Dear all, and Till

My need is to install the SSL certificate on my server where ISPConfig is installed, and on some domains hosted there. To achieve this I found these 2 articles thanks to the forum, and I would like a confirmation about what I'm saying:

1) When I wish to install the SSL on my ISPConfig server then I follow: https://www.howtoforge.com/securing...h-a-free-class1-ssl-certificate-from-startssl

2) When I wish to install the SSL on a domain in the ISPConfig server then I follow: https://www.howtoforge.com/community/threads/creating-a-ssl-certificate-quick-guide.42341/

Is it right until here? If I want to do 2), do I necessarily have to do 1) first or is it independent?

Thank you very much
Best
Simone
Yes. But the post in 2) does not apply to current ISPConfig versions and will probably break your server. Adding an SSL cert is dead simple. Just enable SSL in the website, go to the SSL tab, insert the details, select "create certificate" as action and press save; that's all to create a self-signed cert. Then take the CSR that is shown in the CSR field, have it signed by an SSL authority, copy the new cert into the cert field, select "save certificate" as action and press save. The process is described in detail in the ISPConfig manual, incl. screenshots. In any case, do not edit any config files, ISPConfig code files or SSL cert files manually.

That's independent.
Thanks Till, I've successfully installed the SSL certificate on my domain. It's the 30 day trial Positive SSL.

Using this tool I've noticed that some values are marked as "weak": https://sslanalyzer.comodoca.com/

Code:
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xC011) 128 WEAK (RC4 )
TLS_RSA_WITH_RC4_128_SHA (0x5) 128 WEAK (RC4 )
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xC012) 112 WEAK (key size)
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) 112 WEAK (key size)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xA) 112 WEAK (key size)

In the other domain with the same SSL, but hosted at a professional hosting provider, I have only 1 value marked as "weak":

Code:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xA) 112

Do you know if I should worry about it and how to increase the security, since I will process credit cards on this domain name?

Thanks a lot for the help!
Hi, the default SSL ciphers of most Linux distributions are not set that strictly, to ensure that older clients (browsers) can also connect to them. If you want to have only strong ciphers, then you can find a good article here: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/

The file where you add it depends on the Linux distribution that you use.
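Added example, not part of the thread or of ISPConfig: a Python script that parses the analyzer output quoted above, derives the OpenSSL cipher-string exclusions that cover every flagged suite, and checks the resulting string against the local OpenSSL build. The `HIGH:!aNULL` base string and all function names are assumptions for illustration; this is not the cipher string from the linked article.

```python
import re
import ssl

# Analyzer output copied from the post above (the ISPConfig-hosted domain).
SCAN = """\
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xC011) 128 WEAK (RC4 )
TLS_RSA_WITH_RC4_128_SHA (0x5) 128 WEAK (RC4 )
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xC012) 112 WEAK (key size)
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) 112 WEAK (key size)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xA) 112 WEAK (key size)
"""

LINE = re.compile(r"^(TLS_\w+)\s+\((0x[0-9A-Fa-f]+)\)\s+(\d+)(?:\s+WEAK\s+\((.*?)\s*\))?$")
# Bulk-cipher tokens in the IANA names; RC4 and 3DES are also OpenSSL cipher-string keywords.
KEYWORDS = ("RC4", "3DES")

def parse_scan(text):
    """One dict per suite line: name, code, bits, reason (None when not flagged)."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            name, code, bits, reason = m.groups()
            rows.append({"name": name, "code": int(code, 16), "bits": int(bits), "reason": reason})
    return rows

def exclusions(rows):
    """Keywords that cover every flagged suite, in first-seen order."""
    found = []
    for row in rows:
        bulk = row["name"].split("_WITH_")[1]  # e.g. "3DES_EDE_CBC_SHA"
        for kw in KEYWORDS:
            if row["reason"] and bulk.startswith(kw) and kw not in found:
                found.append(kw)
    return found

def cipher_string(rows, base="HIGH:!aNULL"):
    """Cipher string with the flagged ciphers excluded (base is an assumed starting point)."""
    return ":".join([base] + ["!" + kw for kw in exclusions(rows)])

def still_enabled(cipher_str):
    """Suites the local OpenSSL would still offer that use RC4 or 3DES."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_str)
    return [c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"] or "DES-CBC3" in c["name"]]

if __name__ == "__main__":
    print(cipher_string(parse_scan(SCAN)), still_enabled(cipher_string(parse_scan(SCAN))))
```

The check runs against the OpenSSL linked into the local Python, so run it on the server itself to see what that host's library would offer, then rescan the site after changing the web server configuration.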
Thanks Till, very interesting! Do you think the configuration I currently have is secure enough, or do you suggest I work on it? What would you do if the server was yours?

Thanks again!