Disable TLS 1.0 + 1.1 and weak ciphers

Discussion in 'General' started by Th0m, Dec 5, 2019.

  1. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I'm trying to disable TLS 1.0 + 1.1 in Apache, and weak ciphers.

    I did the following:
    sudo -s
    nano /etc/apache2/mods-available/ssl.conf
    [..]
    # List the enable protocol levels with which clients will be able to
    # connect. Disable SSLv2 access by default:
    # SSLProtocol all -SSLv2 -SSLv3
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    [..]

    and
    [..]
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    # SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
    [..]
    CTRL + Y
    service apache2 restart

    But that didn't work when testing on SSLLabs so I edited the vhost for the website I was testing by commenting SSLProtocol out in the vhost. Restarted apache, rerun the test, but still no change.

    I'm using ISPConfig so I looked it up on the forum and howtoforge, the only page I found was the "How to secure your ISPConfig 3 server against the poodle SSL attack" article which didn't help.

    Am I missing something?
     
  2. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    copy /usr/local/ispconfig/server/conf/vhost.conf.master to /usr/local/ispconfig/server/conf-custom/vhost.conf.master

    edit the SSLProtocol lines in that file in the conf-custom folder (it appears twice), you can also change the ciphersuite in that file if you need to.
    also edit the SSLProtocol line ( and ciphersuite if required ) in /etc/apache2/sites-enabled/000-default-ssl.conf if you have one.
    the same for /etc/apache2/sites-enabled/000-ispconfig.vhost

    do this on all webservers, and on the server hosting the control panel interface if that's a separate server.

    in the control panel, resync all websites on all servers.
     
    Th0m likes this.
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Try Internet Search Engines with this:
    Code:
    site:howtoforge.com disable TLS 1.0
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Thanks! Didn't get the ciphersuite to work yet sadly.
     
  5. Steini86

    Steini86 Active Member

    If you are happy to use the same settings for all websites, I would suggest to delete the SSL entries from the template file (conf-custom). Then the settings in /etc/apache2/mods-available/ssl.conf will be used, so for the future there is only one place to adjust.
    What happens at the moment is, that the settings in ssl.conf get overwritten by the individual per-subhost settings. Removing these is the way to go, if all your websites should run the same config. Important: After changing the template file, you need to resync all websites

    Use mozilla configurator to get your wanted settings:
    https://ssl-config.mozilla.org/
     
    ahrasis likes this.
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I did something similar to this on my nginx server and it is easier to maintain.
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Thanks for the help! I disabled it in the vhost and am now using ssl.conf :)
     
    Steini86 likes this.

Share This Page