Disable TLS 1.0 not working

Discussion in 'Server Operation' started by darkness_08, Oct 7, 2018.

  1. darkness_08

    darkness_08 New Member

    Hey,
    Currently I'm trying to disable TLS1.0 on my Apache 2.4.
    I added the following line in ISPConfig:

    Code:
    SSLProtocol -all +TLSv1.2
    But ssllabs still says:
    How can I set SSLProtocol? I've tried ssl.conf to set it globally, but it didn't work either.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I doubt that setting SSLProtocol for a single vhost can work. I guess you will have to set it globally, plus ensure that no other vhost on that server uses a different setting for SSLProtocol.
     
  3. darkness_08

    darkness_08 New Member

    Thx Till,
    I found this:
    https://serverfault.com/questions/6...col-in-apache-for-a-single-virtualhost-poodle
    So, maybe it will work later.
    Btw. Where can I change the ISPConfig Default apache.vhost. Every single vhost contains:
    Code:
    SSLProtocol All -SSLv2 -SSLv3
    Should I change the vhost.conf.master or is there another way?
     
  4. ahrasis

    ahrasis Well-Known Member

    Mostly in /usr/local/ispconfig/server/conf/; so copy the one that you need to /usr/local/ispconfig/server/conf-custom/ and modify it there, as the one in /conf/ will be overwritten on ISPConfig update. Use resync to update all vhosts automatically thereafter.
     
  5. Tuumke

    Tuumke Active Member

    Sorry to hijack this, but I'm busy with hardening my server.

    Code:
    cp /usr/local/ispconfig/server/conf/vhost.conf.master /usr/local/ispconfig/server/conf-custom/vhost.conf.master
    
    Changed the SSLProtocol options
    Then did a resync, but my /etc/apache2/sites-enabled/clientid-domain.tld.vhost wasn't modified.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Run Tools > Resync in ISPConfig to update existing sites.
     
  7. ahrasis

    ahrasis Well-Known Member

    Check if there is any error(s).
     
  8. Tuumke

    Tuumke Active Member

    I did, didn't change nothing as far as
    Guess I overlooked the double SSLProtocols in the vhost. Doh...
    I now edited the mod_headers section to be:
    Code:
                     Header always add Strict-Transport-Security "max-age=15768000"
                     Header always append X-Frame-Options SAMEORIGIN
                     Header set X-XSS-Protection "1; mode=block"
    
    Resynced and it worked.
     
    till and ahrasis like this.
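
An added example, not part of the thread and not ISPConfig code: a small audit that lists every SSLProtocol directive in an Apache config, works out which legacy protocols each line leaves enabled, and flags a vhost that carries more than one SSLProtocol line (the "double SSLProtocols" case above). Assumptions: tokens are evaluated left to right with a bare token replacing what was set before it, and `all` expands to the set named in the code, which in practice depends on the Apache/OpenSSL build.

```python
import re

# Assumption: the real expansion of "all" depends on the Apache/OpenSSL build.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
SETS = {"all": ALL, **{p.lower(): {p} for p in ALL}}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right (model assumed for this example)."""
    enabled = set()
    for tok in args.split():
        action = tok[0] if tok[0] in "+-" else ""
        chosen = SETS.get(tok.lstrip("+-").lower())
        if chosen is None:
            continue  # token not modelled here, e.g. SSLv2
        if action == "-":
            enabled = enabled - chosen
        elif action == "+":
            enabled = enabled | chosen
        else:
            enabled = set(chosen)  # bare token replaces the set built so far
    return enabled

def audit(conf_text):
    """Return (context, line_no, legacy_protocols_enabled, is_duplicate) per directive."""
    findings, context, seen = [], "global", {}
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            context = f"vhost {m.group(1).strip()} (line {no})"
        elif line.lower().startswith("</virtualhost"):
            context = "global"
        m = re.match(r"SSLProtocol\s+(.+)", line, re.I)
        if m:
            legacy = sorted(effective_protocols(m.group(1)) & LEGACY)
            seen[context] = seen.get(context, 0) + 1
            findings.append((context, no, legacy, seen[context] > 1))
    return findings

# Constructed sample: a global setting plus a vhost with two SSLProtocol lines.
SAMPLE = """\
SSLProtocol -all +TLSv1.2
<VirtualHost *:443>
  SSLProtocol All -SSLv2 -SSLv3
  SSLProtocol -all +TLSv1.2
</VirtualHost>
"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Run it over the concatenated contents of the generated vhost files (for example those in /etc/apache2/sites-enabled/) plus the global SSL config; it does not follow Include directives itself.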
