I'm trying to disable TLS 1.0 + 1.1 in Apache, and weak ciphers. I did the following:

    sudo -s nano /etc/apache2/mods-available/ssl.conf

    [..]
    # List the enable protocol levels with which clients will be able to
    # connect. Disable SSLv2 access by default:
    # SSLProtocol all -SSLv2 -SSLv3
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    [..]

and

    [..]
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    # SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
    [..]

    CTRL + Y
    service apache2 restart

But that didn't work when testing on SSLLabs, so I edited the vhost for the website I was testing by commenting SSLProtocol out in the vhost. Restarted Apache, reran the test, but still no change.

I'm using ISPConfig, so I looked it up on the forum and howtoforge; the only page I found was the "How to secure your ISPConfig 3 server against the poodle SSL attack" article, which didn't help. Am I missing something?

Copy /usr/local/ispconfig/server/conf/vhost.conf.master to /usr/local/ispconfig/server/conf-custom/vhost.conf.master

Edit the SSLProtocol lines in that file in the conf-custom folder (it appears twice). You can also change the ciphersuite in that file if you need to.

Also edit the SSLProtocol line (and ciphersuite if required) in /etc/apache2/sites-enabled/000-default-ssl.conf if you have one.

The same for /etc/apache2/sites-enabled/000-ispconfig.vhost

Do this on all webservers, and on the server hosting the control panel interface if that's a separate server.

In the control panel, resync all websites on all servers.

If you are happy to use the same settings for all websites, I would suggest deleting the SSL entries from the template file (conf-custom). Then the settings in /etc/apache2/mods-available/ssl.conf will be used, so for the future there is only one place to adjust.

What happens at the moment is that the settings in ssl.conf get overwritten by the individual per-subhost settings. Removing these is the way to go if all your websites should run the same config.

Important: After changing the template file, you need to resync all websites.

Use the Mozilla configurator to get your wanted settings: https://ssl-config.mozilla.org/
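
The override described in this thread (a per-vhost SSLProtocol line winning over the one in ssl.conf) can be checked before re-running an external scan. The following is an added example, not part of any poster's reply or of ISPConfig: it evaluates each SSLProtocol directive and reports which scopes still enable TLS 1.0/1.1. The vhost file name and contents, the expansion of `all`, and the function names are assumptions made for illustration.

```python
import re

# Assumption: what "all" expands to; the real set depends on the Apache/OpenSSL build.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK = {"SSLv3", "TLSv1", "TLSv1.1"}
CANON = {p.lower(): p for p in ALL}

def enabled_protocols(args):
    """Evaluate SSLProtocol arguments left to right: +name adds, -name removes,
    a bare name replaces what was set so far (this example's model of mod_ssl)."""
    enabled = set()
    for tok in args.split():
        name = tok.lstrip("+-").lower()
        names = set(ALL) if name == "all" else {CANON.get(name, name)}
        if tok.startswith("-"):
            enabled -= names
        elif tok.startswith("+"):
            enabled |= names
        else:
            enabled = names
    return enabled

def audit(files):
    """files maps path -> config text. Returns (path, scope, line, weak protocols)
    for every active SSLProtocol directive, global or inside a <VirtualHost>."""
    findings = []
    for path, text in files.items():
        scope = "global"
        for num, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()  # commented-out directives start with "#" and never match
            if m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
                scope = "vhost " + m.group(1).strip()
            elif re.match(r"</VirtualHost>", line, re.I):
                scope = "global"
            elif m := re.match(r"SSLProtocol\s+(.+)", line, re.I):
                weak = sorted(enabled_protocols(m.group(1)) & WEAK)
                findings.append((path, scope, num, weak))
    return findings

# Constructed sample input: the ssl.conf line from the question plus a made-up vhost.
SAMPLE = {
    "/etc/apache2/mods-available/ssl.conf":
        "# SSLProtocol all -SSLv2 -SSLv3\nSSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n",
    "example.vhost":
        "<VirtualHost *:443>\n  SSLEngine on\n  SSLProtocol All -SSLv2 -SSLv3\n</VirtualHost>\n",
}

if __name__ == "__main__":
    for path, scope, num, weak in audit(SAMPLE):
        print(f"{path}:{num} [{scope}] weak protocols still enabled: {weak or 'none'}")
```

To use it on a server, build the `files` mapping from the contents of the Apache configuration files (for example everything under sites-enabled plus ssl.conf) instead of `SAMPLE`.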