_WITH_MD5 = RC2-CBC-MD5
SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5 = Not implemented.
SSL_CK_IDEA_128_CBC_WITH_MD5 = IDEA-CBC-MD5
SSL_CK_DES_64_CBC_WITH_MD5 = Not implemented.
SSL_CK_DES_192_EDE3_CBC_WITH_MD5 = DES-CBC3-MD5
Source: https://www.openssl.org/docs/man1.0.2/man1/ciphers.html