TLS Changes in WHM Version 68 And Issues

 

We all looking for more technology and changes in old versions so the cPanel is also looking for changes day by day. New cPanel & WHM version are come up with more secure form and beginning with version 68 new installs will default to TLS 1.2, with TLS 1.1 and TLS 1.0 being disabled. When in the case of old cPanel they use TLS 1.0 as the default one, always default versions are the most secure one so in the old version TLS 1.0 is more secure but in newer one, they use default as TLS 1.1 and TLS 1.2 so they are the most secure one for them. Servers that have upgraded to version 68 will retain the existing settings until systems administrators change over to the new, more secure setting.

Each newly released version of the protocol came and will come with its own improvements and/or new/deprecated features. SSL version one was never released, version two did but had some major flaws, SSL version 3 was a rewrite of version two (to fix these flaws) and TLS version 1 an improvement of SSL version 3. Since the release of TLS 1.0, the changes have been less significant, but never less important.

Before going to know the issues happens with the change in TLS protocol we can check what is TLS?

 

TLS

Transport Layer Security is a protocol that allows the parties to communicate securely over the computer network and it is a kind of security checker to ensure the security between the server and clients. We all know about the SSL (Secure Socket Layer), which is a protocol named as the predecessor of TLS.  A web page should use encryption when it expects users to submit confidential data, including personal information, passwords, or credit card details. All web browsers have the ability to interact with secured sites so long as the site’s certificate is issued by a trusted CA.

 

Issues

Some of the sites will not work with the new version of TLS 1.1 and 1.2, TLS latest version is supported by most modern browsers. If someone tries to access a server which has TLS version 1.2/1.1 with an outdated browser, they will receive a general error message “Unable to connect” that varies by browser. Because of security we always recommended to use default versions of TLSv 1.1 and TLS v 1.2 in new cPanel, we don’t recommend falling back to TLS 1.0. But we understand in some cases users need to do so, so there are options available with some modifications required. It will be explained with the following example.

Example 1.

I have an application hosted on a server in one of our client’s offices (IP: xxx.xx.xx.xx) and that app connects to Bochica to send some alert emails.

The App is in PHP (Yii2 framework) and MySQL and uses Swift mailer transport to send emails. Everything was working fine but after the migration, we are getting the following error:

Swift_TransportException Expected response code 250 but got code 500 with the message “550 Access denied invalid HELO name.

The config for the swift transport in the app is:

‘components’ => [

‘mailer’ => [

‘class’ => ‘yii\swiftmailer\Mailer’,

‘viewPath’ => ‘@common/mail’,

‘transport’ => [

‘class’ => ‘Swift_SmtpTransport’,

‘host’ => ‘bochica.interservicios-ltda.com’,

‘username’ => ‘no-reply@interservicios.co’,

‘password’ => ‘[1nt3rs3rv1c10s.2016]’,

‘port’ => ’25’,

//’encryption’ => ‘ssl’,

],

‘useFileTransport’ => false,

],

What should it be?

Then we need to check the IP on exim_mainlog and could see the following errors:

>> grep xxx.xx.xx.xx /var/log/exim_mainlog

2018-12-29 14:51:23 SMTP connection from [xxx.xx.xx.xx]:4397 (TCP/IP connection count = 2)

2018-12-29 14:51:23 TLS error on connection from [xxx.xx.xx.xx]:4397 (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

So when on the migration to a new version of cPanel will take default version of TLS as 1.1 instead of TLS 1.0 in the old cPanel. We have to make some changes in the configuration of Exim server and Dovecot server

1) Login to WHM.

2) Click on “Mailserver Configuration” from “Service Configuration”.

3) Disable/ remove TLSv 1.1 and TLSv1 1.2 SSL Protocols and enable default TLSv in old cPanel.

 

The changes need to apply on the Exim server are:

1) Login to WHM

2) Click on “Exim Configuration Manager” from “Service Configuration”.

3) Remove the latest version of SSL (+no_sslv2 +no_sslv3) from ” Options for OpenSSL” and add the old version (+no_sslv1) onto it.

Leave a Reply