Hi! My server: Ubuntu 18.04, ISPConfig 3.1.15p2. I am trying to disable some old SSL protocols, so I edited this file: /etc/apache2/mods-available/ssl.conf with this:

Code:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

Result of this command:

Code:
grep -R "SSLProtocol" /etc/

Result:

Code:
/etc/apache2/sites-enabled/100-ns31573xx.ip-xx-xx-xxx.eu.vhost: SSLProtocol All -SSLv2 -SSLv3
/etc/apache2/sites-enabled/100-MYDOMAIN.com.vhost: SSLProtocol All -SSLv2 -SSLv3
/etc/apache2/sites-enabled/000-ispconfig.vhost: SSLProtocol All -SSLv3
/etc/apache2/sites-available/ispconfig.vhost: SSLProtocol All -SSLv3
/etc/apache2/sites-available/MYDOMAIN.com.vhost: SSLProtocol All -SSLv2 -SSLv3
/etc/apache2/sites-available/ns31xxxxx.ip-xx-xx-xxx.eu.vhost: SSLProtocol All -SSLv2 -SSLv3
/etc/apache2/mods-enabled/ssl.conf: SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
/etc/apache2/mods-available/ssl.conf: SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

Bug:
- TLSv1 works with MYDOMAIN ==> all the sites-available files are generated by ISPConfig, so I will not edit the file directly, but where do I have to change the SSLProtocol?
- Find a good value for SSLCipherSuite ==> I see a lot of different values... but I don't really understand them.

Thanks for your help.
I trust you restarted Apache after altering the config files? Have you tested with some SSL checker (use an Internet search engine with the term "ssl checker") which protocols Apache supports?
Yes, sure, I have restarted Apache. I test SSL with: https://globalsign.ssllabs.com. But as you can see, the SSLProtocol parameter is different in all the sites-available files, and I think if I edit a file in sites-available, ISPConfig will generate it again after an update.
Copy /usr/local/ispconfig/server/conf/vhost.conf.master to /usr/local/ispconfig/server/conf-custom/vhost.conf.master and make the required protocol changes in that file. You'll find the SSLProtocol line in two places, one just after

Code:
<tmpl_if name='ssl_enabled'>
<tmpl_if name='enable_http2' op='==' value='y'>

and another one just a bit further down, just after

Code:
<IfModule mod_ssl.c>
<tmpl_if name='ssl_enabled'>

If you create a new site, or resync the sites on this server, it'll recreate the vhost conf file including the changes made in this file.
There is no "best" parameter. It depends on the users you want to serve. Use this as a guide: https://ssl-config.mozilla.org/

If you don't care about users with old browsers, then it is very easy:

Code:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2

TLS 1.3 only supports "good" ciphers, therefore there is no need to specify them.

If you need TLS 1.2 (you probably want this), then this is (currently) recommended:

Code:
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

Since all of these ciphers are considered safe, it is now recommended to use "SSLHonorCipherOrder off" to let the client choose the cipher (explanation: https://mastodon.at/@infosechandbook/102393205262657245).

I deleted the SSLProtocol and SSLCipherSuite options from my vhost.conf.master and only use the server-wide option in ssl.conf. Personally, I would consider it a bug that this essential value is overwritten by ISPConfig (it would only make sense if you could set this option individually).
It was global for many years, but this resulted in many complaints from users that the ISPConfig vhost config does not set a cipher suite. Personally, I don't like the current setup either and don't use it on my systems; it's commented out. So it's not a bug, it's a setting requested by many users which does not make much sense and which should be removed when you use a custom config.
Could it not be an option in the GUI? Either on the SSL tab, or on the domain tab, hidden but appearing when either the SSL or Let's Encrypt checkbox is selected, with the cipher set enabled by default and the default ciphers in a text field, so it can be edited or disabled as desired (maybe with a warning that people *should* know what they're doing before they change anything in that text field). It should probably also have a reset-to-default button as well, so the standard cipher set can be re-applied when some idiot inevitably messes it up. That makes it effectively global by default, still allows overriding, and doesn't involve editing conf files. (And makes more work for the developers... sorry Till.)
Just to make sure that I'm not doing anything wrong... I'm using nginx, not Apache, so the correct way to deal with this is to change the file /usr/local/ispconfig/server/conf-custom/nginx_vhost.conf.master with (line 11 in my case):

Code:
ssl_protocols TLSv1.3 TLSv1.2;

and then resync all websites on the master?
If you are struggling with this not working as expected after hours and hours of changing, applying, checking, etc., check what SSLProtocol is set to in:

Code:
/etc/letsencrypt/options-ssl-apache.conf

I found this was overriding every SSLProtocol setting everywhere else.