You currently have TLSv1 enabled. This version of TLS is being phased out.

Hi,

I'm using this VMware image https://www.howtoforge.com/tutorial...n-8-jessie-apache-bind-dovecot-ispconfig-3/3/ and updated to the latest Debian OS v8.9
When I created new Wordpress site with default theme when I go to https://www.whynopadlock.com/
I'm getting this warning https://prnt.sc/hxe4bz and chrome shows it still as not secure. How can I future proof my server?

Thanks!

 

I know very little about this, but read this good explanation: https://gist.github.com/SamuelChristie/13a2a29e74c189bcfd9b
By the way, are you using Debian Jessie or Stretch, since you wrote updating to the latest Debian OS .

 

Thanks for the replies guys!
I'm using Debian Jessie v8.9 and ISPconfig Let's Encrypt

Chrome does not show red padlock but simply says the site is not fully secure but it does not give reason for it?

 

Thank you! I missed that part and I was able to narrow it down to my plugin for Shoutcast player that is obviously streaming unsecured stream. I've entered URL of one other random internet stream that is secured and I was getting green padlock!

The website whynopadlock.com still shows warning about TLSv1 enabled and being phased out, how can I fix that?

 

Disable TLSV1. Read the link I posted. In the end The Mozilla SSL Configuration Generator.

 

So I don't want to modify something that will break ISPconfig or Apache. Can this be done thru ISPconfig somehow?

Code:

<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
    SSLCertificateKeyFile   /path/to/private/key

    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication


    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
    ...
</VirtualHost>

# modern configuration, tweak to your needs
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache        shmcb:/var/run/ocsp(128000)

 

Just to make sure I'm editing correct "apache ssl config file".
I found # SSL Configuration under /etc/apache2/sites-available/ispconfig.vhost and this is how it looks:

Code:

######################################################
# This virtual host contains the configuration
# for the ISPConfig controlpanel
######################################################

Listen 8080
NameVirtualHost *:8080

<VirtualHost _default_:8080>
  ServerAdmin webmaster@localhost

  <Directory /var/www/ispconfig/>
    <FilesMatch "\.ph(p3?|tml)$">
      SetHandler None
    </FilesMatch>
  </Directory>
  <Directory /usr/local/ispconfig/interface/web/>
    <FilesMatch "\.ph(p3?|tml)$">
      SetHandler None
    </FilesMatch>
  </Directory>

  <IfModule mod_fcgid.c>
    DocumentRoot /var/www/ispconfig/
    SuexecUserGroup ispconfig ispconfig
    <Directory /var/www/ispconfig/>
      Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
      AllowOverride AuthConfig Indexes Limit Options FileInfo
      <FilesMatch "\.php$">
        SetHandler fcgid-script
      </FilesMatch>
      FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
            Require all granted
          </Directory>
    IPCCommTimeout  7200
    MaxRequestLen 15728640
  </IfModule>

  <IfModule mpm_itk_module>
    DocumentRoot /usr/local/ispconfig/interface/web/
    AssignUserId ispconfig ispconfig
    AddType application/x-httpd-php .php
    <Directory /usr/local/ispconfig/interface/web>
      # php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp"
      Options +FollowSymLinks
      AllowOverride None
            Require all granted
            php_value magic_quotes_gpc        0
    </Directory>
  </IfModule>

  # ErrorLog /var/log/apache2/error.log
  # CustomLog /var/log/apache2/access.log combined
  ServerSignature Off

  <IfModule mod_security2.c>
    SecRuleEngine Off
  </IfModule>

  # SSL Configuration
  SSLEngine On
    SSLProtocol All -SSLv3
    SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
  #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle

  SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
  SSLHonorCipherOrder On
   
  <IfModule mod_headers.c>
    Header always add Strict-Transport-Security "max-age=15768000"
    RequestHeader unset Proxy early
  </IfModule>

    SSLUseStapling On
  SSLStaplingResponderTimeout 5
  SSLStaplingReturnResponderErrors Off
  </VirtualHost>

<IfModule mod_ssl.c>
  SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>

<Directory /var/www/php-cgi-scripts>
  AllowOverride None
    Require all denied
  </Directory>

