Search our site for answers
Help Docs Security Overview TLS Hardening Managing TLS protocols and cipher suites on your server

Managing TLS protocols and cipher suites on your server

Learn how to configure TLS/SSL protocols and ciphers for Apache, FTP, and email on cPanel, Plesk, & InterWorx servers to enhance security and meet PCI compliance.
Control Panel Security SSL
13 min read

Transport Layer Security (TLS) protocols and cipher suites are fundamental to securing communications between your server and its clients (like web browsers, email clients, and FTP clients). Regularly reviewing and updating these configurations is crucial for protecting sensitive data and maintaining trust.

This article explains why managing your server’s TLS/SSL settings is important, common scenarios where you might need to make changes, and how to adjust these settings for various services on cPanel, Plesk, and InterWorx servers. We’ll also cover how to test your configurations.

The significance of TLS protocols and ciphers

TLS is the successor to SSL (Secure Sockets Layer) and provides a secure channel for network communication. It relies on:

  • TLS Protocols: These are the versions of the TLS standard (e.g., TLS 1.2, TLS 1.3). Newer versions offer enhanced security features and address vulnerabilities found in older ones.
  • Cipher Suites: A cipher suite is a set of algorithms used to secure a network connection through TLS. It typically includes algorithms for key exchange, bulk encryption, and message authentication.

Strong TLS configurations are vital for:

  • Data Encryption: Protecting data in transit from eavesdropping.
  • Authentication: Verifying the identity of the server (and sometimes the client).
  • Data Integrity: Ensuring that data has not been tampered with during transmission.

Use cases for modifying TLS/SSL settings

You might need to adjust your server’s TLS protocols and cipher suites in several situations:

  • PCI DSS Compliance: The Payment Card Industry Data Security Standard (PCI DSS) mandates strong encryption for transmitting cardholder data. Failing a PCI scan often means you need to disable older TLS protocols (like TLS 1.0 and 1.1) and remove weak cipher suites. Current PCI DSS guidelines generally require TLS 1.2 or higher.
  • Security Best Practices: As new vulnerabilities are discovered in older protocols or specific ciphers, it’s essential to update your configurations to use only currently secure options.
  • Internal Security Policies: Your organization may have its own security policies that require specific TLS versions and cipher suites.
  • Vulnerability Scans: Regular security audits or vulnerability scans (internal or external) might identify weak TLS configurations that need remediation.
  • Improving Security Scores: Online tools that grade your website’s SSL/TLS setup (like Qualys SSL Labs) can highlight areas for improvement, often involving disabling older protocols or ciphers.

Disabling outdated protocols like TLS 1.0 and TLS 1.1 is a common requirement, as they are known to have significant vulnerabilities. Similarly, certain cipher suites (e.g., those using RC4, 3DES, or anonymous Diffie-Hellman) are considered weak and should be disabled.

General considerations before making changes

Before modifying your TLS/SSL settings, keep these points in mind:

  • Backup Configurations: Always back up the relevant configuration files before making any changes. If something goes wrong, you can quickly revert to a working state.
  • Client Compatibility: Disabling older protocols or ciphers might affect compatibility with very old clients or operating systems that do not support modern encryption standards. Understand your user base and the potential impact. However, security should generally take precedence.
  • Restart Services: Most changes to TLS/SSL configurations require a restart of the affected service (e.g., Apache, FTP server, mail server) to take effect.
  • Refer to Official Documentation: While this guide provides general instructions, always consult the official documentation for your control panel and specific server software for the most accurate and up-to-date information on cipher suite syntax and recommended values. Security best practices evolve, so stay informed.

Modifying TLS/SSL settings

The methods for changing TLS protocols and cipher suites vary depending on your server’s control panel and the specific service you’re configuring.

Important Note on Cipher Suites: This article will guide you on where to make changes but will not provide specific cipher suite strings to copy and paste. Recommended cipher suites change over time as new vulnerabilities are discovered. You should consult current security best practices (e.g., from Mozilla, NIST, or your PCI compliance vendor) for strong cipher suite recommendations at the time of configuration.

cPanel & WHM

cPanel & WHM provide interfaces for managing many service configurations. For more fine-grained control, you might need to edit configuration files directly.

