Can't access https site

Discussion in 'Installation/Configuration' started by Cracklefish, Aug 26, 2018.

  1. Cracklefish

    Cracklefish Member

    Perfect server Debian Jessie build, v 8.10 ispc3 v3.1.13
    I am in the process of installing SSL on all the sites on this machine but I have come unstuck with the 1st.
    This accessible via http. ispC and phpMyAdmin and the mail system are using SSL ok. I have modified ssl.conf to disable SSLv2, TLS1 & TLS1.2 using the suggestions from Till's post. However Apache failed to restart because of the "SSLSessionTickets off" line. I disabled this and Apache restarted.
    I removed SSL and saved the site config in ispConfig then re-enabled and saved it again but still couldn't access the site with https.
    I checked the contents of "sites-available" and noticed that SSLv2, SSLv3, TLSv1 & TLSv1.2 were disabled!
    I edited the line to read "SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1" but still no luck.
    The <IfModule mod_ssl.c>code from ssl.conf and sites available is below.
    I did not understand the comments in ~/posts/369744 so maybe disabling "SSLSessionTickets off" was a bad idea!
    apachectl -V produced the following
    Code:
    apachectl -V
    AH00526: Syntax error on line 89 of /etc/apache2/mods-enabled/ssl.conf:
    Invalid command 'SSLSessionTickets', perhaps misspelled or defined by a module not included in the server configuration
    Action '-V' failed.
    The Apache error log may have more information.
    [email protected]:/home/itman# apt-cache policy openssl
    openssl:
      Installed: 1.0.1t-1+deb8u8
      Candidate: 1.0.1t-1+deb8u9
      Version table:
         1.0.2l-1~bpo8+1 0
            100 http://ftp.uk.debian.org/debian/ jessie-backports/main i386 Packages
         1.0.1t-1+deb8u9 0
            500 http://security.debian.org/ jessie/updates/main i386 Packages
     *** 1.0.1t-1+deb8u8 0
            500 http://ftp.uk.debian.org/debian/ jessie/main i386 Packages
            100 /var/lib/dpkg/status
    From ssl.conf:
    Code:
    <IfModule mod_ssl.c>
    
        # Pseudo Random Number Generator (PRNG):
        # Configure one or more sources to seed the PRNG of the SSL library.
        # The seed data should be of good random quality.
        # WARNING! On some platforms /dev/random blocks if not enough entropy
        # is available. This means you then cannot use the /dev/random device
        # because it would lead to very long connection times (as long as
        # it requires to make more entropy available). But usually those
        # platforms additionally provide a /dev/urandom device which doesn't
        # block. So, if available, use this one instead. Read the mod_ssl User
        # Manual for more details.
        #
        SSLRandomSeed startup builtin
        SSLRandomSeed startup file:/dev/urandom 512
        SSLRandomSeed connect builtin
        SSLRandomSeed connect file:/dev/urandom 512
    
        ##
        ##  SSL Global Context
        ##
        ##  All SSL configuration in this context applies both to
        ##  the main server and all SSL-enabled virtual hosts.
        ##
    
        #
        #   Some MIME-types for downloading Certificates and CRLs
        #
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl    .crl
    
        #   Pass Phrase Dialog:
        #   Configure the pass phrase gathering process.
        #   The filtering dialog program (`builtin' is a internal
        #   terminal dialog) has to provide the pass phrase on stdout.
        SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
    
        #   Inter-Process Session Cache:
        #   Configure the SSL Session Cache: First the mechanism
        #   to use and second the expiring timeout (in seconds).
        #   (The mechanism dbm has known memory leaks and should not be used).
        #SSLSessionCache         dbm:${APACHE_RUN_DIR}/ssl_scache
        SSLSessionCache        shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
        SSLSessionCacheTimeout  300
    
        #   Semaphore:
        #   Configure the path to the mutual exclusion semaphore the
        #   SSL engine uses internally for inter-process synchronization.
        #   (Disabled by default, the global Mutex directive consolidates by default
        #   this)
        #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
    
    
        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate. See the
        #   ciphers(1) man page from the openssl package for list of all available
        #   options.
        #   Enable only secure ciphers:
        #SSLCipherSuite HIGH:!aNULL
    
    
        # SSL server cipher order preference:
        # Use server priorities for cipher algorithm choice.
        # Clients may prefer lower grade encryption.  You should enable this
        # option if you want to enforce stronger encryption, and can afford
        # the CPU cost, and did not override SSLCipherSuite in a way that puts
        # insecure ciphers first.
        # Default: Off
        #SSLHonorCipherOrder on
    
        #   The protocols to enable.
        #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
        #   SSL v2  is no longer supported
        #SSLProtocol all -SSLv3
    
        #   Allow insecure renegotiation with clients which do not yet support the
        #   secure renegotiation protocol. Default: Off
        #SSLInsecureRenegotiation on
    
        #   Whether to forbid non-SNI clients to access name based virtual hosts.
        #   Default: Off
        #SSLStrictSNIVHostCheck On
    
        # modern configuration, tweak to your needs
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
        SSLHonorCipherOrder on
        SSLCompression off
        #SSLSessionTickets off
    
        # OCSP Stapling, only in httpd 2.3.3 and later
        SSLUseStapling on
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
        SSLStaplingCache shmcb:/var/run/ocsp(128000)
    
    </IfModule>
    
    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
    
    From sites-available:
    Code:
            <IfModule mod_ssl.c>
            SSLEngine on
            SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.2
            # SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
            SSLHonorCipherOrder     on
            # <IfModule mod_headers.c>
            # Header always add Strict-Transport-Security "max-age=15768000"
            # </IfModule>
            SSLCertificateFile /var/www/clients/client1/web9/ssl/dev.greenway.co.uk-le.crt
            SSLCertificateKeyFile /var/www/clients/client1/web9/ssl/dev.greenway.co.uk-le.key
                    SSLCertificateChainFile /var/www/clients/client1/web9/ssl/dev.greenway.co.uk-le.bundle
                            SSLUseStapling on
            SSLStaplingResponderTimeout 5
            SSLStaplingReturnResponderErrors off
                    </IfModule>
    
     

Share This Page