Here is a quick script for you to check if your cPanel/WHM server is vulnerable. Execute the following as root. If you get ANY cipher output, your server can be considered vulnerable.

for port in 21 443 465 993 995 2083 2087 2078 2096; do
    echo "Scanning $port"
    # Try every SSLv3-capable cipher OpenSSL knows; a line mentioning a real cipher means the server negotiated SSLv3.
    # A failed handshake prints "Cipher is (NONE)", which is filtered out so it does not look like a hit.
    for cipher in $(openssl ciphers -sslv3 'ALL:eNULL' | sed -e 's/:/ /g'); do
        echo -n | openssl s_client -sslv3 -cipher "$cipher" -connect xxx.xxx.xxx.xxx:"$port" 2>&1 | grep -i "Cipher is" | grep -v "(NONE)"
    done
done

Replace xxx.xxx.xxx.xxx with your server IP.
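The loop above leans on the openssl command line; the same check can be done at the wire level, which also makes it clear what "vulnerable" means here: the server answers an SSLv3 (version 3.0) ClientHello with a ServerHello instead of an alert. The following is an added example, not the article's script, and is written by the editor. It sends a minimal SSLv3 ClientHello and classifies the first record that comes back. The cipher-suite list in the hello is constructed, the host argument is a placeholder just like xxx.xxx.xxx.xxx in the article, and the port list is the article's list of implicit-TLS ports (port 21 needs an FTP AUTH TLS exchange first, which this raw probe does not perform).

```python
import socket
import struct

# Ports from the article that speak TLS immediately on connect. Port 21 (FTP) is
# explicit TLS and would first need "AUTH TLS", which this raw probe does not send.
IMPLICIT_TLS_PORTS = (443, 465, 993, 995, 2078, 2083, 2087, 2096)

# Constructed cipher-suite list for the hello (IANA code points):
# AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5.
PROBE_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)


def build_sslv3_client_hello(suites=PROBE_SUITES):
    """Return one record carrying an SSLv3 (version 3.0) ClientHello."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        b"\x03\x00"                                    # client_version = SSLv3
        + b"\x00" * 32                                 # random: fixed zeros, fine for a probe only
        + b"\x00"                                      # session_id length 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                  # one compression method: null
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 24-bit length
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returned to the SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-reply"            # socket closed or nothing useful sent back
    content_type = data[0]
    if content_type == 0x15:         # Alert record (handshake_failure, protocol_version, ...)
        return "sslv3-refused"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # Handshake: ServerHello
        negotiated = (data[9], data[10])                               # server_version field
        return "sslv3-accepted" if negotiated == (3, 0) else "sslv3-refused"
    return "unknown"                 # not TLS at all, e.g. a plaintext banner


def probe_sslv3(host, port, timeout=5.0):
    """Connect, send the SSLv3 hello, and return a verdict string for this port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello())
            data = sock.recv(4096)
    except OSError as exc:
        return "unreachable: %s" % exc
    return classify_response(data)


def audit_host(host, ports=IMPLICIT_TLS_PORTS):
    """Map port -> verdict; any 'sslv3-accepted' entry is a service that still needs fixing."""
    return {port: probe_sslv3(host, port) for port in ports}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "xxx.xxx.xxx.xxx"   # placeholder, as in the article
    for port, verdict in sorted(audit_host(target).items()):
        print("%5d  %s" % (port, verdict))
```

Run it as `python probe.py your.server.ip` after applying the fixes below; every implicit-TLS port should report `sslv3-refused`. Because the verdict comes from the record type and the server_version bytes rather than from grepping openssl's output, the result does not depend on which ciphers the local OpenSSL build still supports.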

In cPanel/WHM, 7 services need to be secured, viz. HTTP, POP3, IMAP, FTP, SMTP, Control Panel and Web Disk. Here is how we disabled SSL 3.0 on our servers:

HTTP – Apache / Nginx

To fix Apache,

In WHM, go to Home >> Service Configuration >> Apache Configuration >> Global Configuration, and set the SSL Cipher Suite to the one below:

AES128+EECDH:AES128+EDH

Then go to Home >> Service Configuration >> Apache Configuration >> Include Editor, and include the following in Pre Main Include

SSLCipherSuite AES128+EECDH:AES128+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLSessionTickets Off
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

Restart Apache.

To fix Nginx,

Go to Nginx configuration, and change the line:

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

to

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Restart Nginx.
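On a server with many includes it is easy to leave one SSLProtocol or ssl_protocols line behind that still lists SSLv3. The following added example (the editor's code, not cPanel's or the article's) evaluates both directive grammars the way the servers do and flags any line that still enables SSLv3 or SSLv2. The sample config snippets are constructed from the article's own before/after lines. One labelled assumption: Apache's `All` keyword is treated as covering SSLv2 as well, which is the conservative choice for an audit since the exact set `all` expands to depends on the httpd and OpenSSL build.

```python
import re

# TLSv1.3 is included so a current nginx config still parses; it did not exist when
# these directives were written.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
_CANON = {p.lower(): p for p in PROTOCOLS}


def apache_ssl_protocol(value):
    """Evaluate the value of an Apache mod_ssl 'SSLProtocol' directive.

    Tokens are processed left to right: '+X' adds, '-X' removes, and a bare token
    replaces the set built so far (mod_ssl logs a warning when that discards
    earlier tokens). 'All' is taken to mean every protocol including SSLv2 here;
    that is a deliberate, conservative assumption for auditing purposes.
    """
    enabled = set()
    for token in value.split():
        op = token[0] if token[0] in "+-" else ""
        name = token[len(op):].lower()
        if name == "all":
            these = set(PROTOCOLS)
        elif name in _CANON:
            these = {_CANON[name]}
        else:
            raise ValueError("unknown SSLProtocol token: %r" % token)
        if op == "-":
            enabled -= these
        elif op == "+":
            enabled |= these
        else:
            enabled = these
    return enabled


def nginx_ssl_protocols(value):
    """Evaluate an nginx 'ssl_protocols' directive value: a plain list, no +/- syntax."""
    names = value.rstrip(";").split()
    unknown = [n for n in names if n.lower() not in _CANON]
    if unknown:
        raise ValueError("unknown ssl_protocols token(s): %r" % unknown)
    return {_CANON[n.lower()] for n in names}


_DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+(.+?)\s*$", re.IGNORECASE)


def audit_config(text):
    """Return [(line_no, directive, enabled_set)] for every protocol directive in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0]                 # drop trailing comments
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        directive, value = m.group(1), m.group(2)
        if directive.lower() == "sslprotocol":
            enabled = apache_ssl_protocol(value)
        else:
            enabled = nginx_ssl_protocols(value)
        findings.append((line_no, directive, enabled))
    return findings


def sslv3_allowed(text):
    """True if any protocol directive in the config leaves SSLv3 (or SSLv2) enabled."""
    return any({"SSLv2", "SSLv3"} & enabled for _, _, enabled in audit_config(text))


# Constructed snippets built from the article's own before/after directives.
NGINX_BEFORE = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"
NGINX_AFTER = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"
APACHE_AFTER = "SSLCipherSuite AES128+EECDH:AES128+EDH\nSSLProtocol All -SSLv2 -SSLv3\n"

if __name__ == "__main__":
    for label, snippet in (("nginx before", NGINX_BEFORE), ("nginx after", NGINX_AFTER),
                           ("apache after", APACHE_AFTER)):
        print("%-13s SSLv3 allowed: %s" % (label, sslv3_allowed(snippet)))
```

Point `audit_config` at the concatenated contents of the Apache and Nginx config trees (including the WHM Pre Main Include) and act on every finding whose set still contains SSLv3; the bare-token rule matters because `SSLProtocol TLSv1 TLSv1.2` does not mean what it looks like, and this evaluator reproduces that behaviour rather than hiding it.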

SMTP – Exim

In WHM, go to Home >> Service Configuration >> Exim Configuration Manager >> Advanced Editor, and change tls_require_ciphers to:

-ALL:-SSLv2:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5

Restart Exim.

POP/IMAP – Courier-IMAP / Dovecot

In WHM, go to Home >> Service Configuration >> Mailserver Configuration, and change SSL Cipher List to:

-ALL:-SSLv2:!ADH:!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5

FTP – Pure-FTP / Pro-FTP

In WHM, go to Home >> Service Configuration >> FTP Server Configuration, and change the TLS Cipher Suite to:

!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5

cPanel Web Services

In WHM, go to Home >> Service Configuration >> cPanel Web Services Configuration, and change TLS/SSL Cipher List to:

!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5

cPanel Web Disk

In WHM, go to Home >> Service Configuration >> cPanel Web Disk Configuration, and change TLS/SSL Cipher List to:

!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5