- As of cPanel & WHM version 68, cPanel only supports Transport Layer Security (TLS) protocol version 1.2, and we enable TLSv1.2 by default.
- We will only support applications that use TLSv1.2 and strongly recommend that you enable TLSv1.2 on your server.
- The instructions in this document only pertain to servers that run the Windows 7 operating system.
- We strongly recommend that you do not adjust the cipher and protocol settings for the Exim and Dovecot services on Windows 7. Servers on this operating system fail PCI compliance scans because of unpatched security vulnerabilities that exist in the following email clients:
- Outlook 2007.
- Outlook 2010.
Create registry keys
Install Windows update
You must download and install the KB3140245 Windows update from the Microsoft Update Catalog. This update will create the registry key paths in which you will create new registry keys. These registry keys will allow you to enable TLSv1.2 on your server.
After you download and install the update, you must restart your computer for the changes to take effect.
Add a registry key for Windows HTTP services
To add a registry key for Windows HTTP services, perform the following steps:
1. From the Windows Start menu, enter regedit.exe in the Search text box.
2. Click regedit.exe to open the Registry Editor.
3. Navigate to the following registry path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
4. Select the WinHttp key.
5. From the Menu bar, click Edit, select New, and click DWORD (32-bit) Value.
Note: On 64-bit systems, click QWORD (64-bit) Value.
6. Enter DefaultSecureProtocols as the DWORD value’s name.
7. Right-click the file and select Modify from the Context menu.
8. Enter A00 in the Value Data text box and click OK.
Important:
If your workstation runs on a 64-bit system, you must also perform steps 5-8 for the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
Add a registry key for the TLS directories
To add registry keys for TLS versions 1.1 and 1.2, perform the following steps:
1. Navigate to the following registry path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1
2. Select the Client key.
3. From the Menu bar, click Edit, select New, and click DWORD (32-bit) Value.
Reminder: On 64-bit systems, click QWORD (64-bit) Value.
4. Enter DisabledByDefault as the DWORD value’s name.
5. Right-click the file and select Modify from the Context menu.
6. Enter 0 in the Value Data text box and click OK.
7. Navigate to the TLS 1.2 registry path and open the Client key.
8. Repeat steps 2-6 and click OK.
Apply the settings
After you modify your registry keys, you must restart your workstation to apply the registry settings. When your workstation restarts, create a test email account in Microsoft Outlook and configure the following settings in the Advanced section of Microsoft Outlook’s Internet E-Mail Settings interface:
- Enter 993 in the Incoming Server (IMAP) text box or 995 in the Incoming Server (POP3) text box.
- Enter 465 in the Outgoing Server (SMTP) text box.
After you finish, click OK. Your Microsoft Outlook account will now successfully connect to your cPanel server’s mail services.
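If the connection fails, the registry values from the steps above can be checked with a read-only script such as the following. This is an added example, not one of cPanel's scripts; the function names are illustrative, and the syntax is kept to what the PowerShell 2.0 shipped with Windows 7 accepts.

```powershell
# Added example (read-only): audit the registry values this document creates.
# Function names are illustrative, not part of any cPanel or Microsoft tool.
$WinHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'  # 64-bit systems only
)
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
# DefaultSecureProtocols is a bitmask: A00 (hex) = TLS 1.1 (0x200) + TLS 1.2 (0x800).
$WinHttpFlags = @{ 'SSL 2.0' = 0x8; 'SSL 3.0' = 0x20; 'TLS 1.0' = 0x80; 'TLS 1.1' = 0x200; 'TLS 1.2' = 0x800 }

function Get-RegistryValue([string]$Key, [string]$Name) {
    # Returns $null when the key or the named value does not exist.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function New-AuditRow([string]$Key, [string]$Name, $Value, [bool]$Pass, [string]$Detail) {
    New-Object PSObject -Property @{ Key = $Key; Name = $Name; Value = $Value; Pass = $Pass; Detail = $Detail }
}

function Test-WinHttpKey([string]$Key) {
    $raw = Get-RegistryValue $Key 'DefaultSecureProtocols'
    if ($raw -eq $null) { return New-AuditRow $Key 'DefaultSecureProtocols' $null $false 'value not set' }
    $bits = [long]$raw
    # Decode which protocol bits are switched on, so extra or missing bits are visible.
    $on = @($WinHttpFlags.Keys | Where-Object { $bits -band $WinHttpFlags[$_] } | Sort-Object)
    $pass = ($bits -band 0xA00) -eq 0xA00     # both the TLS 1.1 and TLS 1.2 bits are present
    New-AuditRow $Key 'DefaultSecureProtocols' ('0x{0:X}' -f $bits) $pass ('enabled: ' + ($on -join ', '))
}

function Test-SchannelClient([string]$Protocol) {
    $key = "$SchannelRoot\$Protocol\Client"
    $raw = Get-RegistryValue $key 'DisabledByDefault'
    if ($raw -eq $null) { return New-AuditRow $key 'DisabledByDefault' $null $false 'value not set' }
    New-AuditRow $key 'DisabledByDefault' $raw ([long]$raw -eq 0) 'expected 0'
}

$rows = @()
# Skip the Wow6432Node key on 32-bit systems, where its parent path does not exist.
foreach ($k in $WinHttpKeys) { if (Test-Path (Split-Path $k -Parent)) { $rows += Test-WinHttpKey $k } }
foreach ($p in 'TLS 1.1', 'TLS 1.2') { $rows += Test-SchannelClient $p }
$rows | Format-Table Pass, Name, Value, Detail, Key -AutoSize -Wrap
```

A row with Pass set to False identifies the key whose steps need to be repeated.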
Installation scripts
We created two scripts that will automatically perform the actions that this document describes. To use these scripts, perform the following steps:
- Open the Windows PowerShell application.
- Navigate to the directory of your choice.
- Create the install-kb.ps1 and tls-reg-edit.ps1 files.
- Open the install-kb.ps1 file with a text editor and add the following information: Click to view…
- Open the tls-reg-edit.ps1 file with a text editor and add the following information: Click to view…
- Run the scripts from the directory in which you saved the files, for example:
Set-ExecutionPolicy Bypass -Scope Process ; .\install-kb.ps1
Set-ExecutionPolicy Bypass -Scope Process ; .\tls-reg-edit.ps1
- Restart your workstation for the changes to take effect.