Apache (web server)

You can manage Apache’s SSL/TLS protocols and cipher suite server-wide through WHM.

  1. Log in to WHM as root.
  2. Navigate to Service Configuration » Apache Configuration » Global Configuration.
  3. In the SSL/TLS Protocols field, you can specify the desired protocols. For example, to enable TLS 1.2 and TLS 1.3 while disabling older versions, you might use an entry like: TLSv1.2 TLSv1.3 or All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1. Refer to Apache’s SSLProtocol directive documentation for the correct syntax.
  4. In the SSLCipherSuite field, you can input your preferred cipher suite string.
  5. Click Save.
  6. You will be prompted to Rebuild Configuration and Restart Apache.

FTP (ProFTPD or Pure-FTPd)

FTP server TLS settings are managed in WHM.

  1. Log in to WHM.
  2. Navigate to Service Configuration » FTP Server Configuration.
  3. You’ll find options for TLS Encryption Support, TLS Cipher Suite, and TLS Protocol (for ProFTPD).
  4. Adjust these settings as needed. For the cipher suite, enter a string compliant with OpenSSL cipher list format. For protocols, ensure only secure versions are enabled.
  5. Click Save. The FTP service will typically restart.

Email (Exim for SMTP, Dovecot for POP3/IMAP)

Mail server TLS settings can be adjusted in WHM.

  1. Log in to WHM.
  2. Navigate to Service Configuration » Exim Configuration Manager. Click the Advanced Editor tab.
  3. Search for options like tls_require_ciphers or openssl_options (for disabling protocol versions). You may need to add custom configuration snippets. For openssl_options, to disable TLSv1 and TLSv1.1, you might add something like +no_tls_v1 +no_tls_v1_1 to the existing value of an option such as IGNORE_SSL_OPTS or directly to openssl_options. Consult Exim documentation for precise syntax.
  4. For Dovecot (POP3/IMAP), navigate to Service Configuration » Mailserver Configuration.
  5. Here, you can set SSL Cipher List and SSL Minimum Protocol Version (e.g., TLSv1.2).
  6. Click Save Changes for both Exim and Dovecot. Services will be restarted.

cPanel/WHM/Webmail services (cpsrvd)

The SSL/TLS settings for the control panel services themselves can often be updated.

  1. Log in to WHM.
  2. Navigate to Service Configuration » cPanel Web Services Configuration.
  3. Adjust the TLS/SSL Cipher List or TLS/SSL Protocols as necessary.
  4. Click Save, which will also restart the necessary services.

Plesk

Plesk uses a combination of web server (Apache with Nginx as a reverse proxy often) and other services. Settings are managed via command line.

To see all available options:

plesk sbin sslmng --help

The current settings for each service can be viewed with:

plesk sbin sslmng --show-config

To only allow certain TLS versions for all services (such as TLS 1.2 and 1.3), you can use plesk bin server_pref -u (-u to update the configuration) run:

plesk bin server_pref -u -ssl-protocols 'TLSv1.2 TLSv1.3'

To specify a set of cipher suites for all services, you can run:

plesk bin server_pref -u -ssl-ciphers 'list:of:colon:separated:cipher:suites'

You can also make these changes to specific services, simply add --services along with the service name to the command, such as this example for postfix:

plesk sbin sslmng --services postfix --protocols 'TLSv1.2 TLSv1.3'

This services will depend on which are installed, but these are some of the common ones:

  • Apache
  • Nginx
  • Postfix
  • Dovecot
  • Proftpd
  • sw-cp-server (Plesk Interfaces)

InterWorx (NodeWorx & SiteWorx)

InterWorx uses NodeWorx for server-level administration and SiteWorx for individual website management.

Apache (Web Server)

Global Apache TLS settings can only be set via command line on InterWorx servers

  • Log into SSH as the root user.
  • The configuration file where SSL/TLS settings are stored is: /etc/httpd/conf.d/ssl.conf
  • The SSLProtocol line within that file defines which SSL/TLS Protocols can be used. Multiple versions can be specified by putting a space between each version, such as: SSLProtocol TLSv1.2 TLSv1.3
  • The SSLCipherSuite line within that file defines which Cipher Suites can be used.

