Slow browsing in HTTPS

Discussion in 'Installation/Configuration' started by cremos, Jan 21, 2021.

  1. cremos

    cremos Member

    Testing the certificate before the update we were at A+, and since the move to version 3.2.2 we are at B.

     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    This seems quite pertinent to the slow/timeout issue?
     
  3. Steini86

    Steini86 Active Member

    Have you restarted Apache after the changes? Can you post again your vhost file after the change? Do you have a /usr/local/ispconfig/server/conf-custom/vhost.conf.master file? If yes, backup and remove that file. Then do resync of web again.
     
  4. cremos

    cremos Member

    I no longer modified the vhost file after the server upgrade to version 3.2.2. I don't understand why there is a hash in front of the line #SSLCipherSuite, and this in all vhosts, with the SSLHonorCipherOrder option set to "on"; I then restarted the apache server.

    /usr/local/ispconfig/server/conf-custom/vhost.conf.master file?
    No, I don't have a custom file in /usr/local/ispconfig/server/conf-custom/vhost.conf.master but the one in /usr/local/ispconfig/server/conf/vhost.conf.master
     
    Last edited: Jan 23, 2021
  5. cremos

    cremos Member

    Attached vhost file in question.
     


  6. Steini86

    Steini86 Active Member

    Apache has default options for SSL if nothing is set. They get overwritten by options in the file /etc/apache2/mods-enabled/ssl.conf. They again get overwritten by individual settings in the vhost file. So if a line in the vhost is commented out, the option in ssl.conf is chosen. If it is commented out there too, the default is used.
    Your apache config (in debian: /etc/apache2/apache2.conf) sets the order of the files, from top to bottom, with later ones overwriting previous options. Usually it's like:
    1) IncludeOptional mods-enabled/*.load
    2) IncludeOptional mods-enabled/*.conf
    3) Include ports.conf
    4) IncludeOptional conf-enabled/*.conf
    5) IncludeOptional sites-enabled/
    So, as you see, the file in mods-enabled is included before the vhost file in sites-enabled. If you include additional files somewhere (for example the manual letsencrypt file), then they will overwrite it.
     
  7. Steini86

    Steini86 Active Member

    You have a typo in:
    Code:
    SSLProtocol -all +LSv1.2
    You deactivate all protocols and add "LSv1.2", which is not a valid protocol. So, no usable protocol is found. That config is not from ispconfig, so you must have overwritten that somewhere.

    In general, you should use
    Code:
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    that is more future proof. It supports TLSv1.2 and TLSv1.3 and all protocols that will be added in the future. Your current setting needs adjustment if a new protocol comes out, and additionally it only supports TLS 1.2, which is slower and less secure than TLS 1.3.
     
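Added example (editor's, not a script from any post in this thread): a small POSIX sh script that puts the two points above together. It walks an Apache config tree in the include order listed (mods-enabled, then conf-enabled, then sites-enabled), prints every SSLProtocol line it finds, marks the commented-out ones, and flags tokens that are not mod_ssl protocol keywords, so a typo like +LSv1.2 shows up without waiting for a Qualys scan. One thing it deliberately does not model: a directive inside a <VirtualHost> overrides the server-wide one regardless of file order; file order only decides between directives in the same scope, where the last one read wins. The config directory default and the Debian layout are assumptions.

```shell
#!/bin/sh
# Added example: audit SSLProtocol directives across an Apache config tree in
# the order Apache includes them. The config directory is an assumption
# (Debian layout, /etc/apache2 by default).

# Protocol keywords mod_ssl accepts (Apache 2.4 with OpenSSL 1.1.1 or later).
VALID_PROTOS="all SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# check_sslprotocol_line "<directive line>"
# Prints "ok" when every token is a known keyword with an optional +/- prefix,
# otherwise "bad:<token>" for the first unknown one (this catches +LSv1.2).
check_sslprotocol_line() {
    args=$(printf '%s\n' "$1" | sed 's/^[[:space:]]*SSLProtocol[[:space:]]*//')
    for tok in $args; do
        bare=$(printf '%s\n' "$tok" | sed 's/^[-+]//')
        found=0
        for v in $VALID_PROTOS; do
            [ "$bare" = "$v" ] && { found=1; break; }
        done
        if [ "$found" -eq 0 ]; then
            printf 'bad:%s\n' "$tok"
            return 0
        fi
    done
    printf 'ok\n'
}

# audit_tree [config-dir]
# Walks mods-enabled, conf-enabled, sites-enabled (the order apache2.conf
# includes them) and reports each SSLProtocol line as active or commented-out.
# Note: a directive inside <VirtualHost> beats a server-wide one regardless of
# file order; order only matters between directives in the same scope.
audit_tree() {
    dir=${1:-/etc/apache2}
    for f in "$dir"/mods-enabled/*.conf "$dir"/conf-enabled/*.conf "$dir"/sites-enabled/*; do
        [ -f "$f" ] || continue
        grep -n 'SSLProtocol' "$f" | while IFS=: read -r n text; do
            case "$text" in
                *'#'*SSLProtocol*) printf '%s:%s commented-out: %s\n' "$f" "$n" "$text" ;;
                *) printf '%s:%s active (%s): %s\n' "$f" "$n" "$(check_sslprotocol_line "$text")" "$text" ;;
            esac
        done
    done
}

# Usage: audit_tree            # or: audit_tree /etc/apache2
```

Run it as the user that can read the vhost files; a line reported as "commented-out" in sites-enabled means the value in mods-enabled/ssl.conf (or Apache's built-in default) is what the vhost actually gets.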
  8. cremos

    cremos Member

    Thank you very much for all these explanations; they allowed me to clearly understand the loading order of the apache files.
    I have two things that intrigue me when testing on the Qualys SSL Labs site:
    Overall Rating = B & Protocol Support = TLS 1.3, with a "Protocol or cipher suite mismatch" error.
    I have other sites hosted on other servers where the test, with only TLS 1.2 activated, gives:
    Overall Rating = A+ & no protocol or cipher suite mismatch error.
    Example: foad.ac-amiens.fr
    I can't understand where this slowness comes from in HTTPS mode.
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    The slowness is caused by a misconfiguration to get the right TLS ciphers. That's why I'm wondering if the problem is a faulty HAProxy setup.
     
  10. cremos

    cremos Member

    In the configuration of Haproxy version 1.5.8-3+ I have nothing in "global settings here" regarding SSL.
    If the last files read by apache are the vhosts, why can I not activate TLS 1.3 during my tests?
     
    Last edited: Jan 23, 2021
  11. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    In your vhost, you have "SSLProtocol -all +LSv1.2". This should be "SSLProtocol -all +TLSv1.2" or even better "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1". Fix this, restart Apache, and see what happens. Maybe this is a typo in your vhost.conf.master, do you have a custom one in /usr/local/ispconfig/server/conf-custom?
    (I wrote the part below first, but then saw this)

    It's just a step of troubleshooting to test this. I don't think it takes a lot of time testing this, especially to fix such an issue. It might seem unnecessary, but it can be such a small stupid thing that's the problem.

    Can you share your apache config (/etc/apache2/apache2.conf)?
     
  12. cremos

    cremos Member

    Hello!
    Thank you for your help! After the upgrade of Ispconfig I did: Go to tools -> resync services and resync your websites.
    In the vhost in question:
    Code:
      <IfModule mod_ssl.c>
                    SSLEngine on
                    SSLProtocol  all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    Qualys SSL Labs result for madeleine.michelis-amiens.lyc.ac-amiens.fr:
    Overall Rating = B
    Activated protocols: TLS 1.3, TLS 1.2, TLS 1.1 and TLS 1.0
    However, the TLS 1.0 and TLS 1.1 protocols are disabled in the vhost,
    and always the Cipher Suites error: "Protocol or cipher suite mismatch"

    No, I have never customized /usr/local/ispconfig/server/conf-custom
    Attached is the apache2.conf file
     


  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you share the content of /usr/local/ispconfig/server/conf/vhost.conf.master?
     
  14. Steini86

    Steini86 Active Member

    Does your HAProxy do the SSL termination? Then you have to change your HAProxy settings https://www.haproxy.com/blog/haproxy-ssl-termination/
    It might be enough to update your HAProxy.
    This version is from 2016. TLS1.3 was defined in 2018. See here for instructions how to install newest version: https://haproxy.debian.net/

    From your server, test your local web:
    Code:
    openssl s_client -crlf -connect 192.168.236.50:443 -tls1_2
    openssl s_client -crlf -connect 192.168.236.50:443 -tls1_1
    openssl s_client -crlf -connect 192.168.236.50:443 -tls1
    If tls1_1 and tls1_0 are working, then it is an apache problem. If only tls1_2 is working, then apache is good and your haproxy is the problem.
     
    Last edited: Jan 24, 2021
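Added example (editor's, not a command from any post in this thread): a shell script built around the openssl s_client probe suggested above, extended with the -servername flag (so the right vhost answers, as noted later in the thread) and with -tls1_3, plus a helper that reads s_client's output and says whether the handshake was accepted or refused and which verify code came back. Two things worth reading off the result: "New, (NONE), Cipher is (NONE)" means the server refused that protocol version, whereas "Verify return code: 20 (unable to get local issuer certificate)" is printed after a successful handshake and means only that the probing host could not build the chain from its own trust store (no -CAfile and an incomplete CA bundle, for instance); it is not evidence of a protocol problem. The host, port and server name in the usage line are the ones from the thread, used as placeholders; -tls1_3 needs OpenSSL 1.1.1 or later, and an older client rejects the flag before connecting, which the classifier reports as refused.

```shell
#!/bin/sh
# Added example: probe one TLS endpoint per protocol version with openssl
# s_client and summarise each answer. Host, port and SNI name are assumptions
# (the thread's backend IP and hostname are used as placeholders).

# classify_s_client_output "<full s_client output>"
# Reads the "New, <proto>, Cipher is <cipher>" line that s_client prints after
# the handshake. "(NONE)" there means the server refused that protocol version.
# Prints "accepted <proto> <cipher> verify=<code>" or "refused".
classify_s_client_output() {
    out=$1
    new_line=$(printf '%s\n' "$out" | grep '^New, ' | head -n 1)
    case "$new_line" in
        ''|*'Cipher is (NONE)'*) printf 'refused\n'; return 0 ;;
    esac
    proto=$(printf '%s\n' "$new_line" | sed 's/^New, \([^,]*\), Cipher is .*/\1/')
    cipher=$(printf '%s\n' "$new_line" | sed 's/^New, [^,]*, Cipher is //')
    # The verify code is about the client's trust store, not the protocol:
    # 0 = chain verified, 20 = issuer not found locally (e.g. no -CAfile).
    code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    printf 'accepted %s %s verify=%s\n' "$proto" "$cipher" "${code:-?}"
}

# probe_versions <host> <port> <servername>
# Connects once per version flag; -servername is what selects the vhost.
# -tls1_3 needs OpenSSL >= 1.1.1; an older client rejects the flag before
# connecting, so that row shows as "refused" even if the server supports it.
probe_versions() {
    host=$1; port=$2; sni=$3
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        out=$(printf 'Q\n' | openssl s_client -servername "$sni" -connect "$host:$port" "$flag" 2>&1)
        printf '%-8s %s\n' "$flag" "$(classify_s_client_output "$out")"
    done
}

# Usage: run on the HAProxy host against the backend, then from another machine
# in the network, and compare (names from the thread, used as placeholders):
#   probe_versions 192.168.236.50 443 madeleine.michelis-amiens.lyc.ac-amiens.fr
```

If -tls1 or -tls1_1 come back as refused from every client, check the client side too: a distribution openssl.cnf that pins MinProtocol to TLSv1.2 makes the client give up before the server has a chance to answer.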
  15. cremos

    cremos Member

    Attached is the apache2.conf file
    /usr/local/ispconfig/server/conf/vhost.conf.master
     


  16. cremos

    cremos Member

    No, my haproxy does not support SSL.
    I am using SSL Pass-Through, which forwards SSL connections to Ispconfig in transparent mode.
    I have nothing in "global settings here" regarding SSL.
    Indeed, the Haproxy 1.5 version does not support the TLS 1.3 protocol.
    I do not have high availability on the hosting platform. When updating haproxy to a newer version I am afraid that I will run into outdated options.

    Test performed using haproxy: return code: 20 (unable to get local issuer certificate)
    for all three protocols.
    Code:
    openssl s_client -crlf -connect 192.168.236.50:443 -tls1_2
    openssl s_client -crlf -connect 192.168.236.50:443 -tls1_1
    openssl s_client -crlf -connect 192.168.236.50:443 -tls1
        Start Time: 1611503794
        Timeout   : 7200 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    From another server, for all three protocols (-tls1, -tls1_1, -tls1_2), the command returns:
    Code:
        Start Time: 1611504800
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: yes
    ---
    closed
     
    Last edited: Jan 24, 2021
  17. cremos

    cremos Member

    Attached is the config Haproxy
     


  18. Steini86

    Steini86 Active Member

    HAProxy Version 1.5 is unmaintained. This is a security problem: http://www.haproxy.org/
    If your results differ, then HAProxy is messing with SSL. "unable to get local issuer certificate" sounds like a problem with your letsencrypt certificate.
    I am not using haproxy, but your configuration does not look like any of the examples I found with google. SSL passthrough seems to be done with "mode tcp", whereas you have "mode http". Best to look in the documentation.
    See also: https://community.ptc.com/t5/IoT-Tech-Tips/HAProxy-SSL-Passthrough-configuration/td-p/554395
     
  19. cremos

    cremos Member

    Hello!
    The let's encrypt certificates are valid attached capture.

    F12 Development Tools> Security
    Code:
    Security overview
    This page is secure (valid HTTPS).
    Certificate - valid and trusted
    The connection to this site is using a valid, trusted server certificate issued by R3.
    View certificate
    Connection - secure connection settings
    The connection to this site is encrypted and authenticated using TLS 1.3, X25519, and AES_256_GCM.
    Resources - all served securely
    All resources on this page are served securely.
    I confirm that we are in SSL pass-through in TCP mode; below is an extract from the configuration:

    Code:
    ### TLS 1.3 HAProxy with SSL Pass-Through ###
    
    frontend panel3-https-Pass-Through
    
            # ask HAProxy to pick up all http (80) and https (443) requests
            ###bind 194.254.103.168:80
    
            # for https requests, supply the certificate(s)
            bind 194.254.103.168:443  ### ssl crt /etc/haproxy/ssl/mon_certificat_ssl.pem crt /etc/haproxy/ssl/mon_certificat_ssl_2.pem
    
            mode tcp
            option tcplog
    
    
    backend panel3-in_https-Pass-Through
    
            mode tcp
    
           server panel3_https.in 192.168.236.50:443 check-ssl verify none ## send-proxy = option forwardfor

    When I got the error "unable to get local issuer certificate", this was from my haproxy with the command:
    Code:
    openssl s_client -crlf -connect 192.168.236.50:443 -tls1_2
    
    From another server in the network this sends back:
    Verify return code: 0 (ok)
     
    Last edited: Jan 25, 2021
  20. Steini86

    Steini86 Active Member

    Are you sure the check-ssl option is what you want?
    https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#5.2-check-ssl

    If I now connect to your site, then it needs 10 seconds (some timeout of haproxy?) and then the site loads relatively quick. If it is a timeout, you should find something in your logs.

    For the openssl command from your haproxy, you might need to specify the servername, to get the right vhost .. (sorry, forgot about that)
    Code:
    openssl s_client -crlf -servername madeleine.michelis-amiens.lyc.ac-amiens.fr -connect 192.168.236.50:443 -tls1_2
     
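Added example (editor's, not from any post in this thread): the post above reports a roughly 10 second pause before the site loads. The shell script below splits one HTTPS request into its phases with curl's --write-out timers (TCP connect, TLS handshake complete, first byte, total) and names the phase that took the time. Running it once against the public address (through HAProxy) and once with --resolve pinning the same hostname to the Apache box behind it keeps the Host header and SNI identical, so a delay that shows only on the HAProxy path belongs to the proxy, and one that shows on both belongs to Apache or the application. The hostname and backend IP in the usage lines are the ones from the thread, used as placeholders; the 2 s threshold is an assumption.

```shell
#!/bin/sh
# Added example: locate which phase of an HTTPS request is slow, using curl's
# --write-out timers. Hostname, backend IP and threshold are assumptions.

# ge <x> <y>: true when x >= y, compared as decimals (sh has no float test).
ge() { awk -v x="$1" -v y="$2" 'BEGIN { exit !(x >= y) }'; }

# classify_timing <time_connect> <time_appconnect> <time_starttransfer> <time_total> [threshold]
# All values are seconds as printed by curl's -w format below. Prints which
# phase crossed the threshold (default 2 s):
#   tcp    : the TCP connect itself was slow (network, firewall, proxy not accepting)
#   tls    : TCP was quick but the TLS handshake dragged (version/cipher
#            negotiation, wrong SNI, a proxy stalling before it forwards the ClientHello)
#   server : handshake done, first byte slow (backend or application)
#   ok     : nothing crossed the threshold
classify_timing() {
    connect=$1; appconnect=$2; starttransfer=$3; total=$4; thr=${5:-2}
    tls=$(awk -v a="$appconnect" -v c="$connect" 'BEGIN { printf "%.3f", a - c }')
    srv=$(awk -v s="$starttransfer" -v a="$appconnect" 'BEGIN { printf "%.3f", s - a }')
    if   ge "$connect" "$thr"; then printf 'tcp connect=%s\n' "$connect"
    elif ge "$tls" "$thr";     then printf 'tls handshake=%s\n' "$tls"
    elif ge "$srv" "$thr";     then printf 'server first-byte=%s\n' "$srv"
    else                            printf 'ok total=%s\n' "$total"
    fi
}

# measure_phases <https-url> [backend-ip]
# One request, body discarded. With a backend IP, --resolve pins the hostname
# to that IP so Host header and SNI stay the same as on the public path.
measure_phases() {
    url=$1; ip=$2
    host=$(printf '%s\n' "$url" | sed 's#^https://##; s#[/:].*##')
    fmt='%{time_connect} %{time_appconnect} %{time_starttransfer} %{time_total}\n'
    if [ -n "$ip" ]; then
        curl -sS -o /dev/null --resolve "$host:443:$ip" -w "$fmt" "$url"
    else
        curl -sS -o /dev/null -w "$fmt" "$url"
    fi
}

# Usage (hostname and backend IP taken from the thread, as placeholders):
#   classify_timing $(measure_phases https://madeleine.michelis-amiens.lyc.ac-amiens.fr/)                 # via HAProxy
#   classify_timing $(measure_phases https://madeleine.michelis-amiens.lyc.ac-amiens.fr/ 192.168.236.50)  # straight to Apache
```

Run each measurement a few times, since the first request after an idle period can include a cold cache or a DNS lookup that the next ones do not; a consistent "tls handshake" result on the proxy path and "ok" on the direct path is the pattern to look for when the proxy sits in the TLS path.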
