default ssl configuration

Discussion in 'Installation/Configuration' started by Poliman, Nov 3, 2017.

  1. Poliman

    Poliman Member

    Hi. I have two domains, both with LE SSL, and both have the default SSL configuration in the VirtualHost for 443. The first one in ssllabs.com tests shows that it has support for only TLS 1.2, but the second one has support for each TLS version. No idea why, because both have this in their configuration:
    Code:
    SSLProtocol All -SSLv2 -SSLv3
    The one with support for each TLS version is used as the domain for the ISP panel / server hostname. Is it possible that something overwrites their configs?
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I might not understand your question, but SSLProtocol is set in /etc/apache2/sites-enabled/000-ispconfig.vhost (on debian) for the ispconfig panel vhost.
     
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Anything is possible. Which one is being overwritten? The ISPC one or the other domain? Do check if you have an existing custom vhost set to override the default.
     
  4. Poliman

    Poliman Member

    I have a few domains created under ISP. One is used to get an LE SSL cert for the ISP panel. When I put their addresses into ssllabs.com to test their SSL certs, I get this result:
    - the domain used to provide SSL for ISP has rating A+, and in the Protocols tab I see support (that they are turned on) for TLS 1.2, TLS 1.1, TLS 1.0, but in the .vhost file for this domain I have the config --> SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    - the other domain has the config (default, created by ISP after turning on LE SSL) --> SSLProtocol All -SSLv2 -SSLv3 - but in the ssllabs.com test it of course gets A+, and in the Protocols tab I see "yes" only for TLS 1.2

    I have the default ispconfig vhost file; all files are default. And I don't get the difference. It's strange. The Apache2 ssl.conf file also has the setting --> SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    PS
    The 000-ispconfig.vhost file has the line (it's default, I don't change ISP files) --> SSLProtocol All -SSLv3
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You may need to go through your domain vhost files to be sure what's gone wrong, as all my domains (on an nginx server, not apache) don't have these problems so far.
     
  6. Poliman

    Poliman Member

    I didn't have these problems either on ISP version 3.1.5. Then I updated to 3.1.7p1 and I have this strange thing. Hard to determine whether it depends on that or not. And it's really strange, because I have all default .vhost files, but I will try to check this one domain's vhost file and compare it with the other files. :)

    PS
    I used BeyondCompare to compare the two domains - without success. I can send you both files in a PM if you would like to help find out what's wrong.
     
    Last edited: Nov 7, 2017
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    What port do you access the control panel on, 8080 (or anything other than 443)? If so, the SSLProtocol setting in 000-ispconfig.vhost is what is in effect, not the setting for the port 443 vhost.
     
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    ssllabs.com only checks port 443, which means you must have checked your ISPC domain and the other domain on that port, not on 8080.

    That's why in my earlier reply I was curious about the vhost file of the other domain, which only has TLS1.2 instead of all three like your ISPC domain.

    You may PM me, but I can't promise to resolve this either.
     
  9. Poliman

    Poliman Member

    My ISP panel works on port 8080 but uses the domain which you have in the last PM with the s1 prefix. I used your tutorial to set up https for the ISP panel. You know, a domain created under ISP, turning on LE SSL and SSL etc. Of course, when I enter only the domain without a port in the browser, I get the default index page generated by ISP, which is the needed result. That's why I check the domain vhost file, not the ISP vhost, and therefore it's strange for me. :)

    PS
    I sent a PM. ;)
     
    Last edited: Nov 8, 2017
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Sorry I missed your SSLProtocol while reading your earlier posts, so try to change SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 to SSLProtocol All -SSLv2 -SSLv3 only, as the former is at fault for disabling TLSv1 and TLSv1.1.

    As stated in my first reply, check if you have a custom vhost conf that overrides the default vhost.conf.master, because the default is the one I suggested as a fix above, and yours is not.
     
  11. Poliman

    Poliman Member

    List of conf files from /etc/apache2/sites-enabled:
    Code:
    total 0
    lrwxrwxrwx 1 root root 39 Apr 14  2017 000-apps.vhost -> /etc/apache2/sites-available/apps.vhost
    lrwxrwxrwx 1 root root 35 Apr 13  2017 000-default.conf -> ../sites-available/000-default.conf
    lrwxrwxrwx 1 root root 43 Apr 14  2017 000-ispconfig.conf -> /etc/apache2/sites-available/ispconfig.conf
    lrwxrwxrwx 1 root root 44 Apr 14  2017 000-ispconfig.vhost -> /etc/apache2/sites-available/ispconfig.vhost
    lrwxrwxrwx 1 root root 54 Jun 22 11:26 100-domain1.com.vhost -> /etc/apache2/sites-available/domain1.com.vhost
    lrwxrwxrwx 1 root root 54 Oct 19 14:31 100-domain2.pl.vhost -> /etc/apache2/sites-available/domain2.pl.vhost
    lrwxrwxrwx 1 root root 54 Oct 16 14:42 100-domain3.pl.vhost -> /etc/apache2/sites-available/domain3.pl.vhost
    lrwxrwxrwx 1 root root 45 Oct 10 10:10 100-domain4.pl.vhost -> /etc/apache2/sites-available/domain4.pl.vhost
    lrwxrwxrwx 1 root root 47 Oct 10 13:16 100-domain5.pl.vhost -> /etc/apache2/sites-available/domain5.vhost
    lrwxrwxrwx 1 root root 50 Oct 27 09:30 100-domain6.vhost -> /etc/apache2/sites-available/domain6.vhost
    lrwxrwxrwx 1 root root 48 May 24 14:16 100-domain7.vhost -> /etc/apache2/sites-available/domain7.vhost
    lrwxrwxrwx 1 root root 48 Jul 19 06:55 100-domain8.pl.vhost -> /etc/apache2/sites-available/domain8.vhost
    lrwxrwxrwx 1 root root 49 Jun 27 15:05 100-s1.isplessldomain.net.vhost -> /etc/apache2/sites-available/s1.isplessldomain.net.vhost
    lrwxrwxrwx 1 root root 59 Sep 26 09:27 100-test1.s1.isplessldomain.net.vhost -> /etc/apache2/sites-available/test1.s1.isplessldomain.net.vhost
    lrwxrwxrwx 1 root root 55 Jul 27 09:27 100-test2.s1.isplessldomain.net.vhost -> /etc/apache2/sites-available/test2.s1.isplessldomain.net.vhost
    lrwxrwxrwx 1 root root 57 Sep 25 10:44 100-test3.s1.isplessldomain.net.vhost -> /etc/apache2/sites-available/test3.s1.isplessldomain.net.vhost
    lrwxrwxrwx 1 root root 55 Sep  1 14:46 100-test4.s1.isplessldomain.net.vhost -> /etc/apache2/sites-available/test4.s1.isplessldomain.net.vhost
    lrwxrwxrwx 1 root root 58 Sep  6 07:02 100-test5.s1.isplessldomain.net.vhost -> /etc/apache2/sites-available/test5.s1.isplessldomain.net.vhost
    lrwxrwxrwx 1 root root 55 Sep  1 11:48 100-test6.s1.isplessldomain.net.vhost -> /etc/apache2/sites-available/test6.s1.isplessldomain.net.vhost
    PS
    I changed SSLProtocol as you mentioned in your earlier post. :) Now I have it like in each of the other .vhost files:
    Code:
    SSLProtocol All -SSLv2 -SSLv3
    In the attachment I also added the ssl.conf file from /etc/apache2/mods-enabled/

    I used the command
    Code:
    grep -rn '/etc/apache2/' -e 'SSLProtocol'
    to find where the string SSLProtocol is matched - only in the files which I pasted above, and in each of them it looks like:
    - for each domain .vhost -> SSLProtocol All -SSLv2 -SSLv3
    - for ispconfig.vhost -> SSLProtocol All -SSLv3
    - for /etc/apache2/mods-available/ssl.conf -> SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
     

    Last edited: Nov 10, 2017
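An added example (not code from the thread or from ISPConfig) that works through the point made in posts 7, 8 and 11: which VirtualHost a TLS scan on a given port actually reaches, and which SSLProtocol directive therefore applies. The config snippets are constructed from the directives quoted above with invented hostnames, and the resolver assumes Apache 2.4 mod_ssl semantics (a vhost directive overrides ssl.conf, "all" means SSLv3 through TLSv1.2, an unmatched name falls to the first vhost on that port).

```python
"""Which SSLProtocol does a scan of host:port actually hit?  Added example,
not code from the thread or from ISPConfig.  Assumes Apache 2.4 on OpenSSL
1.0.1+, where mod_ssl's "all" means SSLv3 + TLSv1 + TLSv1.1 + TLSv1.2 (no
SSLv2; TLS 1.3 did not exist in 2017).  Config texts are constructed samples."""
import re

ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

def parse_sslprotocol(args):
    """Expand an SSLProtocol argument list such as 'All -SSLv2 -SSLv3' into a set."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL if name.lower() == "all" else (name,)
        for n in names:
            if sign == "+":
                enabled.add(n)
            else:
                enabled.discard(n)   # '-SSLv2' is a harmless no-op on 2.4
    return enabled

def find_directive(text):
    m = re.search(r"^\s*SSLProtocol\s+(.+?)\s*$", text, re.M | re.I)
    return m.group(1) if m else None

def vhost_block(files, server_name, port):
    """Body of the vhost Apache picks: ServerName match, else first vhost on that port."""
    first = None
    for text in files:
        for m in re.finditer(r"<VirtualHost\s+[^>]*:(\d+)\s*>(.*?)</VirtualHost>", text, re.S | re.I):
            if int(m.group(1)) != port:
                continue
            body = m.group(2)
            first = body if first is None else first
            if re.search(r"^\s*ServerName\s+%s\s*$" % re.escape(server_name), body, re.M | re.I):
                return body
    return first

def effective_protocols(global_conf, files, server_name, port):
    """Vhost directive wins, then ssl.conf, then mod_ssl's 2.4.17+ default (assumed)."""
    body = vhost_block(files, server_name, port) or ""
    args = find_directive(body) or find_directive(global_conf) or "all -SSLv3"
    return sorted(parse_sslprotocol(args))

# Constructed samples modelled on the thread: mods-enabled/ssl.conf plus three vhosts.
SSL_CONF = "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n"
VHOSTS = [
    "<VirtualHost *:443>\n  ServerName domain1.example\n  SSLProtocol All -SSLv2 -SSLv3\n</VirtualHost>\n",
    "<VirtualHost *:443>\n  ServerName domain2.example\n</VirtualHost>\n",   # no directive: inherits ssl.conf
    "<VirtualHost _default_:8080>\n  ServerName panel.example\n  SSLProtocol All -SSLv3\n</VirtualHost>\n",
]
```

Calling `effective_protocols(SSL_CONF, VHOSTS, "panel.example", 443)` returns the domain1 vhost's three TLS versions, not the panel's 8080 setting, which is the behaviour ssllabs.com reported in the thread.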