How to disable SSLv2?

Discussion in 'Installation/Configuration' started by stirfry, Jul 25, 2007.

  1. stirfry

    stirfry New Member

    I'm trying to add the following Apache directive to one of my sites to prevent the use of SSL version 2.0:

    Code:
    SSLCipherSuite -SSLv2
    I tried adding it in the "Apache Directives (Optional)" field on the "Basics" tab of the site, but I got this: "You cannot assign HTTPD Includes to this website."

    I tried editing Vhosts_ispconfig.conf manually, but when I restart Apache, that directive disappears.

    It seems to me that ISPConfig should probably write this into the vhosts config file for any sites using SSL as a security measure. In the meantime does anyone have any ideas for disabling SSLv2?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You can change the ISPConfig function named make_vhost in the file /root/ispconfig/scripts/lib/config.lib.php
     
  3. stirfry

    stirfry New Member

    You guys rock! Thanks! I'm very impressed with both ISPConfig, and the level of support you, Falko, and the rest of the community provide on the forums.

    I had the directive syntax munged in my original post for this thread. In case anyone wants to disable SSLv2 (has known vulnerabilities), this is what I added after the "SSLEngine on" directive in the make_vhost function:

    Code:
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
    
    Just out of curiosity, is there a reason I was not able to add this directive through ISPConfig's "Apache Directives (Optional)" field for the site?
     
  4. falko

    falko Super Moderator Howtoforge Staff

    If you use that field, the directives will be added to the non-SSL vhost, too, which of course results in a syntax error.
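
Because manual edits to the generated vhosts file are overwritten, checking that file after a change to make_vhost confirms that every SSL vhost actually received the `SSLProtocol` line. The following is an added example, not code from the thread or from ISPConfig: `audit_vhosts` and `enabled_protocols` are hypothetical names, the sample config is constructed, and it assumes a mod_ssl of that era where `all` includes SSLv2 and is the default.

```python
import re

# Constructed sample in the style of a generated vhosts file (not from the thread).
SAMPLE = """\
<VirtualHost 192.0.2.10:80>
</VirtualHost>
<VirtualHost 192.0.2.10:443>
SSLEngine on
SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost 192.0.2.11:443>
SSLEngine on
</VirtualHost>
"""

ALL = {"sslv2", "sslv3", "tlsv1"}  # assumption: what "all" means on an older mod_ssl

def enabled_protocols(args):
    """SSLProtocol arguments, left to right: +x adds, -x removes, bare x replaces."""
    enabled = set()
    for word in args.lower().split():
        name = word.lstrip("+-")
        group = set(ALL) if name == "all" else {name}
        if word[0] == "-":
            enabled -= group
        else:
            enabled = enabled | group if word[0] == "+" else group
    return enabled

def audit_vhosts(conf_text):
    """Return (vhost, reason) per SSL vhost that still accepts SSLv2 (vhost scope only)."""
    findings, vhost, ssl_on, proto = [], None, False, None
    for line in (l.strip() for l in conf_text.splitlines()):
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhost, ssl_on, proto = opened.group(1).strip(), False, None
        elif line.lower().startswith("</virtualhost") and vhost:
            if ssl_on and proto is None:
                findings.append((vhost, "no SSLProtocol (assumed default: all)"))
            elif ssl_on and "sslv2" in enabled_protocols(proto):
                findings.append((vhost, "SSLProtocol " + proto))
            vhost = None
        elif vhost and re.match(r"SSLEngine\s+on\b", line, re.I):
            ssl_on = True
        elif vhost and re.match(r"SSLProtocol\s", line, re.I):
            proto = line.split(None, 1)[1]
    return findings

for vhost, reason in audit_vhosts(SAMPLE):
    print(vhost, "->", reason)
```

An `SSLProtocol` set at server level outside the `<VirtualHost>` blocks is not considered, so a vhost reported here may still be covered by a global setting.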
     
