Key Exchange Parameters

Discussion in 'Installation/Configuration' started by neumann, Jan 13, 2023.

  1. neumann

    neumann Member

    I get this response from internet.nl:
    Code:
    Key exchange parameters
    Verdict:
    Your web server supports insufficiently secure parameters for Diffie-Hellman key exchange.
    
    Technical details:
    Web server IP address    Affected parameters    Status
    185.10.222.159    DH-4096    insufficient
    My understanding is that when testing a server on internet.nl, when testing an ispc environment, when testing the web server, the settings are done in /etc/apache2/mods-available/ssl.conf. (But isn't this reset every time ispc is upgraded, and can that be avoided somehow?)

    And whenever I am testing the email setup with internet.nl, those SSL settings are stored in another place, because they adhere to the certificate made for the ispc panel site. I don't know where this file is or what it is named.

    I haven't done much other than changing the Ciphers as suggested elsewhere in this forum, and the cipher order (for the web part), to get green icons. But this last one I can't figure out for the e-mail part. Does anyone have some examples or ideas on what to do?
    Also, when checking email at the same test site, I see to my horror that even though my server setup and ispc version are the absolute latest (ISPC 3.2.9 and Ubuntu 22.04 LTS), TLS 1.0 and TLS 1.1 are still active on the certificate made for the server (the part active for the ispc control panel and the email system, which is not suggested for a modern server). Where and what should be changed, also in a way that the changes do not have to be redone every time ispc is upgraded?
    Also, in the same way, how and where do I change the Ciphers (algorithm selections), and the same question for Key Exchange Parameters.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    First of all, your setup is currently fine, and you should not change anything. Of course, you can start chasing green badges from some test sites you find on the internet; I have seen several users doing this before, and the results are broken setups, lost emails, and so on. Nobody will hack or break your system due to using the default ciphers and TLS modes.

    But of course, if green badges are more important to you than a working and stable system that is compatible with most other devices on the internet, then go for it. The file /etc/apache2/mods-available/ssl.conf is from Ubuntu, not ISPConfig, so ISPConfig will not alter it. When you alter the vhost of the ISPConfig CP, then take care to also copy the file install/tpl/apache_ispconfig.vhost.master from the ISPConfig tar.gz file to the folder /usr/local/ispconfig/server/conf-custom/install/ and alter it as well.
     
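For readers who do decide to adjust the Apache side that the thread talks about, this is an added example (not from the thread, ISPConfig or Ubuntu) of what the relevant directives in /etc/apache2/mods-available/ssl.conf look like on Apache 2.4 with OpenSSL 1.1/3.x; the DH parameter file path is an assumption.

```apache
# Added example, not from the thread. Assumes Apache 2.4 (>= 2.4.8) on
# Ubuntu 22.04 with mod_ssl enabled; /etc/ssl/private/ffdhe4096.pem is an
# assumed path for a PEM file holding the ffdhe4096 group from RFC 7919.

# Before: the stock Ubuntu line still lets old clients negotiate TLS 1.0/1.1.
#   SSLProtocol all -SSLv3
# After: only TLS 1.2 and TLS 1.3 are offered.
SSLProtocol -all +TLSv1.2 +TLSv1.3

# The server, not the client, decides the cipher order, and only
# forward-secret AEAD suites are offered for TLS 1.2.
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

# Key exchange parameters: instead of whatever DH group OpenSSL picks by
# default, point Apache at an explicit, well-known RFC 7919 group. The PEM
# can be the ffdhe4096 text from RFC 7919 Appendix A. Without this line the
# "DH-4096" reported by the scanner is whatever the default group happens
# to be; with it, the group is one you chose and can audit.
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/ffdhe4096.pem"

# Note: these directives only cover vhosts that inherit ssl.conf. The
# ISPConfig control panel vhost carries its own SSL block, so as the
# reply above says, the same change belongs in the copied
# apache_ispconfig.vhost.master template under conf-custom/install/, or
# the next ISPConfig update will write the default block back.
```

Validate with `apache2ctl configtest` before `systemctl reload apache2`, and re-check with a TLS scanner afterwards, because a typo in SSLCipherSuite will silently shrink what clients can connect.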
  3. neumann

    neumann Member

    Ok. Good to know. Thank you Till.
    I will probably just leave as it is. :)
     
