I have previously removed less secure ciphers from WHM (Web Host Manager); however, it has been a while and I want to learn how to fish, not be handed a fish.
The trouble seems to stem from the fact that there is little-to-no consistency in how ciphers are referenced or even where they are defined.
WHM Cipher Definitions
Ciphers seem to be listed in two places: Exim Configuration Manager and Apache Configuration ⇨ Exim Configuration Manager.
- The Apache Configuration has a field “SSL/TLS Protocols” which is currently defined as
- The Exim Configuration Manager currently has a field “SSL/TLS Cipher Suite List” which is set to
Definition of Weak Ciphers
Here is the SSL Labs test for my domain. I have everything except TLS 1.2 and TLS 1.3 disabled and many less secure ciphers disabled. The test lists the following ciphers as being weak:
Cipher suite                           ID        Key exchange                        FS   Rating  Bits
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA     (0xc013)  ECDH x25519 (eq. 3072 bits RSA)     FS   WEAK    128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA     (0xc014)  ECDH x25519 (eq. 3072 bits RSA)     FS   WEAK    256
TLS_RSA_WITH_AES_128_GCM_SHA256        (0x9c)                                             WEAK    128
TLS_RSA_WITH_AES_256_GCM_SHA384        (0x9d)                                             WEAK    256
TLS_RSA_WITH_AES_128_CBC_SHA           (0x2f)                                             WEAK    128
TLS_RSA_WITH_AES_256_CBC_SHA           (0x35)                                             WEAK    256
I attempted to “translate”, though after updating the values in both sections and running cPanel’s AutoSSL I still got the same results on the test.
Translating Cipher References
I attempted to reference the TLS 1.2 standard as well as some documentation from OpenSSL. I made numerous other search queries and spent hours reading through documentation, standards and forums without luck.
Here is my attempt to make the lists look more similar to each other:
From the Exim Configuration Manager:
From the SSL Labs Test to be removed:
The list says to remove two ECDHE and the rest don’t have ECDHE. In that example how do I remove something not defined? Secondly, it suggests removing CBC though that is not defined in the first list.
Desirable Answer Format
Learning is the detection of patterns, so I’m really looking for an answer with a table where column A lists the ciphers from the SSL Labs test and column B shows how they are referenced (to be defined for stronger ciphers and disabled for weaker ciphers). Just enough that I can detect the pattern of how the test references the same ciphers as Apache (or whichever software directly handles all of this). A good reference URL with such a table (and where on the page, if it’s more than just a few paragraphs) would be very helpful.
It would also be incredibly useful to know how to have the server define a preferred cipher and to know which is considered the strongest if possible please.
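Worked example, added by the editor and not part of the question or of cPanel/WHM's own tooling: a Python script that parses the SSL Labs rows quoted above, translates each IANA suite name (the TLS_..._WITH_... form SSL Labs prints) into the OpenSSL name that Apache's SSLCipherSuite directive and Exim's cipher list use, and emits a `!NAME` exclusion string. The translation rule is the editor's own generalization of the OpenSSL naming convention and is stated to cover the RSA, ECDHE-RSA, ECDHE-ECDSA and DHE-RSA AES and ChaCha20 suites of TLS 1.2; the six sample rows are copied from the post, and the call to `openssl ciphers -v` is only an optional local check.

```python
import re
import subprocess

# Constructed input: the six "WEAK" rows from the SSL Labs report quoted in the post.
SSLLABS_WEAK = """\
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
"""

# An SSL Labs row starts with the IANA name followed by the suite ID in parentheses.
ROW_RE = re.compile(r"^(TLS_[A-Z0-9_]+)\s+\((0x[0-9a-fA-F]+)\)")


def parse_ssllabs_rows(text):
    """Return one dict per SSL Labs row: IANA name, numeric suite ID, WEAK and FS flags."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append({
            "iana": m.group(1),
            "id": int(m.group(2), 16),
            "weak": re.search(r"\bWEAK\b", line) is not None,
            "fs": re.search(r"\bFS\b", line) is not None,
        })
    return rows


def iana_to_openssl(iana):
    """Translate an IANA suite name into OpenSSL's name for the same suite.

    Editor's generalization of the OpenSSL convention for TLS 1.2 suites:
    drop the TLS_ prefix and the _WITH_ separator, omit the key exchange
    entirely when it is plain RSA, join the cipher width (AES_128 -> AES128),
    drop the CBC mode token (GCM is kept), and keep the MAC token (SHA, SHA256,
    SHA384). ChaCha20-Poly1305 is the one suite family whose OpenSSL name
    omits the trailing SHA256, so it is special-cased.
    """
    if not iana.startswith("TLS_") or "_WITH_" not in iana:
        raise ValueError("not a TLS 1.2-style IANA suite name: %s" % iana)
    kx, cipher = iana[len("TLS_"):].split("_WITH_", 1)
    if cipher.startswith("CHACHA20_POLY1305"):
        cipher_part = ["CHACHA20-POLY1305"]
    else:
        tokens = cipher.split("_")
        cipher_part, i = [], 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "CBC":                      # CBC is implied in OpenSSL names
                i += 1
                continue
            if tok in ("AES", "CAMELLIA", "ARIA") and i + 1 < len(tokens) and tokens[i + 1].isdigit():
                cipher_part.append(tok + tokens[i + 1])   # AES_128 -> AES128
                i += 2
                continue
            cipher_part.append(tok)
            i += 1
    kx_part = [] if kx == "RSA" else [kx.replace("_", "-")]
    return "-".join(kx_part + cipher_part)


def translation_table(text):
    """Column A: SSL Labs name, column B: OpenSSL name, plus the suite ID and flags."""
    return [(r["iana"], "0x%04x" % r["id"], iana_to_openssl(r["iana"]), r["weak"])
            for r in parse_ssllabs_rows(text)]


def weak_exclusions(text):
    """Build the '!NAME:!NAME' fragment that removes every WEAK suite from an OpenSSL cipher string."""
    return ":".join("!" + name for _, _, name, weak in translation_table(text) if weak)


def openssl_knows(name):
    """Optional local check: does the installed openssl recognise this suite name? None if no openssl."""
    try:
        out = subprocess.run(["openssl", "ciphers", "-v", name],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.returncode == 0 and name in out.stdout


if __name__ == "__main__":
    for iana, hexid, openssl_name, weak in translation_table(SSLLABS_WEAK):
        print("%-38s %-8s %-28s %s" % (iana, hexid, openssl_name, "WEAK" if weak else ""))
    print("\nAppend to SSLCipherSuite / the Exim cipher list to remove them:")
    print(weak_exclusions(SSLLABS_WEAK))
    print("\nLocal openssl check:", {n: openssl_knows(n) for _, _, n, _ in translation_table(SSLLABS_WEAK)})
```

Running the script prints the two-column table the question asks for and the fragment `!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES256-SHA`, which is appended to the existing OpenSSL-format list in the WHM Apache and Exim fields the post mentions rather than to any generated file. A `!` entry removes the suite permanently no matter where it sits in the string, which is why the exclusions can go at the end. Two related facts the question touches: making the server rather than the client choose the suite is done in Apache with `SSLHonorCipherOrder on`, after which the first suite in the SSLCipherSuite string that both sides support wins; and the TLS 1.3 suites are not governed by this string at all, so removing `TLS_RSA_*` and CBC entries only changes what TLS 1.2 clients are offered.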