custom vhost mod_ssl entries like SSLCipherSuite and SSLProtocol

Discussion in 'Server Operation' started by sygram, Jan 4, 2017.

  1. sygram

    sygram Member

    Hi there,

    I would kindly ask you to point out how to add custom vhost mod_ssl entries like SSLCipherSuite and SSLProtocol. If I use the "Apache Directives" option and add something like:

    <IfModule mod_ssl.c>
    SSLEngine on
    SSLCertificateFile /var/www/clients/client0/web35/ssl/www.domain.com.crt
    SSLCertificateKeyFile /var/www/clients/client0/web35/ssl/www.domain.com.key
    SSLCACertificateFile /var/www/clients/client0/web35/ssl/www.domain.com.bundle
    SSLProtocol all -SSLv3
    SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    SSLHonorCipherOrder on
    SSLCompression off

    </IfModule>

    the entries cause an error, so a ...vhost.err error file is created and the entries get ignored. The entries also appear in the non-SSL vhost area. I am not sure if the directive <IfModule mod_ssl.c> in that place causes the error, or the double appearance.

    I would appreciate your reply in order not to change the vhost file every time upon ispconfig's update. Thank you very much.

    Kind Regards
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Why don't you set the cipher suite globally in the apache config?
     
  3. sygram

    sygram Member

    Thank you for your reply.

    I think ispconfig overrides these settings per vhost when you issue a certificate. I think I had already got:

    <IfModule mod_ssl.c>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    </IfModule>

    So regardless of the global settings, this vhost will have its own settings. Also, some clients might want less strict settings like "modern" or "intermediate" ( https://wiki.mozilla.org/Security/Server_Side_TLS )

    Regards
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Current ispconfig versions do not set a cipher suite in the vhost, so you must either have a custom vhost master template where you set this or not a current ispconfig version.
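A way to check what a vhost fragment like the ones posted above actually leaves negotiable, as an added example that is not part of this thread or of ISPConfig's code: it walks the file tracking `<Section>` nesting (an unbalanced `<IfModule>` is one thing httpd rejects at configtest), collects every SSL* directive, applies SSLProtocol's token rules, flags legacy ciphers in the SSLCipherSuite string (the DES-CBC3 entries in the first post's list are the compatibility ciphers of the Mozilla "intermediate" profile of that time), and reports directives that occur more than once, which is the "double appearance" the first post mentions. The sample vhost, its VirtualHost wrapper and the shortened cipher list are constructed for this example; the set of protocol names assumed below is mod_ssl's, but which of them a given httpd/OpenSSL build supports varies by version.

```python
import re
import sys

# Constructed sample input: the per-vhost block from the first post, wrapped in the
# <VirtualHost> container a rendered vhost file carries (wrapper and the shortened
# cipher list are assumptions made for this example, not ISPConfig output).
SAMPLE_VHOST = """\
<VirtualHost *:443>
    ServerName www.domain.com
    <IfModule mod_ssl.c>
        SSLEngine on
        SSLProtocol all -SSLv3
        SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!DSS
        SSLHonorCipherOrder on
        SSLCompression off
    </IfModule>
</VirtualHost>
"""

OPEN_TAG = re.compile(r"^\s*<(\w+)[^>]*>\s*$")
CLOSE_TAG = re.compile(r"^\s*</(\w+)>\s*$")
SSL_DIRECTIVE = re.compile(r"^\s*(SSL\w+)\s+(.+?)\s*$", re.IGNORECASE)

# Protocol names mod_ssl accepts (assumed list; TLSv1.3 needs httpd 2.4.37+ with
# OpenSSL 1.1.1+). 'all' never includes SSLv2.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
_CANON = {p.lower(): p for p in PROTOCOLS}
ALL_SET = set(PROTOCOLS) - {"SSLv2"}

# Substrings identifying cipher names or OpenSSL aliases a defender should not
# offer: 3DES, RC4, MD5 MACs, NULL encryption/auth, export grades, anonymous DH.
LEGACY_MARKERS = ("DES-CBC3", "3DES", "RC4", "MD5", "NULL", "EXP", "ADH", "AECDH")


def parse_ssl_directives(text):
    """Return (directive, value, enclosing sections) for every SSL* directive.
    Unbalanced sections raise ValueError, as httpd would reject such a file."""
    stack, found = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip().startswith("#"):
            continue
        m = CLOSE_TAG.match(line)
        if m:
            if not stack or stack[-1].lower() != m.group(1).lower():
                raise ValueError(f"line {lineno}: </{m.group(1)}> without matching open tag")
            stack.pop()
            continue
        m = OPEN_TAG.match(line)
        if m:
            stack.append(m.group(1))
            continue
        m = SSL_DIRECTIVE.match(line)
        if m:
            found.append((m.group(1), m.group(2), tuple(stack)))
    if stack:
        raise ValueError(f"<{stack[-1]}> is never closed")
    return found


def enabled_protocols(value):
    """Apply SSLProtocol's tokens left to right: 'all' enables every version except
    SSLv2, 'X' or '+X' enables X, '-X' disables X (names are case-insensitive)."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() == "all":
            chosen = ALL_SET
        elif name.lower() in _CANON:
            chosen = {_CANON[name.lower()]}
        else:
            raise ValueError(f"unknown SSLProtocol token {tok!r}")
        enabled = enabled | chosen if sign == "+" else enabled - chosen
    return enabled


def legacy_ciphers(value):
    """Return the positive entries of an OpenSSL cipher string that match a legacy
    marker; '!' entries are permanent exclusions and are skipped."""
    hits = []
    for entry in value.split(":"):
        if not entry or entry.startswith("!"):
            continue
        name = entry.lstrip("+-").upper()
        if any(marker in name for marker in LEGACY_MARKERS):
            hits.append(entry)
    return hits


def audit_vhost(text):
    """Summarise one vhost: negotiable protocols, legacy ciphers offered, directives
    that appear more than once, and the ordering/compression settings. Like httpd,
    the last occurrence of a directive is the value that counts."""
    seen = {}
    report = {"protocols": set(), "legacy_ciphers": [], "duplicates": [], "warnings": []}
    for name, value, _sections in parse_ssl_directives(text):
        if name.lower() in seen:
            report["duplicates"].append(name)
        seen[name.lower()] = value
    if "sslprotocol" in seen:
        report["protocols"] = enabled_protocols(seen["sslprotocol"])
        if "SSLv3" in report["protocols"]:
            report["warnings"].append("SSLv3 is still enabled")
    if "sslciphersuite" in seen:
        report["legacy_ciphers"] = legacy_ciphers(seen["sslciphersuite"])
        if report["legacy_ciphers"]:
            report["warnings"].append("legacy ciphers offered: " + ", ".join(report["legacy_ciphers"]))
    if seen.get("sslhonorcipherorder", "off").lower() != "on":
        report["warnings"].append("SSLHonorCipherOrder is not on; the client's preference wins")
    if seen.get("sslcompression", "off").lower() != "off":
        report["warnings"].append("SSLCompression is not off")
    if report["duplicates"]:
        report["warnings"].append("duplicate directives: " + ", ".join(report["duplicates"]))
    return report


if __name__ == "__main__":
    # Pass a rendered vhost file as the first argument; otherwise the sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VHOST
    for key, val in audit_vhost(text).items():
        print(f"{key}: {sorted(val) if isinstance(val, set) else val}")
```

This is a static read of the file: it shows what the directives ask for, not what a given httpd build will honour, so it complements rather than replaces checking the live port after a reload.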
     
