{"id":360,"date":"2021-07-23T12:28:27","date_gmt":"2021-07-23T12:28:27","guid":{"rendered":"https:\/\/ssdsunucum.com\/blog\/how-to-update-ciphers-and-tls-protocols\/"},"modified":"2021-07-23T12:28:27","modified_gmt":"2021-07-23T12:28:27","slug":"how-to-update-ciphers-and-tls-protocols","status":"publish","type":"post","link":"https:\/\/ssdsunucum.com\/blog\/how-to-update-ciphers-and-tls-protocols\/","title":{"rendered":"How to Update Ciphers and TLS Protocols"},"content":{"rendered":"<\/p>\n
\n
\n
\n

Valid for versions 82 through the latest version<\/em><\/p>\n<\/div>\n

\n

Version:<\/h4>\n

82<\/h4>\n<\/div><\/div>\n
\n

Overview<\/h2>\n

Most cPanel & WHM-managed services use OpenSSL to provide secure connections between client software and the server. This document lists the interfaces in cPanel & WHM in which you can adjust OpenSSL\u2019s protocols and cipher stacks for those services.<\/p>\n

About OpenSSL<\/h2>\n
\n
Note:<\/div>\n
\n

cPanel & WHM uses the base operating system-provided version of OpenSSL.<\/p>\n<\/p><\/div>\n<\/div>\n

OpenSSL defaults to settings that maximize compatibility at the expense of security. OpenSSL allows two primary settings: ciphers and protocols.<\/p>\n

    \n
  • A cipher refers to a specific encryption algorithm. This setting allows the user to enable or disable ciphers individually or by category.<\/li>\n
  • A protocol refers to the way in which the system uses ciphers. This setting allows the user to enable or disable individual protocols or categories of protocols.<\/li>\n<\/ul>\n

    Most attacks against SSL modify data as it travels between the client and the server in order to target weaknesses in specific ciphers. For example, the POODLE attack (CVE-2014-3566) targets weaknesses in the SSLv3 protocol.<\/p>\n

    Cipher settings<\/h2>\n
    \n
    Important:<\/div>\n
    \n
      \n
    • \n

      cPanel & WHM supports Transport Layer Security (TLS) protocol version 1.2 and Transport Layer Security (TLS) protocol version 1.3:<\/p>\n

        \n
      • Beginning in cPanel and WHM version 86, cPanel & WHM only<\/strong> supports TLSv1.2 or newer. The system also enables TLSv1.2 by default.<\/li>\n
      • Not all internet browsers or clients will support TLSv1.3, which requires OpenSSL 1.1.1 or higher.<\/li>\n<\/ul>\n<\/li>\n
      • \n

        We strongly<\/strong> recommend that you do not<\/strong> adjust the cipher and protocol settings for the Exim and Dovecot services if you use Windows\u00ae 7 or MacOS\u00ae version 10.8 and earlier. Servers on these operating system fail PCI compliance scans because of unpatched security vulnerabilities that exist in the following mail clients:<\/p>\n

          \n
        • Outlook\u00ae 2007<\/li>\n
        • Outlook 2010<\/li>\n
        • MacMail\u00ae<\/li>\n<\/ul>\n<\/li>\n<\/ul><\/div>\n<\/div>\n

          You can find cPanel & WHM\u2019s default cipher settings and SSL protocols in WHM\u2019s cPanel Web Services Configuration<\/em> interface (WHM >> Home >> Service Configuration >> cPanel Web Services Configuration<\/em>). If your configuration cannot use the default settings for the SSL protocol and cipher lists, you can override them on a service-by-service basis.<\/p>\n

          Configure service ciphers and protocols<\/h2>\n

          The following section lists the interfaces and options in cPanel & WHM that allow you to configure the protocol and cipher lists for services that use OpenSSL. For information about a specific service, read our Service Manager<\/em> documentation.<\/p>\n

          \n
          Note:<\/div>\n
          \n

          Some services use the string SSLv23<\/code> to represent what other services call ALL<\/code> for the protocol list. The example settings below demonstrate this difference on a service-by-service basis.<\/p>\n<\/p><\/div>\n<\/div>\n

          cPanel, WHM, and Webmail<\/h3>\n

          You can configure the cPanel, WHM, and Webmail interfaces\u2019 (cpsrvd<\/code>) service cipher and protocols lists with WHM\u2019s cPanel Web Services Configuration<\/em> interface (WHM >> Home >> Service Configuration >> cPanel Web Services Configuration<\/em>).<\/p>\n

          This interface uses the SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1<\/code> style protocol syntax.<\/p>\n

          Web Disk<\/h3>\n

          You can configure the Web Disk service (cpdavd<\/code>) cipher and protocol lists with WHM\u2019s cPanel Web Disk Configuration<\/em> interface (WHM >> Home >> Service Configuration >> cPanel Web Disk Configuration<\/em>).<\/p>\n

          This interface uses the SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1<\/code> style protocol syntax.<\/p>\n

          Dovecot<\/h3>\n

          You can configure the Dovecot mail service (imap<\/code> and pop3<\/code>) cipher and protocol lists with WHM\u2019s Mailserver Configuration<\/em> interface (WHM >> Home >> Service Configuration >> Mailserver Configuration<\/em>).<\/p>\n

          For protocols, this interface accepts a string that implies ALL<\/code> by default. For example, the !SSLv2 !SSLv3<\/code> string.<\/p>\n

          Apache<\/h3>\n

          You can configure the Apache\u00ae web service (httpd<\/code>) cipher and protocol WHM\u2019s Global Configuration<\/em> interface (WHM >> Home >> Service Configuration >> Apache Configuration >> Global Configuration<\/em>).<\/p>\n

          This interface accepts a protocol that resembles the All -SSLv2 -SSLv3<\/code> string.<\/p>\n

          \n
          Note:<\/div>\n
          \n

          If the selected SSL protocol or the version of OpenSSL that EasyApache 4 uses does not<\/strong> support a cipher, the system will display an error message.<\/p>\n<\/p><\/div>\n<\/div>\n

          Exim<\/h3>\n

          You can configure the Exim service (exim<\/code>) cipher and protocol lists with the Basic Editor<\/em> section of the Exim Configuration Manager<\/em> interface (WHM >> Home >> Service Configuration >> Exim Configuration Manager<\/em>).<\/p>\n

            \n
          • For ciphers, use the SSL\/TLS Cipher Suite List<\/em> text box.<\/li>\n
          • For protocols, use the Options for OpenSSL<\/em> text box. The protocol list accepts Exim-specific settings. For example, +no_sslv2 +no_sslv3<\/code>.<\/li>\n<\/ul><\/div>\n","protected":false},"excerpt":{"rendered":"

            Valid for versions 82 through the latest version Version: 82 Overview Most cPanel & WHM-managed services use OpenSSL to provide secure connections between client software and the server. This document lists the interfaces in cPanel & WHM in which you can adjust OpenSSL\u2019s protocols and cipher stacks for those services. About OpenSSL Note: cPanel & …<\/p>\n","protected":false},"author":1,"featured_media":361,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/360"}],"collection":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/comments?post=360"}],"version-history":[{"count":0,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/posts\/360\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media\/361"}],"wp:attachment":[{"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/media?parent=360"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/categories?post=360"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ssdsunucum.com\/blog\/wp-json\/wp\/v2\/tags?post=360"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}