When making changes to this file:

  • Be careful! An invalid configuration line can prevent Apache from starting and cause additional downtime.
  • Take a backup of the file before making changes.
  • After making changes, test the Apache configuration syntax with: httpd -t
  • If httpd -t returns Syntax OK, you are safe to restart Apache, which will take your changes into effect.
  • Restart Apache with the following command: systemctl restart httpd

FTP (Pure-FTPd)

InterWorx typically uses Pure-FTPd.

The TLSProtocol directive controls which SSL/TLS protocol versions ProFTPD will support.

  • Syntax: TLSProtocol <protocol> [<protocol> ...]
  • Supported Protocols: Common values include SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, and TLSv1.3. You can also use ALL to enable all supported protocols.
  • Disabling Protocols: You can explicitly disable protocols by prefixing them with a hyphen (-). For example, TLSProtocol TLSv1.2 TLSv1.3 would enable only TLS 1.2 and TLS 1.3. Another common practice is to allow all modern protocols and disable older, insecure ones: TLSProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1.

Important Considerations for configuring TLSProtocol:

  • Security: It’s crucial to disable older, vulnerable protocols like SSLv2, SSLv3, and early versions of TLS (TLSv1, TLSv1.1) if your clients support newer versions.
  • ProFTPD Version: TLSv1.3 support was added in later versions of ProFTPD (e.g., 1.3.7rc1 and newer). Ensure your ProFTPD version supports the protocols you intend to use. If you specify an unsupported protocol, ProFTPD might fail to start or not apply the setting as expected.
  • Client Compatibility: While aiming for the highest security, ensure that the protocols you enable are supported by the FTP clients that will connect to your server.

The TLSCipherSuite directive specifies the list of cryptographic ciphers that ProFTPD will offer to clients during the TLS handshake.

  • Syntax: TLSCipherSuite [<protocol_specifier>] <cipher_suite_string>
  • Cipher Suite String: This string uses OpenSSL cipher list format. You can specify individual ciphers, groups of ciphers (e.g., HIGH, MEDIUM), and disable ciphers using ! or -.
  • Protocol Specifier (for TLSv1.3): For ProFTPD versions that support it (e.g., 1.3.8 and newer), you can specify different cipher suites for different TLS protocol versions. For TLSv1.3, the ciphers are configured differently.

Important Considerations for TLSCipherSuite:

  • Security: Prioritize strong, modern ciphers and disable weak or compromised ones (like those using DES, RC4, MD5, or anonymous Diffie-Hellman).
  • OpenSSL: The available ciphers depend on the version of OpenSSL your ProFTPD is compiled against. You can often use the command openssl ciphers -v 'YOUR_CIPHER_STRING' to test and see the list of ciphers matched by your string.
  • Client Compatibility: Again, ensure that the cipher suites you enable are supported by connecting clients.
  • TLSv1.3 Ciphers: Remember that TLSv1.3 cipher suites are configured separately and have different names than those for TLSv1.2 and earlier. Check your ProFTPD version’s documentation for the correct syntax if you intend to use TLSv1.3-specific ciphers.

To Apply Changes:

  1. Locate Configuration File: Find your ProFTPD configuration file. It is typically located in: /etc/proftpd.conf
  2. Edit Configuration: Use a text editor (like nano, vim, or gedit) with appropriate permissions (usually root) to modify the TLSProtocol and TLSCipherSuite directives within the <IfModule mod_tls.c> ... </IfModule> block.
  3. Test Configuration: Before restarting, it’s highly recommended to test your ProFTPD configuration for syntax errors: proftpd -t
  4. Restart ProFTPD: If the configuration test passes, restart the ProFTPD service to apply the changes. The command to do this varies by system:
    sudo systemctl restart proftpd

Email (Qmail or Postfix/Exim, with Dovecot)

InterWorx mail server configuration can vary. It often uses Dovecot for POP/IMAP. The MTA could be Qmail, Postfix, or Exim.

