Friday, 16 August 2019 10:00

cPanel Ciphers


The only difference from the defaults is that I have restricted cPanel Web Services and Web Disk by disabling TLSv1.1 (as per zerosandones.co.uk).

Default Ciphers for cPanel 82.0.9

  • I have used my fresh server install for this.
  • There might be slight differences because my server company might have used an old cPanel image.
  • This is a reference list, so if things stop working I can quickly revert to the defaults.
  • These settings, as they are, score an A on SSL Labs.

Apache

  • Home » Service Configuration » Apache Configuration » Global Configuration » SSL Cipher Suite
    • Default: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    • Custom: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    • Default and custom are the same
  • Home » Service Configuration » Apache Configuration » Global Configuration » SSL/TLS Protocols
    • Default: TLSv1.2
    • Custom: TLSv1.2
    • Default and custom are the same

cPanel Web Disk

  • Home » Service Configuration » cPanel Web Disk Configuration » TLS/SSL Cipher Suite
    • cPanel pre-installed: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
  • Home » Service Configuration » cPanel Web Disk Configuration » TLS/SSL Protocols
    • cPanel pre-installed: !SSLv23:!SSLv2:!SSLv3:!TLSv1

cPanel Web Services (cPanel/WHM subdomains etc.)

  • Home » Service Configuration » cPanel Web Services Configuration » TLS/SSL Cipher List
    • cPanel pre-installed: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
  • Home » Service Configuration » cPanel Web Services Configuration » TLS/SSL Protocols
    • cPanel pre-installed: SSLv23:!SSLv2:!SSLv3

Exim/Email

  • Home » Service Configuration » Exim Configuration Manager » Options for OpenSSL
    • Default: +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1
    • If the custom value is the same as the default, the server selects the default.
  • Home » Service Configuration » Exim Configuration Manager » SSL/TLS Cipher Suite List
    • cPanel pre-installed: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS

FTP

  • Home » Service Configuration » FTP Server Configuration » TLS Encryption Support
    • Default: Optional
    • Custom: Required (Command/Data)
  • Home » Service Configuration » FTP Server Configuration » TLS Cipher Suite
    • Default: HIGH
  • Home » Service Configuration » FTP Server Selection
    • Default: Pure-FTPD

Mailserver (Dovecot?)

  • Home » Service Configuration » Mailserver Configuration » Allow Plaintext Authentication (from remote clients)
    • Default: Yes
  • Home » Service Configuration » Mailserver Configuration » SSL Cipher List
    • cPanel pre-installed: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  • Home » Service Configuration » Mailserver Configuration » SSL Minimum Protocol
    • cPanel pre-installed: TLSv1.2
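
The Mailserver list above is the only one on this page that still names 3DES (DES-CBC3) suites, and every pre-installed list ends with static-RSA suites that offer no forward secrecy. The Python below is an added example, not part of the original page and not cPanel code; it classifies the suites named in an OpenSSL cipher string so such entries stand out before a list is pasted into WHM. The names `audit`, `FS_PREFIXES`, `AEAD_MARKERS` and `MAILSERVER` are assumptions made for this example.

```python
import re

FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")   # ephemeral key exchange = forward secrecy
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")  # authenticated-encryption suites

# "Mailserver Configuration » SSL Cipher List" value, copied from this page.
MAILSERVER = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)


def audit(cipher_string):
    """Group the suites named in an OpenSSL cipher string by weakness."""
    report = {"triple_des": [], "no_forward_secrecy": [],
              "non_aead": [], "not_expanded": []}
    # OpenSSL accepts colons, commas and spaces as separators.
    for token in filter(None, re.split(r"[:,\s]+", cipher_string)):
        if token[0] in "!+-":
            continue  # operators such as !DSS remove or reorder; they add nothing
        if "-" not in token:
            # Aliases such as HIGH only resolve inside OpenSSL itself.
            report["not_expanded"].append(token)
            continue
        if "DES-CBC3" in token:
            report["triple_des"].append(token)
        if not token.startswith(FS_PREFIXES):
            report["no_forward_secrecy"].append(token)  # static RSA key exchange
        if not any(marker in token for marker in AEAD_MARKERS):
            report["non_aead"].append(token)  # CBC-mode suites in these lists
    return report


if __name__ == "__main__":
    for finding, suites in audit(MAILSERVER).items():
        print(f"{finding}: {len(suites)} {suites}")
```

A suite named in the string is only offered if the server's OpenSSL build and the configured protocol minimum allow it. Aliases reported under `not_expanded`, such as the FTP default `HIGH`, can be expanded on the server with `openssl ciphers -v 'HIGH'`.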

My Changes for a more secure server

These are the current changes I have made. The rest of the relevant cipher settings are left at their defaults.

cPanel Web Disk

  • Home » Service Configuration » cPanel Web Disk Configuration » TLS/SSL Protocols
    • zerosandones.co.uk: !SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv11

cPanel Web Services (cPanel/WHM subdomains etc.)

  • Home » Service Configuration » cPanel Web Services Configuration » TLS/SSL Protocols
    • zerosandones.co.uk: SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv11

Mailserver (Dovecot?)

  • Home » Service Configuration » Mailserver Configuration » Allow Plaintext Authentication (from remote clients)
    • Custom: No

Notes

Last modified on Friday, 16 August 2019 18:36