CentOS 5 TLS 1.2 support with cPanel/WHM

Since the POODLE vulnerability in SSLv3, a number of clients have disabled SSLv3 on CentOS 5, which breaks compatibility with external sites and applications such as WHMCS and PayPal IPN. The reason is that the stock CentOS 5 OpenSSL (0.9.8) only implements SSLv2, SSLv3 and TLS 1.0, so once SSLv3 is disabled TLS 1.0 is the only protocol left, and that is no longer enough for endpoints that expect TLS 1.1 or TLS 1.2.

In order to support TLS 1.1 and TLS 1.2 you can follow the steps below to build a newer OpenSSL and force Apache, PHP and curl to use it instead of the system copy:

First we need a newer OpenSSL (all links provided in this article were the latest releases at the time of writing; fetch whatever openssl.org currently publishes and verify the download against its published signature or hash before building). The default prefix puts everything under /usr/local/ssl, so the system OpenSSL in /usr is left untouched:
wget 'http://www.openssl.org/source/openssl-1.0.1j.tar.gz'
tar -zxf openssl-1.0.1j.tar.gz
cd openssl-1.0.1j
./config shared -fPIC
make
make install


Next, build the latest curl against that OpenSSL and install it to /opt/curlssl (the configure flags below point it at /usr/local/ssl; the system curl in /usr/bin is left alone and stays TLS 1.0-only):
rm -rf /opt/curlssl
wget 'http://curl.haxx.se/download/curl-7.38.0.tar.gz'
tar -zxf curl-7.38.0.tar.gz
cd curl-7.38.0
./configure --prefix=/opt/curlssl --with-ssl=/usr/local/ssl --enable-http --enable-ftp LDFLAGS=-L/usr/local/ssl/lib CPPFLAGS=-I/usr/local/ssl/include
make
make install


Now we need to configure EasyApache to use what we have done. We do this by creating two raw-options files; EasyApache appends their contents to PHP's and Apache's ./configure command line on every build:

cd /var/cpanel/easy/apache/rawopts
touch all_php5
touch Apache2_4


Edit all_php5 in your favourite text editor and add the lines below. PHP's configure option is --with-openssl=DIR (it only warns about unrecognised options such as --with-ssl, so they do nothing); the LDFLAGS and CPPFLAGS are what make the build pick up /usr/local/ssl ahead of the system headers and libraries:
--with-openssl=/usr/local/ssl
--with-curl=/opt/curlssl
LDFLAGS=-L/usr/local/ssl/lib
CPPFLAGS=-I/usr/local/ssl/include


Edit Apache2_4 in your favourite text editor and add the following (Apache's configure does accept --with-ssl=DIR for mod_ssl):
--with-ssl=/usr/local/ssl
LDFLAGS=-L/usr/local/ssl/lib
CPPFLAGS=-I/usr/local/ssl/include


Go into WHM, open EasyApache and select Build from current profile (or customise as you require). Once the build completes, Apache and PHP link the new OpenSSL and can negotiate TLS 1.2. Because the rawopts files are read on every EasyApache build, the setting survives future Apache and PHP rebuilds; a newer OpenSSL, however, has to be built into /usr/local/ssl by hand again, followed by a restart of the services that use it. Note that only Apache, PHP and /opt/curlssl are affected: anything on the box that was not rebuilt against /usr/local/ssl (the system curl in /usr/bin, cPanel's own services, the mail daemons) still links the stock 0.9.8 OpenSSL and still tops out at TLS 1.0.
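Before touching the cipher configuration it is worth confirming that every component really links the new library, because a component left on the stock 0.9.8 silently stays TLS 1.0-only and the EasyApache build log will not tell you. The script below is an added example, not from the original article: it pulls the OpenSSL version out of each component's banner, compares it against 1.0.1 (the first release with TLS 1.1/1.2 support) and prints a verdict per component. The paths /usr/local/ssl, /opt/curlssl and /usr/local/apache/bin/httpd are assumptions taken from the steps above (the last is where cPanel installs Apache); the banner strings used for the offline self-check are constructed samples.

```shell
#!/bin/sh
# check_tls_stack.sh - confirm each rebuilt component links an OpenSSL that
# can speak TLS 1.2 (1.0.1 is the first release that can).
# Added example, not from the original article; the install paths below
# (/usr/local/ssl, /opt/curlssl, /usr/local/apache) are assumptions taken
# from the build steps above.

# Pull the first "OpenSSL/x.y.z" or "OpenSSL x.y.z" token out of any banner
# (curl -V, openssl version, PHP's OPENSSL_VERSION_TEXT all use one of the two).
openssl_version_in() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL[ /]\([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Turn "1.0.1j" into a comparable integer, dropping the patch letter:
# 1.0.1j -> 1000001, 0.9.8e -> 9008
ver_num() {
    set -- $(printf '%s\n' "$1" | sed 's/[^0-9.].*$//' | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# TLS 1.1/1.2 arrived in OpenSSL 1.0.1; anything older tops out at TLS 1.0.
openssl_supports_tls12() {
    [ "$(ver_num "$1")" -ge "$(ver_num 1.0.1)" ]
}

# One line of verdict for a component, given its label and version banner.
report() {
    v=$(openssl_version_in "$2")
    if [ -z "$v" ]; then
        echo "$1: no OpenSSL version in banner"
    elif openssl_supports_tls12 "$v"; then
        echo "$1: OpenSSL $v, TLS 1.2 capable"
    else
        echo "$1: OpenSSL $v, TLS 1.0 only (still the stock CentOS 5 library?)"
    fi
}

# Live checks against the assumed install paths; each is skipped when the
# binary is not present, so the script is safe to run anywhere.
check_live() {
    if [ -x /usr/local/ssl/bin/openssl ]; then
        report "openssl" "$(/usr/local/ssl/bin/openssl version)"
    fi
    if [ -x /opt/curlssl/bin/curl ]; then
        report "curl" "$(/opt/curlssl/bin/curl -V)"
    fi
    if command -v php >/dev/null 2>&1; then
        report "php" "$(php -r 'echo OPENSSL_VERSION_TEXT;' 2>/dev/null)"
    fi
    if [ -x /usr/local/apache/bin/httpd ]; then
        # Apache prints no OpenSSL banner; check which libssl the binary resolves to
        # instead (it should live under /usr/local/ssl/lib, not /lib or /usr/lib).
        echo "httpd libssl: $(ldd /usr/local/apache/bin/httpd 2>/dev/null | sed -n 's/.*libssl[^ ]* => \([^ ]*\).*/\1/p')"
    fi
}

check_live
```

Run it as root after the EasyApache build; a "TLS 1.0 only" line means that component's configure did not pick up /usr/local/ssl (check the rawopts file and the build log), and an httpd libssl path under /lib or /usr/lib means Apache still links the system library even though the PHP side may be fine.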

For forward secrecy and a high rating from SSL scanners, add the following via WHM > Apache Configuration > Include Editor > Pre VirtualHost Include, choose either All Versions or your current version, and paste the block below into the box. SSLProtocol leaves only TLS 1.0 to 1.2 enabled, SSLCompression off closes the CRIME attack, and SSLHonorCipherOrder on makes the server's preference win, so the ECDHE/DHE suites at the front of the list (which need the new OpenSSL; 0.9.8 has no ECDHE at all) are what clients get. The list ends with RSA+RC4+SHA as a last resort for clients that can do nothing better: those connections have no forward secrecy and RC4 is now considered broken (RFC 7465 prohibits it), so drop that entry unless you still have such clients.

SSLProtocol -SSLv2 -SSLv3 +TLSv1.2 +TLSv1.1 +TLSv1
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:AES128-GCM-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!NULL:!eNULL:!aNULL:!DSS:-LOW:RSA+RC4+SHA
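To confirm what the rebuilt Apache actually negotiates once the include is in place, the script below (added here, not part of the original article) walks the protocol ladder with the new OpenSSL's s_client, classifies each handshake from the session summary, and flags whether the negotiated cipher is an ephemeral (EC)DHE suite, i.e. forward secret. It assumes the OpenSSL build lives at /usr/local/ssl (overridable through the OPENSSL variable; the stock 0.9.8 openssl cannot be used here because it cannot speak TLS 1.1/1.2 itself) and takes host:port as its argument. The embedded s_client transcripts are constructed samples for the offline self-check, not real captures.

```shell
#!/bin/sh
# probe_tls.sh - report which protocol versions and ciphers a server accepts.
# Added example, not from the original article. Assumes the OpenSSL built
# earlier is at /usr/local/ssl (override with OPENSSL=/path/to/openssl).

OPENSSL=${OPENSSL:-/usr/local/ssl/bin/openssl}

# Reduce raw 's_client' output to "accepted <protocol> <cipher>" or "rejected".
# A refused handshake leaves "Cipher : 0000" (or no Cipher line at all, e.g. when
# the client build does not even know the requested protocol) in the summary.
handshake_result() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1)
    cipher=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | head -n 1)
    case "$cipher" in
        ''|0000) echo "rejected" ;;
        *) echo "accepted $proto $cipher" ;;
    esac
}

# Forward secrecy means an ephemeral (EC)DHE key exchange; static-RSA suites
# such as AES256-GCM-SHA384 or the RSA+RC4+SHA fallback are not forward secret.
is_forward_secret() {
    case "$1" in
        ECDHE-*|DHE-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Try one protocol version (ssl3|tls1|tls1_1|tls1_2) against host:port.
probe() {
    out=$("$OPENSSL" s_client -connect "$1" -"$2" </dev/null 2>&1 || true)
    handshake_result "$out"
}

# Walk the ladder. With the include above in place the expected picture is:
# ssl3 rejected, tls1/tls1_1/tls1_2 accepted with an ECDHE-* cipher.
probe_all() {
    for p in ssl3 tls1 tls1_1 tls1_2; do
        r=$(probe "$1" "$p")
        c=${r##* }          # last word: the cipher, or "rejected"
        fs=""
        if is_forward_secret "$c"; then
            fs=" (forward secret)"
        fi
        echo "$p: $r$fs"
    done
}

# Constructed sample s_client transcripts for the offline self-check (not real captures).
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 1A2B
---'
SAMPLE_REJECTED='CONNECTED(00000003)
140123:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1260:SSL alert number 40
---
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
---'

# Usage: probe_tls.sh www.example.com:443
if [ -n "$1" ] && [ -x "$OPENSSL" ]; then
    probe_all "$1"
fi
```

An "accepted" line for ssl3 means the include is not being read for that vhost (check that it was saved for the Apache version actually running and that Apache was restarted), and an accepted cipher without the forward-secret tag on tls1_2 means the client and server could only agree on a static-RSA or RC4 suite, which is what the fallback entries at the end of the list permit.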