Enable TLS v1.3

This guide covers enabling TLSv1.3 with the intermediate configuration found on cPanel 86 and later.  TLSv1.3 is only available on cPanel servers running cPanel v11.86.0.4+.

TLSv1.3 is not available on Exim, Dovecot, FTP, or cpsrvd on CentOS. In order to use TLS v1.3 on these services, the the server's OS will need to be upgraded by reaching out to our support to request an OS upgrade to AlmaLinux. TLS v1.3 is provided on all services on AlmaLinux.

Enable on Apache

1. Log Into into Root WHM
2. Navigateto Apache Configuration, located in the Service Configuration section
3. Select Global Configuration
4. Under SSL/TLS Protocols, add +TLSv1.3 to the protocol list
   EXAMPLE: A full protocol list may look like all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3.
5. Click Save
6. Click Rebuild Configuration and Restart Apache

Enable on NGINX

NOTE: At this time, TLSv1.3 is already enabled on all up-to-date IMH-NGINX installs.

1. SSH into the server as root
2. If /opt/ngxconf/templates.local doesn't exist, copy the current NGINX templates folder

   cp -Rvp /opt/ngxconf/templates{,.local}

3. Edit/opt/ngxconf/config.yaml and update the templates folder used

   template_basepath: "/opt/ngxconf/templates.local"

4. Edit the default_server.j2 file in the templates.local folder
5. Update any occurrences of ssl_protocols and add TLSv1.3
   EXAMPLE: To enable TLSv1.2 and TLSv1.3, we would edit the ssl_protocols line to the following.
   

   ssl_protocols TLSv1.2 TLSv1.3;

   NOTE: Typically, ssl_protocols will occur twice in this file. Make sure to update both occurrences.
6. Rebuild NGINX by running the following

   ngxconf -Rrd --force