Disabling TLS 1.0 and 1.1?

Discussion in 'General' started by sjau, Jan 8, 2020.

  1. sjau

    sjau Local Meanie Moderator

    How do we disable tsl 1.0 and 1.1 for ISPC on Debian for all sites/vhosts?

    SSLLabs will start downgrading servers with tls 1.0 and 1.1:

    https://blog.qualys.com/ssllabs/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols

    "
    SSL Labs Grade Change
    To encourage users to migrate to protocol TLS 1.2+ and remove protocol TLS 1.1 and TLS 1.0 from servers, SSL Labs will lower the grade for SSL/TLS servers which use TLS 1.1 and TLS 1.0.

    TLS 1.0 Grade change date:

    • A warning will be displayed for downgrading to grade “B” by end of September 2019
    • Grade will be changed to “B” by end of January 2020
    TLS 1.1 Grade change date:

    • In Configuration->Protocols section “TLS 1.1” text color will be changed to Orange by end of November 2018
    • A warning will be displayed for downgrading to grade “B” by end of September 2019
    • Grade will be changed to “B” by end of January 2020
      "
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I used Internet Search Engines with
    Code:
    How do we disable tsl 1.0 and 1.1 for ISPC on Debian for all sites/vhosts?
     
  3. sjau

    sjau Local Meanie Moderator

    So, to what result do you come on how to achieve this with ISPConfig?
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  5. sjau

    sjau Local Meanie Moderator

    Thank you.

    So I use now
    Code:
    SSLProtocol TLSv1.2
    in the ISPC templates.

    Also I run
    Code:
    for f in *.*; do sed -i 's/SSLProtocol All -SSLv2 -SSLv3/SSLProtocol TLSv1.2/g' "${f}" ; done
    
    in /etc/apache2/sites-available/

    Now SSLLabs is happy again with A+
     
    ahrasis and Taleman like this.
  6. Steini86

    Steini86 Active Member

    Consider using
    Code:
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    which also enables TLS1.3 (if supported by your server) and newer protocols in the future. At least, you should enable TLS1.3 with:
    Code:
    SSLProtocol     +TLSv1.3 +TLSv1.2
    See https://ssl-config.mozilla.org/ for recommendations.
    I would suggest to remove these entries from the ispc templates. Then the value in the global file /etc/apache2/mods-enabled/ssl.conf is used. This makes it much easier to adjust the value in the future.
     
    ahrasis likes this.
  7. Tuumke

    Tuumke Active Member

    This is my vhost.conf.master in conf-custom which gives me A+ on ssllabs and 100% on https://en.internet.nl:

    http://paste.ubuntu.com/p/J4nVbkyVhz/

    When you use the vhost.conf.master you can edit it, then use resync tool to have changes commited to all vhosts.
    Using it in the vhosts allows you to change it per vhost? Maybe someone doesnt want to be so modern? :p
     
    ahrasis likes this.
  8. Steini86

    Steini86 Active Member

    That is what the OP successfully did. However, if you delete the settings from the from the vhost.conf.master file, the system wide setting is used which imho is easier to maintain. But you can do it as you like. The system wide setting is overwritten by the vhost.conf.master which is overwritten by the per host settings. In case of an unexpected result this is more difficult to debug (in my opinion).
    Be aware, that your config does not support TLS1.3 and you have to change that in the future, when ssllabs & co require TLS1.3. Would be good to support that anyway, as by now all modern clients support it.
     
  9. ahrasis

    ahrasis Well-Known Member

    Agreed. I'd prefer this aproach as well though currently I am still using the conf-custom. Haven't got time to visit my nginx servers for quite some times.
     
    Th0m likes this.
  10. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    i think, it makes more sence to define a minimal tls version per vhost intead of changing the template.
     
  11. Th0m

    Th0m Active Member HowtoForge Supporter

    Tuumke and ahrasis like this.
  12. Tuumke

    Tuumke Active Member

  13. Th0m

    Th0m Active Member HowtoForge Supporter

    It shows up in english for me (on dutch IP adress), but that could be a cookie setting.

    Anyways, this test really puts your web (and mailserver) to a test. After some tweaking I was able to get 100% on both tests.
     
    ahrasis likes this.
  14. Steini86

    Steini86 Active Member

    It's english for me, so I think it uses the browser settings as most pages.
    There are a lot of these tests out there and it is always important to understand what they are complaining and why. And to understand that these things change over time. This site for example recommends that the server enforces the cipher list. However, this is no longer best practice. Best practice today is to only use secure ciphers (was not the case in the past, as older clients did sometimes need old/unsafe ciphers) and let the client decide, which of the secure ciphers to use. For example, some mobile device have different capabilities to do encryption in hardware than desktop PCs and, therefore, would choose a different mechanism.
     
    ahrasis likes this.
  15. Tuumke

    Tuumke Active Member

  16. Th0m

    Th0m Active Member HowtoForge Supporter

    Tuumke likes this.
  17. Tuumke

    Tuumke Active Member

    I got that working now. Though, i can only add 'subdomains' and not my root domain. Which is a little bit strange..
     
  18. Th0m

    Th0m Active Member HowtoForge Supporter

    I only set this up for my mailserver, which has a subdomain, so I didn't do anything with the root domain.
     

Share This Page