<Directory /var/www/php-fcgi-scripts>
  AllowOverride None
    Require all denied
  </Directory>

Do I replace lines that do not match with the ones you posted?
So far lines that I need to change are:
SSLProtocol All
SSLCipherSuite
SSLCompression off (add this line)
SSLSessionTickets off (add this line)

 

I'm glad that I asked!
So I commented out lines that were already in there and copied lines just before </IfModule> but apache is unable to start

This is original file:

Code:

<IfModule mod_ssl.c>

    # Pseudo Random Number Generator (PRNG):
    # Configure one or more sources to seed the PRNG of the SSL library.
    # The seed data should be of good random quality.
    # WARNING! On some platforms /dev/random blocks if not enough entropy
    # is available. This means you then cannot use the /dev/random device
    # because it would lead to very long connection times (as long as
    # it requires to make more entropy available). But usually those
    # platforms additionally provide a /dev/urandom device which doesn't
    # block. So, if available, use this one instead. Read the mod_ssl User
    # Manual for more details.
    #
    SSLRandomSeed startup builtin
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect builtin
    SSLRandomSeed connect file:/dev/urandom 512

    ##
    ##  SSL Global Context
    ##
    ##  All SSL configuration in this context applies both to
    ##  the main server and all SSL-enabled virtual hosts.
    ##

    #
    #   Some MIME-types for downloading Certificates and CRLs
    #
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl

    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is a internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase

    #   Inter-Process Session Cache:
    #   Configure the SSL Session Cache: First the mechanism
    #   to use and second the expiring timeout (in seconds).
    #   (The mechanism dbm has known memory leaks and should not be used).
    #SSLSessionCache         dbm:${APACHE_RUN_DIR}/ssl_scache
    SSLSessionCache        shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout  300

    #   Semaphore:
    #   Configure the path to the mutual exclusion semaphore the
    #   SSL engine uses internally for inter-process synchronization.
    #   (Disabled by default, the global Mutex directive consolidates by default
    #   this)
    #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache


    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate. See the
    #   ciphers(1) man page from the openssl package for list of all available
    #   options.
    #   Enable only secure ciphers:
    SSLCipherSuite HIGH:!aNULL

    # SSL server cipher order preference:
    # Use server priorities for cipher algorithm choice.
    # Clients may prefer lower grade encryption.  You should enable this
    # option if you want to enforce stronger encryption, and can afford
    # the CPU cost, and did not override SSLCipherSuite in a way that puts
    # insecure ciphers first.
    # Default: Off
    #SSLHonorCipherOrder on

    #   The protocols to enable.
    #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
    #   SSL v2  is no longer supported
    SSLProtocol all -SSLv3

    #   Allow insecure renegotiation with clients which do not yet support the
    #   secure renegotiation protocol. Default: Off
    #SSLInsecureRenegotiation on

    #   Whether to forbid non-SNI clients to access name based virtual hosts.
    #   Default: Off
    #SSLStrictSNIVHostCheck On

</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

And this is modified version that does gives below error starting with this line SSLSessionTickets off

Code:

<IfModule mod_ssl.c>

    # Pseudo Random Number Generator (PRNG):
    # Configure one or more sources to seed the PRNG of the SSL library.
    # The seed data should be of good random quality.
    # WARNING! On some platforms /dev/random blocks if not enough entropy
    # is available. This means you then cannot use the /dev/random device
    # because it would lead to very long connection times (as long as
    # it requires to make more entropy available). But usually those
    # platforms additionally provide a /dev/urandom device which doesn't
    # block. So, if available, use this one instead. Read the mod_ssl User
    # Manual for more details.
    #
    SSLRandomSeed startup builtin
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect builtin
    SSLRandomSeed connect file:/dev/urandom 512

    ##
    ##  SSL Global Context
    ##
    ##  All SSL configuration in this context applies both to
    ##  the main server and all SSL-enabled virtual hosts.
    ##

    #
    #   Some MIME-types for downloading Certificates and CRLs
    #
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl

    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is a internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase

