3

We are operating a few web servers that have WHM/cPanel installed so we can easily mange our sites and projects. To ensure our information and users information is secured, we have been running some security tests. All our servers currently supporting anonymous cypher suites; specifically:

TLS_ECDH_anon_WITH_RC4_128_SHA (0xc016)
TLS_ECDH_anon_WITH_AES_128_CBC_SHA (0xc018)
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA (0xc017)
                 and
TLS_ECDH_anon_WITH_AES_256_CBC_SHA (0xc019)

What is the best way to disable these without messing up our websites?

Improve this question

4 Answers 4

Reset to default
7

To add those directives to Apache via WHM you'd add them via :

Apache Configuration > Include Editor > Pre Main Include

and of course with the new issue with Poodle and disabling SSL v3 you'd probably want to make it :

SSLProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

However I believe you may also need to update the SSL Cipher suite settings within

Apache Configuration > Global Configuration > SSL Cipher Suite

to something like this :

ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH:!aNULL

Certainly when I updated my servers to disable SSLv3 and also disable the ciphers that allow anonymous authentication, doing the first bit alone still showed my server as reported them as being available, but doing the second part as well fixed it.

Improve this answer
2
  • 2
    I can confirm that these steps mitigate POODLE on CentOS 6.5 running WHM / cPanel according to the Qualys SSL Labs SSL Server Test. Commented Oct 22, 2014 at 18:15
  • TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) WEAK 128 ; TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK 128 ; TLS_RSA_WITH_RC4_128_MD5 (0x4) WEAK 128 ; any ideas for theses one please? Commented Jan 17, 2015 at 5:28
1

When I looked at WHM > Service Configuration > Apache Configuration > Global Configuration > SSL Cipher Suite, I found that the entry allowed older SSL protocols. Simply selecting the default radio button and rebuilding the config file and restarting Apache server seemed sufficient to force the use of just four secure protocols, eliminating the protocols that had been displayed in orange.

I judged this by running the security tool https://sslanalyzer.comodoca.com/ on my website.

I wish the security specifications were simpler and less error-prone to specify in WHM.

With WHM, I like to select the default choices unless I have a good reason to specify something different.

Improve this answer
0
0

The easiest way is to edit your Apache configuration file and change some SSL directives.

Usually you can do it by change in SSLCipherSuite directive. The topic was discussed few times on StackExchange, i.e. here: “Optimal” Web Server SSL Cipher Suite Configuration.

Please see also SSL configuration for Apache for more details.

I hope it will help somehow.

EDIT:

Exemplary hardened configuration can look like that:

SSLProtocol ALL -SSLv2
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

However, please remember to adjust it to your needs.

Improve this answer
0

I suggest you to disable SSL2 and SSL3 and enable TLS

For WHM=> Apache Configuration => Include Editor => Pre Main Include

And Select ALL version

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2 -SSLv2 -SSLv3
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

after all restart Apache

And if still Not supporting properly then I suggest you rebuild apache by Easyapache

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.