Hi there, I would kindly ask you to point out how to add custom vhost mod_ssl entries like SSLCipherSuite and SSLProtocol. If I use the "Apache Directives" option and add something like:

    <IfModule mod_ssl.c>
        SSLEngine on
        SSLCertificateFile /var/www/clients/client0/web35/ssl/www.domain.com.crt
        SSLCertificateKeyFile /var/www/clients/client0/web35/ssl/www.domain.com.key
        SSLCACertificateFile /var/www/clients/client0/web35/ssl/www.domain.com.bundle
        SSLProtocol all -SSLv3
        SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        SSLHonorCipherOrder on
        SSLCompression off
    </IfModule>

the entries cause an error, so a ...vhost.err error file is created and the entries get ignored. The entries also appear in the non-SSL vhost area. I am not sure if the directive <IfModule mod_ssl.c> in that place causes the error or the double appearance. I would appreciate your reply, in order not to change the vhost file every time upon ISPConfig's update. Thank you very much. Kind Regards
Thank you for your reply. I think ISPConfig overrides these settings per vhost when you issue a certificate. I think I had already got:

    <IfModule mod_ssl.c>
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder On
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    </IfModule>

So regardless of the global settings, this vhost will have its own settings. Also some clients might want less strict settings like "modern" or "intermediate" ( https://wiki.mozilla.org/Security/Server_Side_TLS ). Regards
Current ispconfig versions do not set a cipher suite in the vhost, so you must either have a custom vhost master template where you set this or not a current ispconfig version.
I use ISPConfig 3.1.6 on CentOS 7. I tried modifying one host on the Options tab to make ISPConfig rewrite the .vhost file. Afterwards, the .vhost file for the domain has:

Code:
    <IfModule mod_ssl.c>
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128\
        -SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES12\
        8-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
        SSLHonorCipherOrder on

I don't have any custom file for vhosts. I only use Options to add values on vhosts, but I don't use any templates.
Also, after

Code:
    find /usr/local/ispconfig/server/conf/ -type f -exec grep -il SSLCipherSuite {} \;

I see a file modified today, just after the upgrade to this version:

Code:
    ls -lisa /usr/local/ispconfig/server/conf/vhost.conf.master
    37039751 20 -rwxr-x--- 1 root root 18695 Oct 18 08:18 /usr/local/ispconfig/server/conf/vhost.conf.master

With code:

Code:
    <IfModule mod_ssl.c>
    <tmpl_if name='ssl_enabled'>
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        # SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128\
        -SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA\
        -DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        SSLHonorCipherOrder on
        # <IfModule mod_headers.c>
        # Header always add Strict-Transport-Security "max-age=15768000"
        # </IfModule>
        SSLCertificateFile <tmpl_var name='ssl_crt_file'>
        SSLCertificateKeyFile <tmpl_var name='ssl_key_file'>
    <tmpl_if name='has_bundle_cert'>
    <tmpl_if name='apache_version' op='<' value='2.4.8' format='version'>
        SSLCertificateChainFile <tmpl_var name='ssl_bundle_file'>
    </tmpl_if>
    <tmpl_if name='apache_version' op='>=' value='2.4' format='version'>
        SSLUseStapling on
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
    </tmpl_if>
    </tmpl_if>
    </tmpl_if>
    </IfModule>

You say "ISPConfig... blah blah...", but this file is from ISPConfig. What is wrong? Appreciate help.
This file does not set a cipher suite, as I mentioned above; you can see that in the content you posted. You know what the # sign in front of a line in Apache means? Seems not; google it. Besides that, you cannot set SSL options on the Options tab of the website, as these options are set in the non-SSL vhost as well. If you want to set a custom SSL cipher suite for your sites, then alter the default SSLCipherSuite setting of the Linux distribution (and that is never in an ISPConfig file or folder) or use a custom template.
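One way to check a generated vhost file for the double appearance described in this thread, as an added example that is not ISPConfig's own code: it parses each <VirtualHost> block and lists mod_ssl directives that ended up in a vhost not bound to port 443. The port-443 heuristic, the sample vhost and the file paths in it are assumptions.

```python
import re

# Apache <VirtualHost ...> ... </VirtualHost> blocks; DOTALL so bodies span lines.
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def ssl_directives_in_plain_vhosts(config: str) -> list[tuple[str, str]]:
    """Return (address, directive) pairs for every mod_ssl directive found in a
    <VirtualHost> that is not bound to port 443.

    Assumption (not from the thread): the HTTPS vhost is the one on *:443 and
    anything else is the plain-HTTP vhost. <IfModule mod_ssl.c> wrappers are
    deliberately ignored: on a server with mod_ssl loaded they do not protect
    the :80 vhost, the wrapped directives are still active there."""
    found = []
    for match in VHOST_RE.finditer(config):
        addr, body = match.group(1).strip(), match.group(2)
        if addr.endswith(":443"):
            continue
        for line in body.splitlines():
            words = line.split()
            if not words or words[0].startswith("#"):
                continue  # blank line or Apache comment
            if words[0].lower().startswith("ssl"):
                found.append((addr, words[0]))
    return found


# Constructed sample: the same "Apache Directives" text copied into both the
# :80 and the :443 vhost, which is what the Options tab does per the thread.
CUSTOM_DIRECTIVES = """\
    <IfModule mod_ssl.c>
        SSLEngine on
        SSLProtocol all -SSLv3
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
        SSLHonorCipherOrder on
    </IfModule>
"""

SAMPLE_VHOST = f"""\
<VirtualHost *:80>
    ServerName www.example.com
{CUSTOM_DIRECTIVES}</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.com
    SSLCertificateFile /path/to/example.crt
{CUSTOM_DIRECTIVES}</VirtualHost>
"""

if __name__ == "__main__":
    for addr, directive in ssl_directives_in_plain_vhosts(SAMPLE_VHOST):
        print(f"{directive} is active in the non-SSL vhost {addr}")
```

Anything the script reports is a candidate for the custom vhost master template instead of the Options tab.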