Testing the certificate before the update, we were A+, and since moving to version 3.2.2 we are at B.
Have you restarted Apache after the changes? Can you post your vhost file again after the change? Do you have a /usr/local/ispconfig/server/conf-custom/vhost.conf.master file? If yes, back up and remove that file. Then do a resync of web again.
I did not modify the vhost file again after the server upgrade to version 3.2.2. I don't understand why there is a hash in front of the line #SSLCipherSuite, and this in all vhosts, with the SSLHonorCipherOrder option set to "on"; I then restarted the Apache server. "/usr/local/ispconfig/server/conf-custom/vhost.conf.master file?" No, I don't have a custom file in /usr/local/ispconfig/server/conf-custom/vhost.conf.master, only the one in /usr/local/ispconfig/server/conf/vhost.conf.master.
Apache has default options for SSL if nothing is set. They get overwritten by options in the file /etc/apache2/mods-enabled/ssl.conf. Those again get overwritten by individual settings in the vhost file. So if a line in the vhost is commented out, the option in ssl.conf is chosen. If it is commented out there too, the default is used. Your apache config (in debian: /etc/apache2/apache.conf) defines the order of the files, from top to bottom, with later ones overwriting previous options. Usually it's like:
1) IncludeOptional mods-enabled/*.load
2) IncludeOptional mods-enabled/*.conf
3) Include ports.conf
4) IncludeOptional conf-enabled/*.conf
5) IncludeOptional sites-enabled/
So, as you see, the file in mods-enabled is included before the vhost file in sites-enabled. If you include additional files somewhere (for example the manual letsencrypt file), then they will overwrite it.
You have a typo in:
Code:
SSLProtocol -all +LSv1.2
You deactivate all protocols and add "LSv1.2", which is not a valid protocol. So no usable protocol is found. That config is not from ispconfig, so you must have overwritten that somewhere. In general, you should use
Code:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
That is more future proof. It supports TLSv1.2 and TLSv1.3 and all protocols that will be added in the future. Your current setting needs adjustment if a new protocol comes out, and additionally it only supports TLS1.2, which is slower and less secure than TLS1.3.
Thank you very much for all these explanations; they allowed me to clearly understand the loading order of the apache files. I have two things that intrigue me when testing on the Qualys SSL Labs site: Overall Rating = B, and Protocol Support = TLS 1.3 with a "Protocol or cipher suite mismatch" error. I have other sites hosted on other servers where the test gives, with only TLS1.2 activated: Overall Rating = A+ and no protocol mismatch or cipher suite error. Example: foad.ac-amiens.fr. I can't understand where this slowness comes from in HTTPS mode.
The slowness is caused by a misconfiguration to get the right TLS ciphers. That's why I'm wondering if the problem is a faulty HAProxy setup.
In the configuration of Haproxy version 1.5.8-3+ I have nothing in "global settings here" regarding SSL. If the last files read by apache are the vhosts, why can't I activate TLS 1.3 during my tests?
In your vhost, you have "SSLProtocol -all +LSv1.2". This should be "SSLProtocol -all +TLSv1.2" or, even better, "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1". Fix this, restart Apache, and see what happens. Maybe this is a typo in your vhost.conf.master; do you have a custom one in /usr/local/ispconfig/server/conf-custom? (I wrote the part below first, but then saw this.) It's just a step of troubleshooting to test this. I don't think it takes a lot of time testing this, especially to fix such an issue. It might seem unnecessary, but it can be such a small stupid thing that's the problem. Can you share your apache config (/etc/apache2/apache2.conf)?
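The two points made above, that the last uncommented SSLProtocol in Apache's include order wins and that "-all +LSv1.2" leaves no valid protocol, can be checked mechanically. The following is an added example written for this thread, not code from ISPConfig or from any poster: it walks an ordered list of (file name, contents) pairs the way Apache includes them and expands the winning SSLProtocol value with the rules Apache 2.4's mod_ssl applies (case-insensitive names, "all" as a shorthand, "-SSLv2" tolerated, an unknown name rejected as an illegal protocol, a bare token replacing what was set before). The file names and contents are constructed.

```python
import re

# Protocol names Apache 2.4 mod_ssl accepts in SSLProtocol; "all" expands to these.
# SSLv2 support is gone: "-SSLv2" is tolerated for old configs, "+SSLv2" is rejected.
KNOWN_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
CANONICAL = {p.lower(): p for p in KNOWN_PROTOCOLS}
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}

DIRECTIVE_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def winning_directive(config_files):
    """Return (file name, SSLProtocol value) of the directive that takes effect.

    config_files is an ordered list of (name, text) in the order Apache includes
    them (mods-enabled/ssl.conf before sites-enabled/*). A later uncommented
    directive overrides an earlier one; commented-out lines are ignored, so the
    earlier setting (or the built-in default) stays in force.
    """
    winner = None
    for name, text in config_files:
        for line in text.splitlines():
            if line.lstrip().startswith("#"):
                continue
            m = DIRECTIVE_RE.match(line)
            if m:
                winner = (name, m.group(1))
    return winner


def evaluate_ssl_protocol(value):
    """Expand an SSLProtocol value into (set of enabled protocols, list of problems)."""
    enabled = set()
    problems = []
    for token in value.split():
        sign, name = "", token
        if token[0] in "+-":
            sign, name = token[0], token[1:]
        key = name.lower()
        if key == "all":
            targets = set(KNOWN_PROTOCOLS)
        elif key == "sslv2":
            if sign == "-":
                continue  # harmless leftover from old configs, mod_ssl skips it
            problems.append("SSLv2 is no longer supported")
            continue
        elif key in CANONICAL:
            targets = {CANONICAL[key]}
        else:
            # e.g. "+LSv1.2": mod_ssl reports "Illegal protocol" and the config is refused
            problems.append(f"Illegal protocol {name!r} in token {token!r}")
            continue
        if sign == "-":
            enabled -= targets
        elif sign == "+":
            enabled |= targets
        else:
            # a bare token replaces the set built so far (mod_ssl logs a warning about it)
            if enabled:
                problems.append(f"bare token {token!r} overrides earlier protocols (missing +/-?)")
            enabled = set(targets)
    if not enabled:
        problems.append("no usable protocol left: every TLS handshake will fail")
    weak = sorted(enabled & DEPRECATED)
    if weak:
        problems.append("deprecated protocols still enabled: " + ", ".join(weak))
    return enabled, problems


def effective_protocols(config_files):
    """Which file wins, what it enables, and what is wrong with it."""
    winner = winning_directive(config_files)
    if winner is None:
        return None, None, ["no SSLProtocol set anywhere: the mod_ssl default applies"]
    name, value = winner
    enabled, problems = evaluate_ssl_protocol(value)
    return name, enabled, problems


# Constructed sample files, listed in Apache's include order: ssl.conf first, then the vhost.
SSL_CONF = "SSLProtocol all -SSLv3\nSSLHonorCipherOrder on\n"
VHOST_TYPO = "<IfModule mod_ssl.c>\n  SSLEngine on\n  SSLProtocol -all +LSv1.2\n</IfModule>\n"
VHOST_FIXED = "<IfModule mod_ssl.c>\n  SSLEngine on\n  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1\n</IfModule>\n"
VHOST_COMMENTED = "<IfModule mod_ssl.c>\n  SSLEngine on\n  #SSLProtocol all -SSLv3 -TLSv1\n</IfModule>\n"

if __name__ == "__main__":
    for label, vhost in (("typo", VHOST_TYPO), ("fixed", VHOST_FIXED), ("commented", VHOST_COMMENTED)):
        print(label, effective_protocols([("ssl.conf", SSL_CONF), ("vhost", vhost)]))
```

With the commented-out vhost line the script reports ssl.conf as the winning file, which is exactly the situation where SSL Labs still sees TLS 1.0 and 1.1 although "the vhost disables them".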
Hello! Thank you for your help! After the upgrade of Ispconfig I did: Go to tools -> resync services and resync your websites. In the vhost in question:
Code:
<IfModule mod_ssl.c>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
Qualys SSL Labs result for madeleine.michelis-amiens.lyc.ac-amiens.fr: Overall Rating = B. Activated protocols: TLS 1.3, TLS 1.2, TLS 1.1 and TLS 1.0. However, the TLS 1.1 and TLS 1.0 protocols are disabled in the vhost. And always the Cipher Suites errors: "Protocol or cipher suite mismatch". No, I have never customized /usr/local/ispconfig/server/conf-custom. Attached is the apache2.conf file.
Does your HAProxy do the SSL termination? Then you have to change your HAProxy settings: https://www.haproxy.com/blog/haproxy-ssl-termination/ It might be enough to update your HAProxy. This version is from 2016. TLS1.3 was defined in 2018. See here for instructions on how to install the newest version: https://haproxy.debian.net/ From your server, test your local web:
Code:
openssl s_client -crlf -connect 192.168.236.50:443 -tls1_2
openssl s_client -crlf -connect 192.168.236.50:443 -tls1_1
openssl s_client -crlf -connect 192.168.236.50:443 -tls1_0
If tls1_1 and tls1_0 are working, then it is an apache problem. If only tls1_2 is working, then apache is good and your haproxy is the problem.
No, my haproxy does not support SSL. I am using SSL Pass-Through, which sends SSL connections for Ispconfig in transparent mode. I have nothing in "global settings here" regarding SSL. Indeed, the Haproxy 1.5 version does not support the TLS1.3 protocol. I do not have high availability on the hosting platform. When updating the haproxy to a newer version I am afraid that I will run into outdated options. Test performed from the haproxy: return code 20 (unable to get local issuer certificate) for all three protocols.
Code:
openssl s_client -crlf -connect 192.168.236.50:443 -tls1_2
openssl s_client -crlf -connect 192.168.236.50:443 -tls1_1
openssl s_client -crlf -connect 192.168.236.50:443 -tls1
Start Time: 1611503794
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
From another server, for all three protocols (-tls1, -tls1_1, -tls1_2), the command returns:
Code:
Start Time: 1611504800
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
closed
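The per-protocol openssl probes suggested above, and the way their output is read (did the handshake complete at all, as opposed to the separate "Verify return code", where 20 only says the probing machine could not build the chain with its local CA store), can be scripted. This is an added example written for this thread, not code from any poster, ISPConfig or HAProxy. It passes -servername so that SNI selects the right vhost, which is needed on a name-based setup (as pointed out further down in the thread), and applies the rule given above: old protocols still negotiable means Apache's effective SSLProtocol is not what you expect; only TLS 1.2/1.3 means Apache is fine and whatever sits in front of it deserves the attention. The two s_client transcripts are constructed and abridged; the probe() function needs network access and is not exercised offline.

```python
import re
import subprocess

# openssl s_client flag that forces one protocol version (the thread's flags plus TLS 1.3)
PROTOCOL_FLAGS = {"TLSv1": "-tls1", "TLSv1.1": "-tls1_1", "TLSv1.2": "-tls1_2", "TLSv1.3": "-tls1_3"}

NEW_LINE_RE = re.compile(r"^New, (.+?), Cipher is (\S+)", re.MULTILINE)
VERIFY_RE = re.compile(r"Verify return code:\s*(\d+)\s*\(([^)]*)\)")
ALERT_RE = re.compile(r"SSL alert number (\d+)")


def classify_s_client_output(output):
    """Summarize one openssl s_client run.

    The handshake succeeded when the "New, <proto>, Cipher is <cipher>" line names a real
    cipher; on failure s_client prints "New, (NONE), Cipher is (NONE)" and usually an alert.
    The verify code is independent of that: it describes chain validation on the probing
    machine, not whether the server accepted the protocol version.
    """
    m = NEW_LINE_RE.search(output)
    handshake = bool(m) and m.group(2) != "(NONE)"
    v = VERIFY_RE.search(output)
    alert = ALERT_RE.search(output)
    return {
        "handshake": handshake,
        "protocol": m.group(1) if handshake else None,
        "cipher": m.group(2) if handshake else None,
        "verify_code": int(v.group(1)) if v else None,
        "verify_msg": v.group(2) if v else None,
        "alert": int(alert.group(1)) if alert else None,
    }


def probe(host, port, servername, protocol, timeout=10):
    """Run s_client for one protocol version; -servername picks the vhost via SNI."""
    cmd = ["openssl", "s_client", "-crlf", "-connect", f"{host}:{port}",
           "-servername", servername, PROTOCOL_FLAGS[protocol]]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return classify_s_client_output(proc.stdout.decode(errors="replace")
                                    + proc.stderr.decode(errors="replace"))


def diagnose(results):
    """Apply the thread's rule to a {protocol name: classification} map."""
    accepted = {p for p, r in results.items() if r["handshake"]}
    if accepted & {"TLSv1", "TLSv1.1"}:
        return "apache: deprecated protocols still negotiable, check the effective SSLProtocol"
    if not accepted:
        return "nothing negotiated: check connectivity, port and SNI name"
    return "apache: only modern protocols accepted, look at the proxy in front"


# Constructed, abridged s_client transcripts for offline use.
SAMPLE_TLS12_OK = """CONNECTED(00000003)
---
SSL handshake has read 3140 bytes and written 445 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 20 (unable to get local issuer certificate)
---
"""

SAMPLE_TLS10_REFUSED = """CONNECTED(00000003)
140234:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:../ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Verify return code: 0 (ok)
---
"""

if __name__ == "__main__":
    offline = {"TLSv1.2": classify_s_client_output(SAMPLE_TLS12_OK),
               "TLSv1.1": classify_s_client_output(SAMPLE_TLS10_REFUSED),
               "TLSv1": classify_s_client_output(SAMPLE_TLS10_REFUSED)}
    print(diagnose(offline))
    # live use, for example: probe("192.168.236.50", 443, "www.example.org", "TLSv1.2")
```

Note that the refused transcript still ends in "Verify return code: 0 (ok)", which is why reading only the verify line, as in the results posted above, does not tell you whether a protocol version was actually accepted.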
HAProxy version 1.5 is unmaintained. This is a security problem: http://www.haproxy.org/ If your results differ, then HAProxy is messing with SSL. "unable to get local issuer certificate" sounds like a problem with your letsencrypt certificate. I am not using haproxy, but your configuration does not look like any of the examples I found with google. SSL passthrough seems to be done with "mode tcp", where you have "mode http". Best to look in the documentation. See also: https://community.ptc.com/t5/IoT-Tech-Tips/HAProxy-SSL-Passthrough-configuration/td-p/554395
Hello! The Let's Encrypt certificates are valid, see the attached capture. F12 Developer Tools > Security:
Code:
Security overview
This page is secure (valid HTTPS).
Certificate - valid and trusted
The connection to this site is using a valid, trusted server certificate issued by R3.
View certificate
Connection - secure connection settings
The connection to this site is encrypted and authenticated using TLS 1.3, X25519, and AES_256_GCM.
Resources - all served securely
All resources on this page are served securely.
I confirm that we are in SSL-Passthrough mode TCP; below is an extract from the configuration:
Code:
### TLS 1.3 HAProxy with SSL Pass-Through ###
frontend panel3-https-Pass-Through
# we ask HAProxy to pick up all http (80) and https (443) requests
###bind 194.254.103.168:80
# for https requests, we provide the certificate(s)
bind 194.254.103.168:443 ### ssl crt /etc/haproxy/ssl/mon_certificat_ssl.pem crt /etc/haproxy/ssl/mon_certificat_ssl_2.pem
mode tcp
option tcplog
backend panel3-in_https-Pass-Through
mode tcp
server panel3_https.in 192.168.236.50:443 check-ssl verify none ## send-proxy = option forwardfor
When I got the error "unable to get local issuer certificate", this was from my haproxy with the command:
Code:
openssl s_client -crlf -connect 192.168.236.50:443 -tls1_2
From another server in the network this sends back Verify return code: 0 (ok).
Are you sure the check-ssl option is what you want? https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#5.2-check-ssl If I now connect to your site, it needs 10 seconds (some timeout of haproxy?) and then the site loads relatively quickly. If it is a timeout, you should find something in your logs. For the openssl command from your haproxy, you might need to specify the servername to get the right vhost (sorry, forgot about that):
Code:
openssl s_client -crlf -servername madeleine.michelis-amiens.lyc.ac-amiens.fr -connect 192.168.236.50:443 -tls1_2