cPanel PCI Compliance
This week I found myself dealing with two sites that 'do things with Alpacas'. Both were using cPanel, and both were looking at PCI compliance with the same Approved Scanning Vendor (ASV): in this case Trustwave... or PayPal by any other name.
For any host that needs to deliver sensitive information, the work starts with deciding how best to protect it. So let's assume that has been done, or, as in my case, you are presented with two existing cPanel hosts and asked to make them good.
If you can, get the email handled elsewhere: every mail service on the box (Exim, Dovecot, webmail) is another TLS listener the scan will probe and that you will have to keep tightened.
If you are behind someone else's firewall, FTP over TLS may simply not be an option for you: once the control channel is encrypted the firewall can no longer read the PASV reply to open the data port, so passive FTPS only works if the passive port range is explicitly allowed through. If that cannot be arranged, turn FTP off, make sure it cannot be connected to, or at the very least lock it down to the IPs that require it.
So yes, WHM access is required. Let's get going.
// Apache
Apache configuration > Global Configuration
SSL/TLS Protocols
all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSL Cipher Suite
ALL:!ADH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:+HIGH:-MEDIUM:-LOW:-EXP
Save
Rebuild Configuration and Restart Apache
// Dovecot
Mailserver Configuration
SSL Protocols
!SSLv2 !SSLv3 !TLSv1 !TLSv1.1
SSL Cipher List
(This will upset older mail clients and operating systems: they will fail to connect, because these ciphers postdate them.)
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
Save Changes
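Before pasting either cipher string into WHM it is worth seeing what it actually expands to. The following is an added example (not cPanel code, and not from the original post) that runs the Apache cipher string from the Apache step and the Dovecot list from the Dovecot step through the local `openssl ciphers -v`, the same resolver mod_ssl and Dovecot hand the string to, and flags anything left in the list that an ASV scan would reject, plus any suite without forward secrecy. The two suite strings are copied from the steps above; everything else is assumed for the example.

```python
"""Vet an OpenSSL cipher string before it goes into WHM.

Standalone example. Expands a cipher string with `openssl ciphers -v` and
reports (a) suites whose names show an exclusion did not take and
(b) suites whose key exchange gives no forward secrecy.
"""
import re
import shutil
import subprocess

# The two cipher strings from the WHM steps (Apache, then Dovecot).
APACHE_SUITE = ("ALL:!ADH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
                ":+HIGH:-MEDIUM:-LOW:-EXP")
DOVECOT_SUITE = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                 "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                 "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                 "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
                 "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256")

# Substrings in an OpenSSL cipher name that mean an exclusion failed.
# "DES" also catches DES-CBC3 (triple DES); ADH/AECDH are anonymous DH.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "PSK", "ADH", "AECDH")

# Key-exchange values that give forward secrecy. TLS 1.3 suites print
# "Kx=any" because 1.3 always uses an ephemeral exchange.
FORWARD_SECRET_KX = ("ECDH", "DH", "any")

# One `openssl ciphers -v` row, e.g.
# ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ROW_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")


def expand(suite):
    """Return [(name, min_proto, kx, au, enc, mac), ...] for `suite`.

    Returns None when no `openssl` binary is on PATH; raises ValueError if
    OpenSSL rejects the string (a typo in an alias is the usual cause).
    """
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(["openssl", "ciphers", "-v", suite],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise ValueError("openssl rejected cipher string: "
                         + proc.stderr.strip())
    rows = []
    for line in proc.stdout.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groups())
    return rows


def vet(rows):
    """Split an expansion into (weak_names, no_forward_secrecy_names)."""
    weak = [r[0] for r in rows if any(k in r[0] for k in WEAK_MARKERS)]
    no_fs = [r[0] for r in rows if r[2] not in FORWARD_SECRET_KX]
    return weak, no_fs


if __name__ == "__main__":
    for label, suite in (("Apache", APACHE_SUITE), ("Dovecot", DOVECOT_SUITE)):
        rows = expand(suite)
        if rows is None:
            print("openssl not found; cannot expand", label)
            continue
        weak, no_fs = vet(rows)
        print(f"{label}: {len(rows)} suites, weak={weak}, no forward secrecy={no_fs}")
```

Two things the expansion makes visible. First, `+HIGH` in the Apache string does not add anything: in OpenSSL cipher-string syntax `+` moves the suites it matches to the end of the list, so it only affects ordering, and once `-MEDIUM:-LOW:-EXP` have stripped the rest only HIGH suites remain anyway. Second, the Apache string still leaves static RSA key exchange (`Kx=RSA`) in place, which has no forward secrecy; that is not a PCI failure, but it is why the Dovecot list pins ECDHE suites explicitly rather than relying on aliases.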
// cPanel's own services - WHM, cPanel, Webmail
cPanel Web Services Configuration
TLS Protocols
SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv11
(The leading SSLv23 is OpenSSL's name for the version-flexible method that negotiates whatever version both sides support; on its own it does not enable SSL 2 or 3. The '!' entries after it remove the old versions from that set, which is what leaves only TLSv1.2 and later.)
Save
// Exim
Exim Configuration Manager
Advanced Editor
openssl_options
+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1
Save
// WebDisk, DAVFS, CalDAV, CardDAV
cPanel Web Disk Configuration
TLS Protocols
SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv11
(Same shape as the Web Services line above: a leading '!SSLv23' here is a copy-paste slip that negates the base method itself rather than the old versions.)
Save
// Checking Our Work
The following at the console will show whether you are still allowing any filthy TLSv1.0 or similar to be negotiated. That is easily done with a copy-paste error, and ASV scans take forever, so check what you can first. The ports are Apache (443), Exim SMTPS (465), Dovecot IMAPS and POP3S (993, 995), WebDisk (2078), cPanel (2083), WHM (2087) and Webmail (2096):
nmap --script ssl-enum-ciphers -p 443,465,993,995,2078,2083,2087,2096 domain.com
Anything other than TLSv1.2 (and TLSv1.3, where the build has it) listed under a port is a finding. The ASV will also hit the STARTTLS listeners, and ssl-enum-ciphers negotiates STARTTLS on those ports itself, so run it against them too: SMTP on 25 and 587, POP3 on 110, IMAP on 143, and FTP on 21 if you kept it:
nmap --script ssl-enum-ciphers -p 21,25,110,143,587 domain.com
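Reading the nmap output by eye across eight ports is where mistakes creep back in, and a full re-scan after every WHM change is slow. The following is an added example (not nmap or cPanel code, and not from the original post) that does two things: it parses `ssl-enum-ciphers` output and lists every port still offering SSLv2, SSLv3, TLSv1.0 or TLSv1.1, and it gives a live probe that pins a handshake to one protocol version so a single port can be re-tested in seconds. The sample nmap output is constructed for the example, the `CPANEL_TLS_PORTS` table is the port list from the check above, and `domain.com` stands in for your host.

```python
"""Pre-check the TLS versions cPanel's listeners still accept.

Standalone example. parse_enum_ciphers/findings work on saved nmap output;
probe_version makes a live connection pinned to one protocol version.
"""
import re
import socket
import ssl
import sys

# Listeners that speak TLS directly on a cPanel box (no STARTTLS).
CPANEL_TLS_PORTS = {
    443: "Apache HTTPS",
    465: "Exim SMTPS",
    993: "Dovecot IMAPS",
    995: "Dovecot POP3S",
    2078: "cpdavd (WebDisk/CalDAV/CardDAV)",
    2083: "cpsrvd (cPanel)",
    2087: "cpsrvd (WHM)",
    2096: "cpsrvd (Webmail)",
}
BANNED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
# nmap prints one "|   TLSv1.2:" header per version the server accepted.
PROTO_RE = re.compile(r"^\|\s+(SSLv2|SSLv3|TLSv1\.[0-3]):\s*$")

# Constructed sample of ssl-enum-ciphers output (not a real scan):
# 443 still accepts TLSv1.0 after a copy-paste error, 2083 is clean.
SAMPLE_NMAP = """\
PORT     STATE SERVICE
443/tcp  open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
2083/tcp open  radsec
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""


def parse_enum_ciphers(output):
    """Map port -> set of protocol versions nmap saw the server accept."""
    protocols = {}
    port = None
    for line in output.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            protocols.setdefault(port, set())
            continue
        m = PROTO_RE.match(line)
        if m and port is not None:
            protocols[port].add(m.group(1))
    return protocols


def findings(protocols):
    """Sorted (port, version) pairs an ASV would fail the host for."""
    return sorted((p, v) for p, vs in protocols.items() for v in vs & BANNED)


def probe_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to `version`.

    OpenSSL 3 will not even offer TLS 1.0/1.1 at its default security
    level, so the client context drops to SECLEVEL=0; that weakens only
    this probe, not the server under test. Any refusal, socket error, or
    a client library without the old version at all, counts as False.
    """
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "domain.com"
    for port, service in CPANEL_TLS_PORTS.items():
        for name, ver in (("TLSv1.0", ssl.TLSVersion.TLSv1),
                          ("TLSv1.1", ssl.TLSVersion.TLSv1_1)):
            if probe_version(host, port, ver):
                print(f"FAIL {host}:{port} ({service}) still accepts {name}")
```

Feed `parse_enum_ciphers` the saved output of the nmap command above (`nmap ... -oN scan.txt`) to get the list of offending ports, then use `probe_version` on just the port you changed rather than re-scanning everything. A False from the probe only proves the client could not negotiate that version; if the local OpenSSL build has TLS 1.0 compiled out, the nmap check is the one to trust.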
// Note Well
Keep in mind that this was good at the time of writing... until the next great SSL terror, and in the hope that TLSv1.2 and the fledgling TLSv1.3 will not be a liability a year or so down the line.
This is intended as an aide-memoire (as with many of these articles) so I don't have to rediscover things time after time. If it helps - great. If it needs correction - let me know. Cheers.
// References
http://mattjung.net/wiki/configuring-tls/
https://documentation.cpanel.net/display/CKB/How+to+Configure+Your+Firewall+for+cPanel+Services
https://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols
https://documentation.cpanel.net/display/70Docs/The+set-tls-settings+Script
// Comments
Why is SSLv23 in your protocol list for CP ports?
Good afternoon Denver – because 'taken from old notes', I should imagine. Sorry about that. What would you like to see here now, then? I will revisit at some point, but would appreciate your input.