Overview
Most cPanel & WHM-managed services use OpenSSL to provide secure connections between client software and the server. This document lists the interfaces in cPanel & WHM in which you can adjust OpenSSL's protocols and cipher stacks for those services.
About OpenSSL
Note:
cPanel & WHM uses the version of OpenSSL that the base operating system provides.
OpenSSL defaults to settings that maximize compatibility at the expense of security. OpenSSL allows two primary settings: ciphers and protocols.
- A cipher refers to a specific encryption algorithm. This setting allows the user to enable or disable ciphers individually or by category.
- A protocol refers to the way in which the system uses ciphers. This setting allows the user to enable or disable individual protocols or categories of protocols.
Most attacks against SSL modify data as it travels between the client and the server in order to target weaknesses in specific ciphers. For example, the POODLE attack (CVE-2014-3566) targets weaknesses in the SSLv3 protocol.
cPanel & WHM cipher settings
By default, cPanel & WHM uses the following cipher list for web services:
Note:
To allow mail users to connect to your server with Microsoft Outlook® 2007 on Windows XP®, use the following cipher list:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
Microsoft no longer supports Windows XP or provides security updates for that operating system. We strongly recommend that your customers upgrade to a supported and secure operating system.
cPanel & WHM configures most services to use secure protocol settings in builds 11.44.1.19, 11.46.0.9, and newer. If you need to configure the SSL protocol setting, we strongly recommend that you update to these supported builds. Then, confirm the protocol settings on a service-by-service basis. The current protocol string defaults to the TLSv1.2 protocol.
If your configuration cannot use the default settings for the SSL protocol and cipher lists, you can override them on a service-by-service basis.
Important:
As of cPanel & WHM version 68, we only support Transport Layer Security (TLS) protocol version 1.2, and we enable TLSv1.2 by default.
- We will only support applications that use TLSv1.2 and strongly recommend that you enable TLSv1.2 on your server.
- We strongly recommend that you do not adjust the cipher and protocol settings for the Exim and Dovecot® services if you use Windows® 7 or MacOS® version 10.8 and earlier. Servers on these operating systems fail PCI compliance scans because of unpatched security vulnerabilities that exist in the following email clients:
- Outlook® 2007
- Outlook 2010
- MacMail®
By default, cPanel & WHM uses the following cipher list for web services:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
cPanel & WHM configures most services to use secure protocol settings in builds 11.44.1.19, 11.46.0.9, and newer. If you need to configure the SSL protocol setting, we strongly recommend that you update to these supported builds. Then, confirm the protocol settings on a service-by-service basis. The current default protocol string will resemble the following example:
All -SSLv2 -SSLv3
Note:
Some services use the string SSLv23 to represent what other services call ALL for the protocol list. The example settings below demonstrate this difference on a service-by-service basis.
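The cipher lists and protocol strings above are plain OpenSSL-style strings, so they can be checked before you paste them into a WHM interface. The following is an added example (not cPanel's own code) that splits a cipher string into the suites it enables, flags the suites this document treats as legacy (3DES, plus RC4, MD5, NULL and export-grade patterns, which are this example's own choice of what counts as weak), and interprets a protocol string so that a leftover SSLv2 or SSLv3 stands out. It assumes that `All` and the `SSLv23` spelling both mean "every protocol the build knows", that the known protocols are SSLv2 through TLSv1.3, and that Python's `ssl` module is linked against the system OpenSSL; the two cipher lists embedded in it are copied from this document.

```python
"""Sanity checks for OpenSSL-style cipher and protocol strings.

Added example, not cPanel's own code. The weak-cipher patterns and the
treatment of 'All' / 'SSLv23' as "every known protocol" are assumptions
made here, not OpenSSL or cPanel definitions.
"""
import re
import ssl

# Constructed inputs: the two web-service cipher lists quoted in this document.
LEGACY_WEB_CIPHERS = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)
MODERN_WEB_CIPHERS = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:!DSS"
)

# Name fragments this example treats as weak (an assumption, not an OpenSSL category).
WEAK_CIPHER_PATTERNS = {
    "3DES": re.compile(r"DES-CBC3"),
    "RC4": re.compile(r"RC4"),
    "MD5 MAC": re.compile(r"-MD5$"),
    "NULL cipher or auth": re.compile(r"NULL"),
    "export grade": re.compile(r"^EXP-"),
}

# Protocols 'All' is assumed to expand to; only the first two are deprecated here.
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3"}


def cipher_names(cipher_string):
    """Return the suite names a cipher string enables, ignoring '!' and '-' exclusions."""
    names = []
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token or token[0] in "!-":
            continue  # '!DSS' and '-NAME' remove suites; they never enable one
        names.append(token.lstrip("+"))
    return names


def weak_ciphers(cipher_string):
    """Return (name, reason) pairs for enabled suites that match a weak pattern."""
    flagged = []
    for name in cipher_names(cipher_string):
        for reason, pattern in WEAK_CIPHER_PATTERNS.items():
            if pattern.search(name):
                flagged.append((name, reason))
                break
    return flagged


def enabled_protocols(protocol_string):
    """Interpret a protocol string such as 'All -SSLv2 -SSLv3' or 'TLSv1.2'.

    'All' and the 'SSLv23' spelling select every protocol in KNOWN_PROTOCOLS;
    '-NAME' removes one; '+NAME' or a bare 'NAME' adds one. Order matters.
    """
    enabled = set()
    for token in protocol_string.split():
        if token.lower() in ("all", "sslv23"):
            enabled.update(KNOWN_PROTOCOLS)
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def deprecated_protocols(protocol_string):
    """Return the SSLv2/SSLv3 protocols the string still leaves enabled."""
    return enabled_protocols(protocol_string) & DEPRECATED_PROTOCOLS


def openssl_expansion(cipher_string):
    """Ask the local OpenSSL (through Python's ssl module) which suites the string selects.

    Returns suite names, or None if OpenSSL rejects the string outright. The result
    depends on the installed OpenSSL build and its security level, and a TLS 1.3
    context also reports the TLS 1.3 suites the cipher string does not control.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return [suite["name"] for suite in ctx.get_ciphers()]


if __name__ == "__main__":
    for label, ciphers in (("legacy", LEGACY_WEB_CIPHERS), ("modern", MODERN_WEB_CIPHERS)):
        print(f"{label}: {len(cipher_names(ciphers))} suites, weak: {weak_ciphers(ciphers)}")
    for proto in ("All", "SSLv23", "All -SSLv2 -SSLv3", "TLSv1.2"):
        print(f"{proto!r}: deprecated still enabled = {sorted(deprecated_protocols(proto))}")
    print("local OpenSSL expands the modern list to:", openssl_expansion(MODERN_WEB_CIPHERS))
```

Run it before changing a service's settings: the legacy list reports exactly the four 3DES suites, the newer list reports none, and a protocol string of `All` or `SSLv23` on its own reports SSLv2 and SSLv3 as still enabled, whereas `All -SSLv2 -SSLv3` and `TLSv1.2` do not. The `openssl_expansion` output is informational only, because which suites the string actually yields is decided by the OpenSSL build the operating system provides.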
The following table lists the interfaces and options in cPanel & WHM that allow you to configure the protocol and cipher lists for services that use OpenSSL:
Service | Cipher | Protocol |
---|---|---|
cPanel & WHM ( | Adjust the cipher string for the cPanel, WHM, and Webmail interfaces in WHM's cPanel Web Services Configuration interface (WHM >> Home >> Service Configuration >> cPanel Web Services Configuration). | |
Web Disk ( | Adjust the cipher string for the Web Disk feature in WHM's cPanel Web Disk Configuration interface (WHM >> Home >> Service Configuration >> cPanel Web Disk Configuration). | |
Courier | Adjust the cipher string for Courier mail services (IMAP or POP3) in WHM's Mailserver Configuration interface (WHM >> Home >> Service Configuration >> Mailserver Configuration). Note: This interface provides separate settings for IMAP and POP3. Warning: We removed the Courier mail server in cPanel & WHM version 54. The Courier mail server only exists for cPanel & WHM version 11.52 and earlier. | |
Dovecot | Adjust the cipher string for Dovecot mail services (IMAP or POP3) in WHM's Mailserver Configuration interface (WHM >> Home >> Service Configuration >> Mailserver Configuration). | |
Apache | Adjust Apache's cipher string in WHM's Global Configuration interface (WHM >> Home >> Service Configuration >> Apache Configuration >> Global Configuration). | |
Exim | | |
Additional documentation