Clearification about Installing SSL

Discussion in 'Installation/Configuration' started by Atreides, Mar 18, 2015.

  1. Atreides

    Atreides Member

    Dear all, and Till :)

    My need is to install the SSL cerificate on my server where Ispconfig is installed, and to some Domains hosted.
    To achieve this I found this 2 articles thanks to the forum and I would like a confirmation about what I'm saying:

    1) When I wish to install the SSL on my ISPconfig server then I follow:

    2) When I wish to install the SSL on a domain in the ISPconfig server then I follow:

    Is is right until here?

    If I want to do 2), I've necessary do 1) first or it's indipendent?

    Thank you very much
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    yes. But the post in 2) does not apply to current ispconfig versions and will probably break your server. Adding a ssl cert is dead simpel. Just enable ssl in the website, go to the ssl tab, insert the details, select create certificate as action and press save, thats all to create a self signed cert. then take the csr that is shown in the csr field, let it sign by a ssl authority, cop the new cert into the cert field, select save certificate as action and press save. The process is describe din detail in the ispconfig manual incl. screenshots. In any case, do bot edit any config files, ispconfig code files or ssl cert files manually.

    thats independant.
  3. Atreides

    Atreides Member

    Thanks Till,

    I've successfully installed the SSL Certificate on my domain :) It's the 30 day trial Positive SSL.

    Using this tool I've noticed that some values are marked as "weak":

    TLS_ECDHE_RSA_WITH_RC4_128_SHA  (0xC011)    128    WEAK (RC4 )
    TLS_RSA_WITH_RC4_128_SHA  (0x5)    128    WEAK (RC4 )
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA  (0xC012)    112    WEAK (key size)
    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA  (0x16)    112    WEAK (key size)
    TLS_RSA_WITH_3DES_EDE_CBC_SHA  (0xA)    112    WEAK (key size)
    In the other domain with the same SSL, but hosted in a professional hosting, I have only 1 value marked as "weak":
    TLS_RSA_WITH_3DES_EDE_CBC_SHA  (0xA)    112
    Do you know if I should worry about it and how to increase the security since I will process credit cards in this domain name?

    Thanks a lot for the help!
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Hi, the default ssl ciphers of most linux distributons are not set that strictly to ensure that also older clients (browsers) can connect to them. If you wnat to have only strong ciphers, then you can find a good article here:

    The file where you add it depends on the Linux distribution that you use.
  5. Atreides

    Atreides Member

    Thanks Till,

    very interesting!
    Do you think the actual configuration I have it's enough secure or do you suggest me to work on it?
    What would you do if the server was yours?

    Thanks again!

Share This Page