Questions about the SSL certs generated by Lets Encrypt


#1

So I have a website and I generated the SSL certs for it using letsencrypt-auto. I’ve installed them and have been using them and it’s great. I noticed someone was trying to get into my server, a lot, using brute-force type attacks. So I installed this add-on software for cPanel / WHM called ConfigServer Firewall. It’s great. There’s a section where I can have it scan my whole server for vulnerabilities and I did that. I’ve been slowly fixing them. But I ran into one and I’m not sure what to do. It says:

Cipher list []. Due to weaknesses in the SSLv2 cipher you should disable SSLv2 in WHM > Apache Configuration > Global Configuration > SSLCipherSuite > Add -SSLv2 to SSLCipherSuite and/or remove +SSLv2. Do not forget to Save AND then Rebuild Configuration and Restart Apache, otherwise the changes will not take effect in httpd.conf

I understand the directions on how to disable the SSLv2 cipher. I don’t really know much about SSL certificates and DNS servers and stuff but I’m learning. I’m pretty sure the certs I generated are using the TLS 1.2. I’m sorry if this is a dumb question, but am I right on that? These aren’t using the SSLv2 and SSLv3 cipher, right? I can safely disable those? Thanks!


#3

Certificates aren’t bound to any specific protocol. They’ll work just fine on TLS 1.2 as they would on SSLv2. You can disable or enable any protocol you wish. That said, I’d recommend disabling SSLv2 and SSLv3 unless you have very good reasons for using them, as they have inherent weaknesses that can compromise security.

I recommend using the configuration generator provided by Mozilla here, as it will give you a very good configuration at the Intermediate settings. Just make sure to put in the correct software versions.


#4

Thanks Motoko. I was confused, because the options ConfigServer Firewall told me to add to the Apache config were always in there, at least in the GUI. Turns out though I had to save it. I thought it was pulling them from the actual Apache’s httpd.conf file. I was wrong. I got it going good now.

I’m going to seek help on the cPanel forums because ConfigServer Firewall suggested I turn off Proxy Subdomains. I did that, but now I can’t go to places like whm.JetBBS.com. Gotta figure out how to set those manually, the correct way. Thanks for the help!