CentrioHost Blog

Stories and News from IT Industry, Reviews & Tips | Technology Blog


HOW TO SET UP TLS ON CPANEL SERVERS

Transport Layer Security (TLS), and it’s older brother Secure Socket Layer (SSL) are cryptographic protocols that clients and servers use for secure communication over the Internet. Today’s industry standards, and really just common sense, strongly encourage the use of cryptography. This is especially important if you’re running a webshop or any kind of site that accepts credit card payments, as your site and server will have to be PCI compliant. In this article, we’ll see how to set up TLS protocols and ciphers for various services.

A FOREWORD

Luckily, cPanel is keeping up with industry standards. In version 72, they removed support for SSLv2, SSLv3 and TLSv1.0, with only TLSv1.2 being enabled by default. If you keep you system up to date, chances are high you won’t need to manually configure anything, except in the case you need backwards compatibility for older versions of web browsers and mail clients.

The services we’ll set up here use OpenSSL to provide both the protocols and ciphers that will be in use. Hence, if you’re configuring TLS manually, you’ll probably have to configure both.

APACHE (HTTPD SERVICE)

To configure TLS for Apache, i.e. your web server, go to WHM > Home > Service Configuration > Apache Configuration > Global Configuration. The protocol and cipher settings will be the first two in that interface:

This interface accepts a protocol string such as All -SSLv2 -SSLv3 . If you need to enable TLSv1.1, add either:

or

Setting up the cipher suite is where it gets tricky. On versions 68 and above, cPanel uses the following cipher suite for it’s default:

This should work fine for TLS 1.1 and 1.2, and is designed for more compatibility than security, but if you need to edit this, here are some general rules:

Usually, the client’s preference will be used when choosing the protocol and cipher that will be used when establishing a secure connection. If you want to use the server’s preference, add the following lines in /usr/local/apache/conf/includes/pre_virtualhost_global.conf  via CLI, or in Home > Service Configuration > Apache Configuration > Include Editor > Pre VirtualHost Include:

If you edited this file via CLI, you’ll have to rebuild httpd.conf with /scripts/rebuildhttpdconf  and restart Apache with service httpd restart  for these changes to take effect.

Each cipher can have one of the following prefixes:

  • none: add cipher to list
  • +: move matching ciphers to the current location in list
  • -: remove cipher from list (can be added later again)
  • !: kill cipher from list completely (can not be added later again)

Be wary of using the ! Prefix, as you won’t be able to add that cipher at a later time. By using these prefixes you can get really granular in setting up the cipher suite, and combined with the SSLHonorCipherOrder you can ensure the server will always use the strongest available cipher.

The following ciphjer suite list might be more secure than the default one:

but it’s possible you’ll have to play around with this to get the optimal amount of security vs backwards compatibility, that A score on Qualys, or to pass your PCI compliance scans.

EXIM (THE MAIL TRANSFER AGENT)

If you’re running a mail server, you’ll probably want all the mail clients to connect to it securely. The first thing you need to do is go to Home > Service Configuration > Exim Configuration Manager > Security tab, and turn on the option called Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server . This option will prevent non-secure connections.

As for the protocol setup, on versions 68 and above, the default setting is +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 so feel free to leave it at that. If you do need TLS 1.1 enabled, change the setting to

Subscribe Now

10,000 successful online businessmen like to have our content directly delivered to their inbox. Subscribe to our newsletter!

Archive Calendar

SatSunMonTueWedThuFri
 1
2345678
9101112131415
16171819202122
23242526272829
30 

Over 20000 Satisfied Customers!

  • web hosting reviewer
    Valerie Quinn
    CTO, Acteon Group

    Centriohost staff were fantastic, I had a concern with a domain and they got back to me very quickly and they helped me to resolve the issue! ~ . . . Read more

  • Joomla hosting reviewer
    Collin Bryan
    Photographer, Allister Freeman

    I'm using centrio for my portfolio since 2006. The transition was seamless, the support was immediate, and everything works perfectly. ~ . . . Read more

  • dedicated server reviewer
    Harry Collett
    Actor, A&J Artists

    Very easy to understand & use even though I am not very technologically minded. No complications whatsoever & I wouldn't hesitate to recommend it to all. ~ . . . Read more

  • vps web hosting reviewer
    Porfirio Santos
    Technician, Diageo PLC

    Centrio support team have been amazingly responsive and helpful to any of my queries, thank you so much to the Centriohost have been amazingly responsive and helpful to any of my queries 👍👍👍 ~ . . . Read more

  • wordpress hosting plans reviewer
    Catherine Auer
    Doctor, SmartClinics

    Anytime I've had a problem I can't solve, I've found Centriohost to be diligent and persistent. They simply won't let an issue go until the client is happy. ~ . . . Read more

  • reseller hosting reviewer
    Effectivo Social
    Freelancer, Fiverr

    Recommend their shared hosting for all my SME web design clients. Their cloud or VME offerings are too great to deal with. Pricing is perfect and suitable for all users (͠≖ ͜ʖ͠≖) 👌 ~ . . . Read more

Top