TLS Changes in Version 68

In order to further our general goal of making cPanel & WHM as secure as possible out of the box, beginning with version 68 new installs will default to TLS 1.2, with TLS 1.1 and TLS 1.0 being disabled. You will be able to manually enable them if you need to after the install, but we’re defaulting to a more secure environment. Servers that have upgraded to version 68 will retain the existing settings until systems administrators change over to the new, more secure setting.

What is TLS?

The Transport Layer Security (TLS) protocol allows parties to communicate securely over a computer network. TLS ensures that the connection between a client and server remains private through encryption and, in some cases, public authentication. Over time, TLS (and its predecessor, SSL) has been updated to make sure your web browser is talking securely to the site you are browsing, and that the website is who it says it is.

Who will be impacted by updating to TLS 1.2?

A large majority of users will see no change; this transition should be seamless for them, as TLS 1.2 is supported by most modern browsers. There are, however, some stubborn old browsers that might run into issues, such as Internet Explorer 10 and below, as well as the Android Browser on KitKat (4.4.4) and below.
More information on browser support for TLS 1.2 is available here:

What will happen if I try to access the server with these old browsers?

If someone tries to access a TLS 1.2 server with an outdated browser, or with security settings that limit them to TLS 1.0 or 1.1, they may receive a generic “unable to connect” error that varies by browser. Internet Explorer will state “Internet Explorer cannot display the webpage” without much information to help the user dig deeper.

How do I manually re-enable TLS 1.1 and 1.0?

We don’t recommend falling back to TLS 1.0 and 1.1. We understand that some users may need to do so, so options are available, though they require some modifications. From version 68, using TLS 1.1 and 1.0 will require additional cipher suite changes. Information on adjusting your cipher suites is available on our cPanel Knowledge Base: How to Adjust Cipher Protocols
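Whichever way you decide, you will want to verify what the server actually accepts after the upgrade. The script below is an added example, not cPanel's own tooling: it attempts one handshake per TLS version against each TLS-terminating service (web and mail ports alike) and reports which versions are still accepted; the port list and the `@SECLEVEL=0` relaxation of the local OpenSSL are assumptions, not anything from this post.

```python
import socket
import ssl

# Constructed list of TLS-terminating ports a cPanel & WHM server commonly exposes:
# HTTPS, the WHM/cPanel interfaces, Dovecot IMAPS/POP3S and Exim SMTPS. Adjust it.
SERVICE_PORTS = {"https": 443, "whm": 2087, "cpanel": 2083,
                 "imaps": 993, "pop3s": 995, "smtps": 465}
PROBE_VERSIONS = {"TLS 1.0": ssl.TLSVersion.TLSv1, "TLS 1.1": ssl.TLSVersion.TLSv1_1,
                  "TLS 1.2": ssl.TLSVersion.TLSv1_2}

def build_probe_context(version):
    """Client context offering exactly one protocol version; trust is not checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = version
    try:  # modern OpenSSL will not even offer TLS 1.0/1.1 at its default security level
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL/older builds lack @SECLEVEL; probe with their defaults
    return ctx

def probe_version(host, port, version, timeout=5.0):
    """One handshake attempt; returns 'accepted', 'refused', 'unreachable'
    or 'unsupported locally' (our own OpenSSL was built without that version)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with build_probe_context(version).wrap_socket(sock, server_hostname=host):
                return "accepted"      # handshake completed at this version
    except ValueError:
        return "unsupported locally"
    except ssl.SSLError:
        return "refused"               # server alerted or hung up mid-handshake
    except OSError:                    # SSLError is an OSError, so this comes last
        return "unreachable"           # closed port, timeout or DNS failure

def audit(host, ports=SERVICE_PORTS, versions=PROBE_VERSIONS):
    """service -> {version label -> outcome}, one probe per pair."""
    return {svc: {label: probe_version(host, port, ver) for label, ver in versions.items()}
            for svc, port in ports.items()}

def legacy_versions_enabled(report):
    """Services in an audit() report that still accept TLS 1.0 or 1.1."""
    return sorted(svc for svc, res in report.items()
                  if "accepted" in (res.get("TLS 1.0"), res.get("TLS 1.1")))

if __name__ == "__main__":  # usage: python tls_audit.py your.server.example
    import sys
    for svc, res in audit(sys.argv[1]).items():
        print(f"{svc:7}", "  ".join(f"{k}: {v}" for k, v in res.items()))
```

A service that reports "accepted" for TLS 1.0 or 1.1 is still running with the pre-68 defaults; "unsupported locally" means the probing machine's OpenSSL cannot speak that version, so run the check from an older client before drawing conclusions.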

How will this work in the future?

While we can’t predict the exact future of web security, we’re already seeing the adoption of TLS 1.3 support by some browsers. TLS 1.3 is in draft at the time of writing, and the necessary changes to cPanel & WHM are yet to be determined. If we see that changes to the default settings become necessary, we’ll let people know and ensure the transition is as painless as possible.

Have ideas for future security changes to cPanel & WHM? Submit a feature request and let us know!

benny Vasquez

scripter, crafter, cPanel's Manager of Community Engagement. Facilitating communication between cPanel's amazing development team, and cPanel's amazing community. Find me on twitter: @cpaneldev

2 responses to “TLS Changes in Version 68”

  1. Mickey Molad says:

    Hi Scott,

    This change would actually affect all relevant protocols – email included. I can’t speak to the full impact just yet (will update the post next week with those details – I, too, could not find a good chart), but for Outlook, it is a mix as some versions and OS combinations will rely on your OS TLS settings, while others rely on things like WinHTTP. The good news is that there are patches available to update Windows 7 and Outlook itself to support TLS 1.2.

    Chris Schrimsher of Microsoft wrote up a good TechNet article that covers how this might work for a user:

    I’d love to have an easy to use chart like the one we provided for web browsers, so if you find one definitely let us know!

  2. Scott Neader says:

    Thanks for the information! You mentioned that TLS 1.2 will be the default on new WHM installations… but then further down, you only mentioned potential issues with web browsers. So, is the new TLS 1.2 default only for Apache? What about Email (Dovecot and Exim)? If TLS 1.2 is the only enabled cipher for email, then wouldn’t there be a lot more to consider than “stubborn old browsers”? Won’t we also need to figure out which email clients will and will not work with TLS 1.2? i.e. Can a customer with Outlook 2010 send and receive email with only TLS 1.2 enabled? I actually tried to find some type of chart online, listing email clients and which versions of SSL/TLS are supported, but could not find anything. Thoughts?