  • Dovecot (POP3/IMAP):
    1. In NodeWorx, navigate to System Services » Mail Server » MDA Settings (Mail Delivery Agent, referring to Dovecot).
    2. Under Dovecot Global Settings, you should find options for SSL Minimum Protocol (e.g., select TLSv1.2) and SSL Cipher Suite.
    3. Enter your desired cipher suite string and select the minimum protocol.
    4. Click Update. Dovecot will be restarted.
  • MTA (SMTP – Qmail/Postfix/Exim): Configuration for the MTA’s TLS settings (protocols and ciphers) requires manual configuration file edits.
    • Qmail: Often involves setting environment variables or control files (e.g., /var/qmail/control/tlsserverciphers, /var/qmail/control/tlsclientciphers). The available protocols are usually tied to the OpenSSL version Qmail was compiled against and runtime flags.

InterWorx Panel (iworx-web)

The InterWorx control panel itself runs on its own web server (iworx-web).

  1. Log in to NodeWorx.
  2. Navigate to Server » SSL Certificates » InterWorx-SSL and click the pencil icon to edit.
  3. Edit the Cipher suite as needed and press Save.

Testing Your TLS/SSL Configuration

After making changes, it’s crucial to test your server’s configuration to ensure it’s working as expected and that insecure protocols/ciphers are disabled.

Using `openssl s_client`

The `openssl s_client` command is a versatile tool for testing SSL/TLS connections from the command line. You’ll need OpenSSL installed on your local machine or another server.

Check available protocols and ciphers for a web server (HTTPS on port 443):

openssl s_client -connect yourdomain.com:443

Look for “SSL-Session:” section, “Protocol” and “Cipher” lines.

Test a specific protocol version (e.g., TLS 1.2):

openssl s_client -connect yourdomain.com:443 -tls1_2

If the server supports TLS 1.2, the connection will succeed. If you try to connect with a disabled protocol (e.g., `-tls1` or `-tls1_1` after disabling them), the connection should fail or be refused.

Test a specific cipher (this is more complex as the client also needs to offer it):

openssl s_client -connect yourdomain.com:443 -cipher 'ECDHE-RSA-AES256-GCM-SHA384'

Replace with a cipher you expect to be enabled or disabled.

For other services:

FTP (FTPS, port 21 for explicit TLS, or 990 for implicit):

openssl s_client -connect yourdomain.com:21 -starttls ftp

SMTP (SMTPS, port 465 for implicit, or port 25/587 for explicit STARTTLS):

openssl s_client -connect mail.yourdomain.com:587 -starttls smtp openssl s_client -connect mail.yourdomain.com:465

POP3 (POP3S, port 995 for implicit, or 110 for explicit STARTTLS):

openssl s_client -connect mail.yourdomain.com:110 -starttls pop3 openssl s_client -connect mail.yourdomain.com:995

IMAP (IMAPS, port 993 for implicit, or 143 for explicit STARTTLS):

openssl s_client -connect mail.yourdomain.com:143 -starttls imap openssl s_client -connect mail.yourdomain.com:993

Using nmap to test

`nmap` is a powerful network scanner with scripts (NSE – Nmap Scripting Engine) for various checks.

Enumerate SSL/TLS ciphers for a specific port (e.g., HTTPS on port 443):

nmap --script ssl-enum-ciphers -p 443 yourdomain.com

This script will list the ciphers supported by the server for the specified port and grade them.

You can use this for other ports as well (e.g., `-p 21,25,110,143,465,587,990,993,995`). For services requiring STARTTLS, `nmap` often handles this automatically for common ports.

Online SSL/TLS Testing Tools

Several websites offer comprehensive SSL/TLS server tests. These tools can provide detailed reports on supported protocols, cipher suites, vulnerabilities, and overall configuration quality. Popular examples include Qualys SSL Labs, SSLShopper, and Geekflare SSL/TLS Test. These are excellent for verifying web server configurations.

Conclusion

Maintaining up-to-date and robust TLS protocols and cipher suites is an ongoing but critical aspect of server administration. By understanding where to configure these settings for your various services and how to test them, you can significantly enhance your server’s security posture, protect your users’ data, and meet compliance requirements like PCI DSS. Always refer to current security guidelines when choosing cipher suites and protocols.

Was this article helpful?