Operating System & Version
centos 7
cPanel & WHM Version
11.108.0.14

themarty

Member
Dec 4, 2019
cPanel Access Level
Root Administrator
cPanel's default support for secure parameters for Diffie-Hellman key exchange is not optimal, and is even considered insufficient by some official organisations. See for example: IT Security Guidelines for Transport Layer Security (TLS)

That's why I want to increase them.

This is what I've tried so far; first I created new ones:

openssl dhparam -out dhparams-4096.pem 4096

And after that I tried to enable it for a specific domain as outlined in Modify Apache Virtual Hosts with Include Files | cPanel & WHM Documentation
I've added this to a configuration file:

SSLOpenSSLConfCmd DHParameters /etc/apache2/conf/dhparams-4096.pem

And also added an HTTP header so I could check that the file was included (which I could see in the server response after I made the change, rebuilt the config and restarted Apache).

However when I run testssl (GitHub - drwetter/testssl.sh: Testing TLS/SSL encryption anywhere on any port) it still indicates that my DH is 2048

My openssl version is 1.0.2k-fips

What am I doing wrong?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey there! It might be best to stick with openssl directly, instead of relying on custom tools to do the work for us.

If you run this command from your server, using a domain that is live on your machine:

Code:
openssl s_client -connect yourdomain.com:443 -cipher kEDH
what does this section of your server look like?

Code:
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5151 bytes and written 368 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
If your output is similar to that, your system is secure and the issue is with that testing tool.
 

themarty

what does this section of your server look like?

Code:
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4672 bytes and written 405 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
If your output is similar to that, your system is secure and the issue is with that testing tool.
'that' testing tool is widely regarded as one of the best SSL testing tools ;)
But, built on top of openssl, the raw output of openssl will of course always be more accurate
 
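Added example, not part of any post in this thread: a "Server Temp Key: X25519" line means the handshake used X25519 rather than finite-field DH, so that output cannot show the DH parameter size. The script below reads `openssl s_client` output and reports whether DHE was negotiated and whether its size meets a minimum; the function names and both sample outputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify the key exchange reported by `openssl s_client`.

# temp_key: read s_client output on stdin, print "<type> <bits>" taken from
# the "Server Temp Key" line (nothing if the line is absent).
temp_key() {
    sed -n 's/^Server Temp Key: \([^,]*\),.* \([0-9][0-9]*\) bits.*/\1 \2/p' | head -n 1
}

# check_dh MIN_BITS: read s_client output on stdin and print one of
#   dh-ok | dh-too-small | not-dhe | no-temp-key
check_dh() {
    local min_bits="$1" key type bits
    key=$(temp_key)
    [ -n "$key" ] || { echo "no-temp-key"; return; }
    type=${key% *}
    bits=${key##* }
    if [ "$type" != "DH" ]; then
        echo "not-dhe"          # ECDHE/X25519 negotiated: DH parameters unused
    elif [ "$bits" -ge "$min_bits" ]; then
        echo "dh-ok"
    else
        echo "dh-too-small"
    fi
}

# Constructed sample: TLS 1.3 handshake like the ones quoted in the thread.
SAMPLE_TLS13='Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384'

# Constructed sample: TLS 1.2 handshake that negotiated a DHE cipher.
SAMPLE_DHE='Peer signing digest: SHA256
Server Temp Key: DH, 2048 bits
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384'

printf '%s\n' "$SAMPLE_TLS13" | check_dh 4096   # not-dhe
printf '%s\n' "$SAMPLE_DHE"   | check_dh 4096   # dh-too-small

# Against a live host, restrict the client to TLS 1.2 so that -cipher kEDH
# actually selects the key exchange (yourdomain.com is a placeholder):
#   openssl s_client -connect yourdomain.com:443 -tls1_2 -cipher kEDH \
#       </dev/null 2>/dev/null | check_dh 4096
```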

themarty

The solution is to do this:

Go to WHM > SSL/TLS Configuration
Change to 'ECDSA, P-384 (secp384r1)' - SSL certificates from AutoSSL will attempt to get reissued with the new key type automatically.
(Instead of the 'ECDSA, P-384 (secp384r1)' you can also select another one)
 