    #   Inter-Process Session Cache:
    #   Configure the SSL Session Cache: First the mechanism
    #   to use and second the expiring timeout (in seconds).
    #   (The mechanism dbm has known memory leaks and should not be used).
    #SSLSessionCache         dbm:${APACHE_RUN_DIR}/ssl_scache
    SSLSessionCache        shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout  300

    #   Semaphore:
    #   Configure the path to the mutual exclusion semaphore the
    #   SSL engine uses internally for inter-process synchronization.
    #   (Disabled by default, the global Mutex directive consolidates by default
    #   this)
    #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache


    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate. See the
    #   ciphers(1) man page from the openssl package for list of all available
    #   options.
    #   Enable only secure ciphers:
    #SSLCipherSuite HIGH:!aNULL

    # SSL server cipher order preference:
    # Use server priorities for cipher algorithm choice.
    # Clients may prefer lower grade encryption.  You should enable this
    # option if you want to enforce stronger encryption, and can afford
    # the CPU cost, and did not override SSLCipherSuite in a way that puts
    # insecure ciphers first.
    # Default: Off
    #SSLHonorCipherOrder on

    #   The protocols to enable.
    #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
    #   SSL v2  is no longer supported
    #SSLProtocol all -SSLv3

    #   Allow insecure renegotiation with clients which do not yet support the
    #   secure renegotiation protocol. Default: Off
    #SSLInsecureRenegotiation on

    #   Whether to forbid non-SNI clients to access name based virtual hosts.
    #   Default: Off
    #SSLStrictSNIVHostCheck On

    # modern configuration, tweak to your needs
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
 
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Code:

root@debian:~# /etc/init.d/apache2 restart
[....] Restarting apache2 (via systemctl): apache2.serviceJob for apache2.service failed. See 'systemctl status apache2.service' and 'journalc                          tl -xn' for details.
failed!
root@debian:~# systemctl status apache2.service
● apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─forking.conf
   Active: failed (Result: exit-code) since Wed 2018-01-10 14:12:16 PST; 2s ago
  Process: 7743 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
  Process: 8756 ExecReload=/etc/init.d/apache2 reload (code=exited, status=0/SUCCESS)
  Process: 7990 ExecStart=/etc/init.d/apache2 start (code=exited, status=1/FAILURE)

Jan 10 14:12:16 debian.mydomain.us apache2[7990]: Starting web server: apache2 failed!
Jan 10 14:12:16 debian.mydomain.us apache2[7990]: The apache2 configtest failed. ... (warning).
Jan 10 14:12:16 debian.mydomain.us apache2[7990]: Output of config test was:
Jan 10 14:12:16 debian.mydomain.us apache2[7990]: AH00526: Syntax error on line 88 of /etc/apache2/mods-enabled/ssl.conf:
Jan 10 14:12:16 debian.mydomain.us apache2[7990]: Invalid command 'SSLSessionTickets', perhaps misspelled or defined by a module not ...uration
Jan 10 14:12:16 debian.mydomain.us apache2[7990]: Action 'configtest' failed.
Jan 10 14:12:16 debian.mydomain.us apache2[7990]: The Apache error log may have more information.
Jan 10 14:12:16 debian.mydomain.us systemd[1]: apache2.service: control process exited, code=exited status=1
Jan 10 14:12:16 debian.mydomain.us systemd[1]: Failed to start LSB: Apache2 web server.
Jan 10 14:12:16 debian.mydomain.us systemd[1]: Unit apache2.service entered failed state.
Hint: Some lines were ellipsized, use -l to show in full.
root@debian:~#

What am I doing wrong?

 

Syntax error on line 88 of /etc/apache2/mods-enabled/ssl.conf:

 

I was able to to get it to work and will post tomorrow my solution and at which step I made a mistake.

 

Here's my solution in case others run into same issue.

Reason for line 88 error is because of this line SSLSessionTickets off. When I copied config file from https://mozilla.github.io/server-side-tls/ssl-config-generator/ I did not select correct version of apache and openssl https://prnt.sc/hz3ww1 and that's why it was included in that config. You have to manually start typing in those boxes. You can find correct vestions by running apachectl -V and apt-cache policy openssl.
After that apache restarted without any errors why no padlock site no longer shows that warning.

Thanks guys!