Remove less secure ciphers from WHM by decrypting different convoluted references to the same ciphers

I have previously removed less secure ciphers from WHM (Web Host Manager) however it has been a while and I want to learn how to fish, not be handed a fish.

The trouble seems to stem from the fact that there is little-to-no consistency in how ciphers are referenced or even where they are defined.

WHM Cipher Definitions

Ciphers seem to be listed in two places: Exim Configuration Manager and Apache Configuration ⇨ Exim Configuration Manager.

  • The Apache Configuration has a field “SSL/TLS Protocols” which is currently defined as ALL:!ADH:!AECDH:!EDH:!RC4:+HIGH:+MEDIUM:-LOW:-EXP.
  • The Exim Configuration Manager currently has a field “SSL/TLS Cipher Suite List” which is set to ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256.

Definition of Weak Ciphers

Here is the SSL Labs test for my domain. I have everything except TLS 1.2 and TLS 1.3 disabled and many less secure ciphers disabled. The test lists the following ciphers as being weak:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
  • TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
  • TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
  • TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
  • TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256

I attempted to “translate”, though after updating the values in both sections and running cPanel’s AutoSSL I still got the same results on the test.

Translating Cipher References

I attempted to reference the TLS 1.2 standard as well as some documentation from OpenSSL. I made numerous other search queries and spent hours reading through documentation, standards and forums without luck.

Here is my attempt to make the lists look more similar to each other:

From the Exim Configuration Manager:

  • ECDHE_ECDSA_CHACHA20_POLY1305
  • ECDHE_RSA_AES128_GCM_SHA256
  • ECDHE_RSA_AES256_GCM_SHA384
  • ECDHE_RSA_AES128_SHA256
  • ECDHE_RSA_AES256_SHA384
  • ECDHE_RSA_CHACHA20_POLY1305

From the SSL Labs Test to be removed:

  • ECDHE_RSA_WITH_AES_128_CBC_SHA
  • ECDHE_RSA_WITH_AES_256_CBC_SHA
  • RSA_WITH_AES_128_GCM_SHA256
  • RSA_WITH_AES_256_GCM_SHA384
  • RSA_WITH_AES_128_CBC_SHA
  • RSA_WITH_AES_256_CBC_SHA

The list says to remove two ECDHE and the rest don’t have ECDHE. In that example how do I remove something not defined? Secondly it suggests removing CBC though that is not defined in the first list.

Desirable Answer Format

Learning is the detection of patterns so I’m really looking for an answer with a table where column A lists the ciphers from the SSL Labs test and column B references how they are referenced (to be defined (for stronger ciphers) and disabled for weaker ciphers). Just enough that I can detect the pattern of how the test references the same ciphers as Apache (or whichever software directly handles all of this). A good reference URL with such a table (and where on the page if it’s more than just a few paragraphs) would be very helpful.

It would also be incredibly useful to know how to have the server define a preferred cipher and to know which is considered the strongest if possible please.
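
The naming pattern asked about above, as an added example that is not part of the original post: a Python sketch that turns the IANA names SSL Labs prints into the OpenSSL names used in cipher strings, then checks them against the Exim list quoted in the question. The function names (`iana_to_openssl`, `weak_in`, `exclusion_suffix`) are hypothetical, and the rules cover only AES-CBC/GCM and ChaCha20 suites with RSA, DHE or ECDHE key exchange.

```python
import re

# IANA suite name (as SSL Labs prints it) -> OpenSSL name (as Apache and Exim
# cipher strings use it). Sketch limited to AES-CBC/GCM and ChaCha20 suites
# with RSA, DHE or ECDHE key exchange; PSK, 3DES, Camellia etc. are named
# differently and are rejected rather than guessed.
_IANA = re.compile(
    r"^TLS_(?P<kx>RSA|DHE_RSA|DHE_DSS|ECDHE_RSA|ECDHE_ECDSA)_WITH_"
    r"(?:AES_(?P<bits>128|256)_(?P<mode>CBC|GCM)_(?P<mac>SHA(?:256|384)?)"
    r"|(?P<chacha>CHACHA20_POLY1305)_SHA256)$"
)

def iana_to_openssl(iana):
    m = _IANA.match(iana)
    if not m:
        raise ValueError("not covered by this sketch: " + iana)
    # Plain RSA key exchange is implicit in OpenSSL names: no prefix at all.
    parts = [] if m["kx"] == "RSA" else [m["kx"].replace("_", "-")]
    if m["chacha"]:
        parts.append("CHACHA20-POLY1305")   # trailing _SHA256 is dropped
    else:
        parts.append("AES" + m["bits"])     # AES_128 -> AES128
        if m["mode"] == "GCM":              # GCM is kept, CBC is dropped
            parts.append("GCM")
        parts.append(m["mac"])
    return "-".join(parts)

# Copied from the question: the rows SSL Labs marked WEAK, and the Exim field.
WEAK = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
]
EXIM = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:"
        "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256").split(":")

def weak_in(configured, weak=WEAK):
    """OpenSSL names of weak suites that appear literally in a cipher list."""
    return [n for n in map(iana_to_openssl, weak) if n in configured]

def exclusion_suffix(weak=WEAK):
    """'!NAME' terms that remove each weak suite from an OpenSSL cipher string."""
    return ":".join("!" + iana_to_openssl(n) for n in weak)

if __name__ == "__main__":
    for name in WEAK:
        print(f"{name:40} {iana_to_openssl(name)}")
    print("listed in Exim field:", weak_in(EXIM))
    print("append to cipher string:", exclusion_suffix())
```

The empty result from `weak_in(EXIM)` shows that none of the flagged suites is named in the Exim list quoted in the question. On a host with OpenSSL 1.1.1 or later, `openssl ciphers -V -stdname 'CIPHERSTRING'` prints the hex code and both names for whatever a given string expands to on that build.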

How to get new players into a convoluted homebrew system?

I included relevant background to illustrate how convoluted the system can become, skip to the bottom if you just want to see the question.

I’ve gone off the deep end and broken everything by making a homebrew spell system that completely replaced the Pathfinder system. Magic was initially destroyed in a cataclysm per my lore, and now everybody can use it as it is gaining more prevalence, though obviously melee classes will implement it differently than ranged.

It is based around a system of magic words that are combined to generate a desired effect: “burn” + an amplifier, ex: “three” results in an above average burning effect. These words can be chained together to create some pretty neat spells, and I’ve been kept on my toes by some players trying to abuse the literal wording of spells to teleport between planes using a conjuration ritual. The limiting factor is mana, both in terms of a maximum capacity that each player can use each day and in terms of per-round bandwidth. This means a player can only output X mana each round, so they must channel for more rounds if they want to use more modifying words, and have a hard cap on how much they can cast without resting. Additionally, they can make rituals, which effectively store magic over many days to power an exceedingly powerful spell, and can enchant items that automatically absorb mana, allowing X casts of a spell per day for free.

Players are able to learn the words as they are playing, and write combinations of these words down in physical spellbooks. To help facilitate this, I have ‘black pages’ that contain a ‘spell’ already written out (they obviously may or may not know what it does depending on what words they know) along with a single magic word and its definition in common. They insert these into their physical spell-books. I find that my players are much more engaged when they have to physically flip through a book, and it helps avoid those ‘quickly googling the wiki’ moments. Besides this, there is a real world analogue to preparing spells each week, since they must literally construct their spells and write them down for easy access during play, though the smartest players in my games have started memorizing words directly and making free-form spells mid combat, which I find to be a very cool way of showing both that they and their characters have grown.

These players are at a severe advantage because if they are able to overhear enemies casting, they are able to use a particular class of spells to counteract the effects as an interrupting action, assuming they know the words well enough to instantly cast the dispel.

That said, half of my old group dropped. Luckily one of my friends has three buddies who are interested in joining up with experience in RPGs ranging from none to fairly experienced with recent DnD rulesets. The remaining half of my party is used to the new system and highly engaged in it, but I’m concerned that the newbies will be put off or confused by the system, and I unfortunately don’t have time to do a multi-hour walk-through at this point.

So, how do I ease the new players into my convoluted homebrew system without neutering the fun of the rest of the party?