How do we disable TLS 1.0 and 1.1 for ISPC on Debian for all sites/vhosts? SSLLabs will start downgrading servers with TLS 1.0 and 1.1: https://blog.qualys.com/ssllabs/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols

"SSL Labs Grade Change
To encourage users to migrate to protocol TLS 1.2+ and remove protocol TLS 1.1 and TLS 1.0 from servers, SSL Labs will lower the grade for SSL/TLS servers which use TLS 1.1 and TLS 1.0.
TLS 1.0 Grade change date:
A warning will be displayed for downgrading to grade “B” by end of September 2019
Grade will be changed to “B” by end of January 2020
TLS 1.1 Grade change date:
In Configuration->Protocols section “TLS 1.1” text color will be changed to Orange by end of November 2018
A warning will be displayed for downgrading to grade “B” by end of September 2019
Grade will be changed to “B” by end of January 2020"
I used Internet search engines with: "How do we disable tsl 1.0 and 1.1 for ISPC on Debian for all sites/vhosts?"
Thank you. So I now use
SSLProtocol TLSv1.2
in the ISPC templates. I also ran
for f in *.*; do sed -i 's/SSLProtocol All -SSLv2 -SSLv3/SSLProtocol TLSv1.2/g' "${f}" ; done
in /etc/apache2/sites-available/. Now SSLLabs is happy again with A+.
Consider using
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
which also enables TLS 1.3 (if supported by your server) and newer protocols in the future. At least, you should enable TLS 1.3 with:
SSLProtocol +TLSv1.3 +TLSv1.2
See https://ssl-config.mozilla.org/ for recommendations. I would suggest removing these entries from the ISPC templates. Then the value in the global file /etc/apache2/mods-enabled/ssl.conf is used. This makes it much easier to adjust the value in the future.
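After a sed run like the one in the previous post, or a template change like the one recommended above, the practical question is whether any vhost file still carries a value that allows TLS 1.0 or 1.1. The audit script below is an added example and is not from this thread or from ISPConfig; it evaluates SSLProtocol values the way mod_ssl does (a set of protocols built from "all", "+X" and "-X" tokens) and flags anything that leaves SSLv3, TLSv1 or TLSv1.1 enabled. It assumes a modern mod_ssl where "all" expands to SSLv3 through TLSv1.3, the three vhost files it scans are constructed samples, and the helper names (classify_sslprotocol, audit_sslprotocol_dir, make_sample_dir, count_weak) are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit Apache "SSLProtocol" directives
# for values that still allow TLS 1.0 or TLS 1.1.
# Assumption: a modern mod_ssl, where the keyword "all" expands to
# SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 (SSLv2 is no longer compiled in).

# classify_sslprotocol VALUE
#   VALUE is the argument list of one SSLProtocol directive, e.g.
#   "All -SSLv2 -SSLv3". Prints "ok" or "weak: <legacy protocols still on>".
classify_sslprotocol() {
    enabled=""
    for tok in $1; do
        case "$tok" in
            [Aa]ll|+[Aa]ll) enabled=" SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 " ;;
            -[Aa]ll)        enabled="" ;;
            -*) name=${tok#-}
                # remove exactly this token; the surrounding spaces keep
                # "TLSv1" from matching inside "TLSv1.1"
                enabled=$(printf '%s' "$enabled" | sed "s/ $name / /g") ;;
            +*) enabled="$enabled ${tok#+} " ;;
            *)  enabled="$enabled $tok " ;;
        esac
    done
    weak=""
    for legacy in SSLv3 TLSv1 TLSv1.1; do
        case "$enabled" in
            *" $legacy "*) weak="${weak:+$weak }$legacy" ;;
        esac
    done
    if [ -n "$weak" ]; then echo "weak: $weak"; else echo "ok"; fi
}

# audit_sslprotocol_dir DIR
#   Prints "file:line: verdict  (value)" for every SSLProtocol directive
#   found under DIR, so a leftover "All -SSLv2 -SSLv3" is easy to spot.
audit_sslprotocol_dir() {
    grep -rn -i '^[[:space:]]*SSLProtocol[[:space:]]' "$1" |
    while IFS= read -r hit; do
        file=${hit%%:*}
        rest=${hit#*:}
        lineno=${rest%%:*}
        # drop the directive name and its leading whitespace, keep the arguments
        value=$(printf '%s\n' "${rest#*:}" | awk '{ $1 = ""; sub(/^ +/, ""); print }')
        printf '%s:%s: %s  (%s)\n' "$file" "$lineno" "$(classify_sslprotocol "$value")" "$value"
    done
}

# make_sample_dir
#   Writes three constructed vhost files (not real ISPConfig output) into a
#   temporary directory and prints its path.
make_sample_dir() {
    dir=$(mktemp -d)
    cat > "$dir/legacy.vhost" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
</VirtualHost>
EOF
    cat > "$dir/tls12only.vhost" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol TLSv1.2
</VirtualHost>
EOF
    cat > "$dir/modern.vhost" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
EOF
    printf '%s\n' "$dir"
}

# count_weak DIR  -> number of directives under DIR that still allow a legacy protocol
count_weak() {
    audit_sslprotocol_dir "$1" | grep -c 'weak:' || true
}

# Demo run over the constructed samples; on a real server point
# audit_sslprotocol_dir at /etc/apache2 instead.
sample=$(make_sample_dir)
audit_sslprotocol_dir "$sample"
rm -rf "$sample"
```

Run it against /etc/apache2 rather than the samples to see every directive the server will merge, including the global one in mods-enabled/ssl.conf; a "weak:" verdict on any line means that file still needs the change, whichever of the two approaches in the thread you pick.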
This is my vhost.conf.master in conf-custom, which gives me A+ on SSLLabs and 100% on https://en.internet.nl: http://paste.ubuntu.com/p/J4nVbkyVhz/ When you use the vhost.conf.master you can edit it, then use the resync tool to have the changes committed to all vhosts. Using it in the vhosts allows you to change it per vhost? Maybe someone doesn't want to be so modern?
That is what the OP successfully did. However, if you delete the settings from the vhost.conf.master file, the system-wide setting is used, which imho is easier to maintain. But you can do it as you like. The system-wide setting is overwritten by the vhost.conf.master, which is overwritten by the per-host settings. In case of an unexpected result this is more difficult to debug (in my opinion). Be aware that your config does not support TLS 1.3 and you have to change that in the future, when SSLLabs & co require TLS 1.3. It would be good to support that anyway, as by now all modern clients support it.
Agreed. I'd prefer this approach as well, though currently I am still using the conf-custom. Haven't got time to visit my nginx servers for quite some time.
I think it makes more sense to define a minimal TLS version per vhost instead of changing the template.
https://en.internet.nl Though it would probably show up in English when you don't come from an NL IP address?
It shows up in English for me (on a Dutch IP address), but that could be a cookie setting. Anyway, this test really puts your web (and mail) server to the test. After some tweaking I was able to get 100% on both tests.
It's English for me, so I think it uses the browser settings as most pages do. There are a lot of these tests out there, and it is always important to understand what they are complaining about and why. And to understand that these things change over time. This site, for example, recommends that the server enforces the cipher list. However, this is no longer best practice. Best practice today is to only use secure ciphers (this was not the case in the past, as older clients did sometimes need old/unsafe ciphers) and let the client decide which of the secure ciphers to use. For example, some mobile devices have different capabilities to do encryption in hardware than desktop PCs and, therefore, would choose a different mechanism.
How did you manage to set up DANE? I'm still waiting on a response: https://www.howtoforge.com/community/threads/is-dane-tlsa-automated.83550/#post-398070
Sorry, just saw your post. Take a look at this: https://community.letsencrypt.org/t/making-a-dane-tlsa-to-work-with-le/2129
I got that working now. Though I can only add 'subdomains' and not my root domain, which is a little bit strange.
I only set this up for my mailserver, which has a subdomain, so I didn't do anything with the root domain.