How to Configure the Best TLS Settings in WHM: From A to A+
The COVID-19 pandemic forced organizations worldwide to turn to a work-from-home policy for the safety of their employees and the world at large. Keeping your website secure and your traffic encrypted during these times is crucial. Read our blog post to find out how to configure the optimal SSL/TLS encryption settings in WHM.
Enforcing the optimal SSL/TLS settings is a crucial task for a system administrator, since it influences not only website security but also the ranking on search engines such as Google. By default, WHM ships with fairly strong security settings that are good enough for most use cases. However, it is possible to harden them even further and take advantage of the latest encryption features, in order to keep your domains as secure as possible.
First of all, let’s have a look at the default Apache settings in WHM. If you navigate to the Home » Service Configuration » Apache Configuration » Global Configuration menu, you will find these defaults:
Let’s test them using the Qualys SSL Labs website, which is the most comprehensive free test available at the moment. The result is an overall rating of A, which is pretty good.
However, it is possible to improve this rating further, and get the maximum of A+. Let’s see how to accomplish that.
We will start by enabling TLS 1.3, which was added in version 86 of WHM. From the Apache configuration menu, edit the default SSL/TLS Protocols setting and add TLSv1.3. We recommend keeping TLS 1.2 active as well, for compatibility with some older browsers. Everything older than that should be disabled, so the resulting line is: All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1.
Save your changes, rebuild the configuration and restart Apache. Repeating the test at this stage will result in the same rating (A), but the TLS 1.3 support will be duly noted.
One more change is required for an A+ rating. In WHM, go to Home » Service Configuration » Apache Configuration » Include Editor and open the Pre Main Include section for All Versions.
Paste these three lines in the editor, then click on Update:
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header always set X-XSS-Protection "1; mode=block;"
Header always set X-Content-Type-Options "nosniff"
Click on Restart Apache in the next window, then repeat the Qualys test.
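As an added illustration (not part of the original post or of WHM), the following Python script checks an SSLProtocol value and a Pre Main Include snippet offline against the recipe above before you restart Apache. It assumes that "all" in mod_ssl expands to a set including TLSv1.3 (WHM 86+) and treats the post's one-year max-age as the minimum; the sample inputs are constructed.

```python
import re
import shlex
# Protocol names mod_ssl accepts; "all" is modelled as this whole set (assumes a build whose "all" includes TLSv1.3, i.e. WHM 86+).
KNOWN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
MIN_HSTS_MAX_AGE = 31536000  # assumption: one year, the max-age the post sets

def effective_protocols(sslprotocol_value):
    """Resolve an Apache SSLProtocol token list into the set of enabled protocols.
    mod_ssl semantics: '+name' adds, '-name' removes, and a bare name replaces whatever
    came before it, so 'TLSv1.2 TLSv1.3' would leave only TLSv1.3 enabled."""
    enabled = set()
    for token in sslprotocol_value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("=", token)
        names = KNOWN_PROTOCOLS if name.lower() == "all" else {name}
        if sign == "=":
            enabled = set(names)
        else:
            enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def header_directives(include_text):
    """Collect name -> value from 'Header [always] set Name "value" [env=...]' lines."""
    headers = {}
    for parts in (shlex.split(line) for line in include_text.splitlines()):
        lower = [p.lower() for p in parts]
        if lower[:1] == ["header"] and "set" in lower[1:3] and len(parts) > lower.index("set") + 2:
            i = lower.index("set")
            headers[parts[i + 1]] = parts[i + 2]
    return headers

def audit(sslprotocol_value, include_text):
    """Return findings; an empty list means the config matches the post's A+ recipe."""
    protos = effective_protocols(sslprotocol_value)
    legacy = sorted(protos - {"TLSv1.2", "TLSv1.3"})
    headers = header_directives(include_text)
    hsts = re.search(r"max-age=(\d+)", headers.get("Strict-Transport-Security", ""))
    checks = [
        (legacy, "legacy protocols enabled: " + ", ".join(legacy)),
        ("TLSv1.3" not in protos, "TLSv1.3 not enabled"),
        (not hsts, "Strict-Transport-Security header missing"),
        (hsts and int(hsts.group(1)) < MIN_HSTS_MAX_AGE, "HSTS max-age below %d" % MIN_HSTS_MAX_AGE),
        (headers.get("X-Content-Type-Options", "").lower() != "nosniff", "X-Content-Type-Options: nosniff missing"),
    ]
    return [message for failed, message in checks if failed]

# Constructed inputs: a weaker protocol line with an empty include, then the post's settings.
BEFORE = ("All -SSLv2 -SSLv3", "")
AFTER = ("All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1",
         'Header set Strict-Transport-Security "max-age=31536000" env=HTTPS\n'
         'Header always set X-XSS-Protection "1; mode=block;"\n'
         'Header always set X-Content-Type-Options "nosniff"\n')
```

audit(*BEFORE) reports three findings (TLS 1.0/1.1 still enabled, no HSTS, no nosniff), while audit(*AFTER) returns an empty list.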
Congratulations, your server now gets the maximum A+ encryption rating!
About the author
Dragos Baldescu is a Level 2 Technical Support Engineer at Bigstep, passionate about Linux and testing out new technologies and solutions.