Remove TLSv1.0 support to pass PCI compliance

Discussion in 'ISPConfig 3 Priority Support' started by tmpinsnty, Apr 17, 2018.

  1. tmpinsnty

    tmpinsnty Member HowtoForge Supporter

    So I'm running a Jessie server that started out as a Perfect Wheezy LAMP. I'm using the latest stable version of ISPConfig. In order for me to pass PCI I need to stop supporting TLSv1.0. I've tried this: https://mozilla.github.io/server-side-tls/ssl-config-generator/ and added the config to the /etc/apache2/conf.d/ssl.conf file based on another thread. But I am still getting dinged with the TLSv1.0 support.
    Where else does it read these: upload_2018-4-17_13-28-51.png
    It is NOT in the configuration I just added but these values are present in the .vhost file. But that line is "#" out.
    Can you give me a heads up where else I might look to change this?

    Running Apache 2.4.10 and openssl 1.0.1t
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig does not set cipher suites for port 443; as you already noticed, they are commented out, so the global Apache cipher suite setup will get applied. ISPConfig sets it just for the vhost on port 8080; if you want to change that, edit the ispconfig.vhost file. Ensure that you restart (not just reload) Apache after you changed the cipher suite.

    You can find all occurrences of the string SSLCipherSuite in apache config files with:

    grep -r -n SSLCipherSuite /etc/apache2/
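
Protocol versions such as TLSv1.0 are switched by mod_ssl's SSLProtocol directive rather than by SSLCipherSuite, so the same recursive search can be pointed at that directive and each active line evaluated. The script below is an added example, not part of the original posts; the function names `allows_tls10` and `audit_tree` are made up here, and it assumes the config tree (for instance /etc/apache2, as in the posts) is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the thread): audit active SSLProtocol directives.

# Succeeds if an SSLProtocol argument list leaves TLSv1.0 enabled.
# mod_ssl reads tokens left to right: "+X" adds, "-X" removes, and a bare
# token replaces everything set so far.
allows_tls10() {
    enabled=no
    for tok in $1; do
        case "$(printf '%s' "$tok" | tr 'A-Z' 'a-z')" in
            all|+all|tlsv1|+tlsv1) enabled=yes ;;
            -all|-tlsv1)           enabled=no ;;
            +*|-*)                 ;;            # another protocol toggled
            *)                     enabled=no ;; # bare token resets the list
        esac
    done
    [ "$enabled" = yes ]
}

# Check every uncommented SSLProtocol line under the tree given as $1.
# Fails if any line allows TLSv1.0, or if none exists (the mod_ssl default
# then applies, and it includes TLSv1.0).
audit_tree() {
    found=0; bad=0
    while IFS= read -r hit; do
        [ -n "$hit" ] || continue
        found=$((found + 1))
        # Strip "file:line:", indentation and the directive name.
        args=$(printf '%s\n' "$hit" |
            sed 's/^[^:]*:[0-9]*:[[:space:]]*[^[:space:]]*[[:space:]]*//')
        if allows_tls10 "$args"; then
            bad=$((bad + 1)); echo "TLSv1.0 ON   $hit"
        else
            echo "TLSv1.0 off  $hit"
        fi
    done <<EOF
$(grep -r -n -i -E '^[[:space:]]*SSLProtocol[[:space:]]' "$1" 2>/dev/null || true)
EOF
    [ "$found" -gt 0 ] || echo "no active SSLProtocol line: default applies"
    [ "$found" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Usage: sh audit.sh /etc/apache2
if [ $# -gt 0 ]; then audit_tree "$1"; fi
```

A vhost-level SSLProtocol line overrides the global one for that vhost, which is why every hit is listed with its file and line number.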
     
  3. tmpinsnty

    tmpinsnty Member HowtoForge Supporter

    Thanks till
     
