Perfect Forward Secrecy (PFS) is a security measure that helps to ensure that a session key cannot be compromised if one of the long-term keys in its set is compromised at a later date. With PFS, if a single key is compromised, only data protected by that key has the potential to be compromised as well. This is a feature specific to SSL connections that is now a somewhat standard requirement for passing PCI scans.
Apache 2.4 has this ability built-in, but Apache 2.2 supports the PFS-required ciphers as of 2.2.26. To enable this, you’ll need to make a few adjustments to the main Apache template. First, you need to change the SSLCipherSuite value. You can adjust this in WHM -> Apache Configuration -> Global Configuration, in the SSL Cipher Suite box. Change this value to:
Then save the file. You can also adjust this in /var/cpanel/conf/apache/local.
From here, you will need to add an additional setting to tell Apache to honor the cipher order you just defined. To do this:
cp /var/cpanel/templates/apache2/main.default /var/cpanel/templates/apache2/main.local
If main.local already exists, just use the existing file.
look for “SSLCipherSuite” in the template, it will look something like this:
[% IF main.sslciphersuite.item.sslciphersuite.length %]SSLCipherSuite [% main.sslciphersuite.item.sslciphersuite %][% END %]
Above this, add the following line:
Save the file, then apply the settings:
service httpd restart
To confirm PFS is working, you can run an SSL test here: