SSL - Forward Secrecy (or Perfect Forward Secrecy)

Discussion in 'Security' started by Chris.M, Aug 18, 2014.

  1. Chris.M

    Chris.M Member

    I was discussing this with a KH support crew member last week, actually. I recently decided to implement an SSL certificate on my personal website, and will be doing the same for another project at some point this week. Just for the hell of it, I ran the domain through the Qualys SSL Labs scan. The results were pleasing, with the exception of one little tidbit: the lack of Forward Secrecy support.

    Did a bit of research on how one would go about implementing Forward Secrecy, and it was something that I wasn't comfortable with doing. To make a long story short, the configuration that I want to use is apparently not compatible with cPanel servers. (For reference, this is the configuration I'm referring to.) Software compatibility-wise, everything seems to check out... but cPanel blocks the configuration itself. Didn't want to pursue this further at the time as it was really a low-priority matter, but it does intrigue me. Is this something that the folks over at cPanel are actively pursuing? Perhaps there's another way to go about enabling support for Forward Secrecy successfully?

    Curious to see if anyone else has stumbled into this. It doesn't seem to be necessary, but more of an added layer of security on top of everything else. And honestly, that's what I'm aiming for.

    Chris
     

    Attached Files:

  2. Dan

    Dan Moderator

    Morning Chris,

    I ran a quick search at the cPanel forums and came up with a few posts. This was the most recent one and cPanelMichael in post #4 talks about a feature request and a work around. I suggest going to the feature request and hitting the like button and maybe even taking a look at the work around.
     
    Chris.M likes this.
  3. Chris.M

    Chris.M Member

    Hey there Dan,

    Appreciate the provided link, and am glad to see that this is something that is being requested by fellow cPanel users. I'll look into that workaround and perhaps attempt to get it running. I'm still surprised this hasn't already been implemented as default functionality.

    Thanks again!
     
  4. Mark NYC

    Mark NYC New Member

    I ran into the same problem some time ago.

    If you use the right cipher suite, PFS should not be a problem - I use (found here):

    [PRE]ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK[/PRE]

    SSL Labs shows PFS working for most browsers...
     
    Chris.M likes this.
  5. Mark NYC

    Mark NYC New Member

    Hmmm, problem with formatting - cipher suite attached...
     

    Attached Files:

  6. Chris.M

    Chris.M Member

    Mark, this is fantastic. I'm going to give this a try within the next day or so. Thank you, sir!
     
  7. Mark NYC

    Mark NYC New Member

    You are welcome !

    I have received this from the guys of SSLPOINT (my ssl provider for some time now) - so credits go to them :)

    The above cipher suite is backward compatible up to XP / IE 6 (I use it because nearly 25% of internet users still use Windows XP and a tighter cipher suite would not work when they visit the sites of my clients).

    However, I received a second cipher suite from sslpoint - it provides a higher level of security, but does not work with XP - see attached. You may give it a try if you need a more hardened ssl setup...
     

    Attached Files:

    Chris.M likes this.

Share This Page