HOW TO SET UP TLS ON CPANEL SERVERS

Transport Layer Security (TLS), and it’s older brother Secure Socket Layer (SSL) are cryptographic protocols that clients and servers use for secure communication over the Internet. Today’s industry standards, and really just common sense, strongly encourage the use of cryptography. This is especially important if you’re running a webshop or any kind of site that accepts credit card payments, as your site and server will have to be PCI compliant. In this article, we’ll see how to set up TLS protocols and ciphers for various services.

A FOREWORD

Luckily, cPanel is keeping up with industry standards. In version 72, they removed support for SSLv2, SSLv3 and TLSv1.0, with only TLSv1.2 being enabled by default. If you keep you system up to date, chances are high you won’t need to manually configure anything, except in the case you need backwards compatibility for older versions of web browsers and mail clients.

The services we’ll set up here use OpenSSL to provide both the protocols and ciphers that will be in use. Hence, if you’re configuring TLS manually, you’ll probably have to configure both.

APACHE (HTTPD SERVICE)

To configure TLS for Apache, i.e. your web server, go to WHM > Home > Service Configuration > Apache Configuration > Global Configuration. The protocol and cipher settings will be the first two in that interface:

This interface accepts a protocol string such as All -SSLv2 -SSLv3 . If you need to enable TLSv1.1, add either:

or

Setting up the cipher suite is where it gets tricky. On versions 68 and above, cPanel uses the following cipher suite for it’s default:

This should work fine for TLS 1.1 and 1.2, and is designed for more compatibility than security, but if you need to edit this, here are some general rules:

Usually, the client’s preference will be used when choosing the protocol and cipher that will be used when establishing a secure connection. If you want to use the server’s preference, add the following lines in /usr/local/apache/conf/includes/pre_virtualhost_global.conf  via CLI, or in Home > Service Configuration > Apache Configuration > Include Editor > Pre VirtualHost Include:

If you edited this file via CLI, you’ll have to rebuild httpd.conf with /scripts/rebuildhttpdconf  and restart Apache with service httpd restart  for these changes to take effect.

Each cipher can have one of the following prefixes:

  • none: add cipher to list
  • +: move matching ciphers to the current location in list
  • -: remove cipher from list (can be added later again)
  • !: kill cipher from list completely (can not be added later again)

Be wary of using the ! Prefix, as you won’t be able to add that cipher at a later time. By using these prefixes you can get really granular in setting up the cipher suite, and combined with the SSLHonorCipherOrder you can ensure the server will always use the strongest available cipher.

The following ciphjer suite list might be more secure than the default one:

but it’s possible you’ll have to play around with this to get the optimal amount of security vs backwards compatibility, that A score on Qualys, or to pass your PCI compliance scans.

EXIM (THE MAIL TRANSFER AGENT)

If you’re running a mail server, you’ll probably want all the mail clients to connect to it securely. The first thing you need to do is go to Home > Service Configuration > Exim Configuration Manager > Security tab, and turn on the option called Require clients to connect with SSL or issue the STARTTLS command before they are allowed to authenticate with the server . This option will prevent non-secure connections.

As for the protocol setup, on versions 68 and above, the default setting is +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 so feel free to leave it at that. If you do need TLS 1.1 enabled, change the setting to

Subscribe Now

10,000 successful online businessmen like to have our content directly delivered to their inbox. Subscribe to our newsletter!

Archive Calendar

Sat Sun Mon Tue Wed Thu Fri
 1
2345678
9101112131415
16171819202122
23242526272829
30  

Over 20000 Satisfied Customers!

From 24/7 support that acts as your extended team to incredibly fast website performance

Zelt staff were fantastic, I had a concern with a domain and they got back to me very quickly and they helped me to resolve the issue!

author
Technician, Diageo PLC

I'm using Zelt for my portfolio since 2006. The transition was seamless, the support was immediate, and everything works perfectly.

author
Photographer, Allister Freeman

Very easy to understand & use even though I am not very technologically minded. No complications whatsoever & I wouldn't hesitate to recommend it to all.

author
Actor, A&J Artists

Zelt support team have been amazingly responsive and helpful to any of my queries, thank you so much to the Zelt have been amazingly responsive and helpful to any of my queries 👍👍👍

author
Technician, Diageo PLC

Anytime I've had a problem I can't solve, I've found Zelt to be diligent and persistent. They simply won't let an issue go until the client is happy.

author
Doctor, SmartClinics

Zelt support team have been amazingly responsive and helpful to any of my queries, thank you so much to the Zelt have been amazingly responsive and helpful to any of my queries 👍👍👍

author
Freelancer, Fiverr

24/7 World-Class Support

Ran into trouble? Contact our Customer Success team any time via live chat or email.

  • Receive professional WordPress support
  • Our specialists are available round
Get Support