Fixing Ciphers on cPanel Servers

First, test an SSL-enabled site on the server at:

www.ssllabs.com

To get an A+ rating, follow the steps below.

  • First update Apache to 2.4 if it is not already on 2.4.
  • Go to Home >> Service Configuration >> Apache Configuration >> Global Configuration
    • The first option is SSL Cipher Suite. If the server is running the latest version of cPanel, the default suite is correct. It should be the following:
      • ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    • Make sure the SSL/TLS Protocol right under it is set to: All -SSLv2 -SSLv3
  • Go to Home >> Service Configuration >> Apache Configuration >> Include Editor
    Under Pre Main Include, replace whatever is there with the following:

SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

Click on Update and wait for it to prompt you to restart Apache.

Go to Home >> Service Configuration >> Apache Configuration >> Include Editor

Under Post Virtual Include, replace whatever is there with the following:

<IfModule mod_headers.c>
# Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
</IfModule>

Click on Update and wait for it to prompt you to restart Apache.

That’s it. A new test using the link at the start of this page will now yield an A+ rating.
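
To confirm that the Strict-Transport-Security header from the Post Virtual Include reaches clients in a form browsers can parse, the following added example (not part of the original page or of cPanel) audits raw response headers such as those captured with curl -sI. The function names and the sample responses, including one value wrapped in typographic quotes, are constructed for illustration.

```python
import re

PAGE_MAX_AGE = 15768000  # max-age used in the Post Virtual Include above
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9a-z]+")  # RFC 7230 token, lower-cased

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: value or None}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are allowed by RFC 6797
        name, sep, val = part.partition("=")
        name, val = name.strip().lower(), val.strip()
        if not TOKEN.fullmatch(name):
            raise ValueError(f"bad directive name {name!r}")
        if name in directives:
            raise ValueError(f"duplicate directive {name!r}")
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # value may be a quoted-string
        directives[name] = val if sep else None
    return directives

def audit_hsts(raw_headers, min_age=PAGE_MAX_AGE):
    """Return a list of findings for raw response headers; empty means OK."""
    values = [line.split(":", 1)[1].strip() for line in raw_headers.splitlines()
              if line.lower().startswith("strict-transport-security:")]
    if not values:
        return ["no Strict-Transport-Security header"]
    try:
        d = parse_hsts(values[0])  # user agents process only the first one
    except ValueError as exc:
        return [f"unparseable header: {exc}"]
    findings = []
    age = d.get("max-age")
    if age is None or not re.fullmatch(r"[0-9]+", age):
        findings.append("max-age missing or not an integer")
    elif int(age) < min_age:
        findings.append(f"max-age {age} is below {min_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings

# Constructed sample responses (not captured from a real server).
GOOD = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=15768000; includeSubDomains\r\n\r\n"
SHORT = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n"
CURLY = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: \u201cmax-age=15768000; includeSubDomains\u201d\r\n\r\n"
MISSING = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("good", GOOD), ("short", SHORT), ("curly", CURLY), ("missing", MISSING)]:
        print(label, audit_hsts(raw) or "OK")
```

An empty list from audit_hsts means the header is present, parses cleanly, and carries at least the max-age and includeSubDomains set above.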