Can't access https site

Discussion in 'Installation/Configuration' started by Cracklefish, Aug 26, 2018.

  1. Cracklefish

    Cracklefish Member

    Perfect Server Debian Jessie build, v8.10, ISPConfig 3 v3.1.13
    I am in the process of installing SSL on all the sites on this machine but I have come unstuck with the first.
    This is accessible via http. ISPConfig, phpMyAdmin and the mail system are using SSL ok. I have modified ssl.conf to disable SSLv2, TLS1 & TLS1.2 using the suggestions from Till's post. However, Apache failed to restart because of the "SSLSessionTickets off" line. I disabled this and Apache restarted.
    I removed SSL and saved the site config in ISPConfig, then re-enabled and saved it again, but still couldn't access the site with https.
    I checked the contents of "sites-available" and noticed that SSLv2, SSLv3, TLSv1 & TLSv1.2 were disabled!
    I edited the line to read "SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1" but still no luck.
    The <IfModule mod_ssl.c> code from ssl.conf and sites-available is below.
    I did not understand the comments in ~/posts/369744, so maybe disabling "SSLSessionTickets off" was a bad idea!
    apachectl -V produced the following:
    Code:
    apachectl -V
    AH00526: Syntax error on line 89 of /etc/apache2/mods-enabled/ssl.conf:
    Invalid command 'SSLSessionTickets', perhaps misspelled or defined by a module not included in the server configuration
    Action '-V' failed.
    The Apache error log may have more information.
    root@golf1:/home/itman# apt-cache policy openssl
    openssl:
      Installed: 1.0.1t-1+deb8u8
      Candidate: 1.0.1t-1+deb8u9
      Version table:
         1.0.2l-1~bpo8+1 0
            100 http://ftp.uk.debian.org/debian/ jessie-backports/main i386 Packages
         1.0.1t-1+deb8u9 0
            500 http://security.debian.org/ jessie/updates/main i386 Packages
     *** 1.0.1t-1+deb8u8 0
            500 http://ftp.uk.debian.org/debian/ jessie/main i386 Packages
            100 /var/lib/dpkg/status
    From ssl.conf:
    Code:
    <IfModule mod_ssl.c>
    
        # Pseudo Random Number Generator (PRNG):
        # Configure one or more sources to seed the PRNG of the SSL library.
        # The seed data should be of good random quality.
        # WARNING! On some platforms /dev/random blocks if not enough entropy
        # is available. This means you then cannot use the /dev/random device
        # because it would lead to very long connection times (as long as
        # it requires to make more entropy available). But usually those
        # platforms additionally provide a /dev/urandom device which doesn't
        # block. So, if available, use this one instead. Read the mod_ssl User
        # Manual for more details.
        #
        SSLRandomSeed startup builtin
        SSLRandomSeed startup file:/dev/urandom 512
        SSLRandomSeed connect builtin
        SSLRandomSeed connect file:/dev/urandom 512
    
        ##
        ##  SSL Global Context
        ##
        ##  All SSL configuration in this context applies both to
        ##  the main server and all SSL-enabled virtual hosts.
        ##
    
        #
        #   Some MIME-types for downloading Certificates and CRLs
        #
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl    .crl
    
        #   Pass Phrase Dialog:
        #   Configure the pass phrase gathering process.
        #   The filtering dialog program (`builtin' is a internal
        #   terminal dialog) has to provide the pass phrase on stdout.
        SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
    
        #   Inter-Process Session Cache:
        #   Configure the SSL Session Cache: First the mechanism
        #   to use and second the expiring timeout (in seconds).
        #   (The mechanism dbm has known memory leaks and should not be used).
        #SSLSessionCache         dbm:${APACHE_RUN_DIR}/ssl_scache
        SSLSessionCache        shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
        SSLSessionCacheTimeout  300
    
        #   Semaphore:
        #   Configure the path to the mutual exclusion semaphore the
        #   SSL engine uses internally for inter-process synchronization.
        #   (Disabled by default, the global Mutex directive consolidates by default
        #   this)
        #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
    
    
        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate. See the
        #   ciphers(1) man page from the openssl package for list of all available
        #   options.
        #   Enable only secure ciphers:
        #SSLCipherSuite HIGH:!aNULL
    
    
        # SSL server cipher order preference:
        # Use server priorities for cipher algorithm choice.
        # Clients may prefer lower grade encryption.  You should enable this
        # option if you want to enforce stronger encryption, and can afford
        # the CPU cost, and did not override SSLCipherSuite in a way that puts
        # insecure ciphers first.
        # Default: Off
        #SSLHonorCipherOrder on
    
        #   The protocols to enable.
        #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
        #   SSL v2  is no longer supported
        #SSLProtocol all -SSLv3
    
        #   Allow insecure renegotiation with clients which do not yet support the
        #   secure renegotiation protocol. Default: Off
        #SSLInsecureRenegotiation on
    
        #   Whether to forbid non-SNI clients to access name based virtual hosts.
        #   Default: Off
        #SSLStrictSNIVHostCheck On
    
        # modern configuration, tweak to your needs
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        SSLHonorCipherOrder on
        SSLCompression off
        #SSLSessionTickets off
    
        # OCSP Stapling, only in httpd 2.3.3 and later
        SSLUseStapling on
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
        SSLStaplingCache shmcb:/var/run/ocsp(128000)
    
    </IfModule>
    
    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
    
    From sites-available:
    Code:
        <IfModule mod_ssl.c>
            SSLEngine on
            SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.2
            # SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
            SSLHonorCipherOrder     on
            # <IfModule mod_headers.c>
            # Header always add Strict-Transport-Security "max-age=15768000"
            # </IfModule>
            SSLCertificateFile /var/www/clients/client1/web9/ssl/dev.greenway.co.uk-le.crt
            SSLCertificateKeyFile /var/www/clients/client1/web9/ssl/dev.greenway.co.uk-le.key
            SSLCertificateChainFile /var/www/clients/client1/web9/ssl/dev.greenway.co.uk-le.bundle
            SSLUseStapling on
            SSLStaplingResponderTimeout 5
            SSLStaplingReturnResponderErrors off
        </IfModule>
    
     

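As an added example (not code from the post above, from Till's guide, or from ISPConfig), the following Python script works out which protocol versions a vhost actually offers once the vhost's own SSLProtocol line overrides the global one in ssl.conf, and flags the pattern that bites here: a "-TLSv1.2" where "-TLSv1.1" was intended leaves only TLSv1.1 enabled, which current clients refuse. The supported-protocol list (no TLSv1.3, matching the Apache 2.4.10 / OpenSSL 1.0.1 generation on Jessie), the "all" default when no directive is present, and the two sample configuration strings are assumptions constructed for the example, modelled on the lines quoted in the post.

```python
"""Resolve which protocol versions an Apache mod_ssl vhost actually offers.

Added example, not part of the forum post or of ISPConfig.  It models the
token rules of mod_ssl's SSLProtocol directive: "all" selects every supported
version, a bare name selects only that version, "+name" adds one, "-name"
removes one, "-SSLv2" is accepted and ignored, and a vhost's own SSLProtocol
replaces the global one from ssl.conf.
"""
import re

# Assumption: the versions an Apache 2.4.10 / OpenSSL 1.0.1 build can speak.
SUPPORTED = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# An uncommented SSLProtocol line; the argument list is captured without trailing blanks.
_DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_sslprotocol(value):
    """Return the set of protocol names enabled by one SSLProtocol argument string."""
    enabled = set()
    for token in value.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):].lower()
        if name == "sslv2":
            if action == "-":
                continue  # mod_ssl tolerates "-SSLv2" although SSLv2 no longer exists
            raise ValueError("SSLv2 is not supported and cannot be enabled")
        if name == "all":
            chosen = set(SUPPORTED)
        else:
            chosen = {p for p in SUPPORTED if p.lower() == name}
            if not chosen:
                raise ValueError(f"unknown protocol token {token!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # a bare name or "all" resets the selection
    return enabled


def last_sslprotocol(config_text):
    """Return the argument string of the last active SSLProtocol line, or None."""
    matches = _DIRECTIVE.findall(config_text)
    return matches[-1] if matches else None


def effective_protocols(global_conf, vhost_conf):
    """Protocols the vhost ends up offering: its own SSLProtocol, else the global one."""
    value = last_sslprotocol(vhost_conf) or last_sslprotocol(global_conf)
    # Assumption: with no directive anywhere, mod_ssl's compiled-in default is "all".
    return parse_sslprotocol(value) if value else set(SUPPORTED)


def assess(protocols):
    """List the reasons clients may refuse to connect (empty list means nothing to report)."""
    findings = []
    if not protocols:
        findings.append("no protocol version is enabled: every TLS handshake will fail")
    elif "TLSv1.2" not in protocols:
        findings.append("TLSv1.2 is disabled; clients that require TLS 1.2 or newer cannot connect "
                        "(check for a '-TLSv1.2' that was meant to be '-TLSv1.1')")
    for legacy in ("SSLv3", "TLSv1"):
        if legacy in protocols:
            findings.append(f"{legacy} is still enabled; disable it unless legacy clients need it")
    return findings


# Constructed samples mirroring the ssl.conf and sites-available lines quoted in the post.
GLOBAL_CONF = """
    #SSLProtocol all -SSLv3
    # modern configuration, tweak to your needs
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
"""
VHOST_AS_POSTED = """
    <IfModule mod_ssl.c>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.2
    </IfModule>
"""
VHOST_FIXED = VHOST_AS_POSTED.replace("-TLSv1.2", "-TLSv1.1")

if __name__ == "__main__":
    for label, vhost in (("as posted", VHOST_AS_POSTED), ("corrected", VHOST_FIXED)):
        offered = effective_protocols(GLOBAL_CONF, vhost)
        print(f"{label}: offers {sorted(offered)}")
        for finding in assess(offered):
            print("  -", finding)
```

Run against the two samples, the "as posted" vhost resolves to TLSv1.1 only and is flagged, while the corrected line resolves to TLSv1.2 with nothing to report. Note that this only reasons about the directive text; an Apache that fails `apachectl configtest` (for example on an `SSLSessionTickets` directive, which builds older than 2.4.11 do not know) never loads the new configuration at all, so the running server keeps whatever it had before.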