Slow browsing in HTTPS

Discussion in 'Installation/Configuration' started by cremos, Jan 21, 2021.

  1. cremos

    cremos Member

    Test of the certificate before the update we were A + and since the passage to version 3.2.2 we are in B

    SSL Server Test_ madeleine.michelis-amiens.lyc.ac-amiens.fr .png
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    This seems quite pertinent to the slow/timeout issue?
     
  3. Steini86

    Steini86 Active Member

    Have you restarted Apache after the changes? Can you post again your vhost file after the change? Do you have a /usr/local/ispconfig/server/conf-custom/vhost.conf.master file? If yes, backup and remove that file. Then do resync of web again.
     
  4. cremos

    cremos Member

    I no longer modified the vhost file after the server upgrade to version 3.2.2. I don't understa
    nd why there is a hash in front of the line: #SSLCipherSuite and this in all vhosts with the SSLHonorCipherOrder option set to "on" then restarted the apache server.

    /usr/local/ispconfig/server/conf-custom/vhost.conf.master file?
    No, I don't have a custom file in /usr/local/ispconfig/server/conf-custom/vhost.conf.master but the one in /usr/local/ispconfig/server/conf/vhost.conf.master
     
    Last edited: Jan 23, 2021
  5. cremos

    cremos Member

    Attached vhost file in question.
     

    Attached Files:

  6. Steini86

    Steini86 Active Member

    Apache has default options for SSL if nothing is set. They get overwritten by options in file /etc/apache2/mods-enabled/ssl.conf. They again get overwritten by individual settings in vhost file. So if a line in vhost is commented out, the option in ssl.conf chosen. If it is commented out there, the default is used.
    In your apache config (in debian: /etc/apache2/apache.conf) is the order of the files. From top to bottom, while later ones overwrite previous options. Usually its like:
    1) IncludeOptional mods-enabled/*.load
    2) IncludeOptional mods-enabled/*.conf
    3) Include ports.conf
    4) IncludeOptional conf-enabled/*.conf
    5) IncludeOptional sites-enabled/
    So, as you see the file in mods-enabled is included before the vhost file in sites-enabled. If you include additional files somewhere (for example the manual letsencrypt file), then they will overwrite it
     
    ahrasis and Jesse Norell like this.
  7. Steini86

    Steini86 Active Member

    You have a typo in:
    Code:
    SSLProtocol -all +LSv1.2
    You deactivate all protocols and add "LSv1.2" which is not a valid protocol. So, no useable protocol is found. That config is not from ispconfig, so you must have overwritten that somewhere.

    In general, you should use
    Code:
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    that is more future proof. It supports TLSv1.2 and TLSv1.3 and all protocols that will be added in the future. Your current setting needs adjustment is a new protocol comes out and additionally only supports TLS1.2 which is slower als less secure than TLS1.3
     
    ahrasis and Jesse Norell like this.
  8. cremos

    cremos Member

    Thank you very much for all these pressures it allowed me clearly to understand the order of loading of the apache files.
    I have two things that intrigue me when testing on the Qualys SSL Labs site:
    Overall Rating = B & Protocol Support = TLS 1.3 in "Protocol or cipher suite mismatch" error
    I have other sites hosted on other servers where the test gives with only TLS1.2 activated:
    Overall Rating = A + & no protocol mismatch or cipher suite error.
    Example : foad.ac-amiens.fr
    I can't understand where this slowness comes from in HTTPS mode
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    The slowness is caused by a misconfiguration to get the right TLS ciphers. That's why I'm wondering if the problem is a faulty HAProxy setup.
     
  10. cremos

    cremos Member

    In the configuration of Haproxy version 1.5.8-3 + I have nothing in "global settings here" regarding SSL.
    If the last file read by apache and the vhosts, why can I not activate TLS 1.3 during my tests?
     
    Last edited: Jan 23, 2021
  11. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    In your vhost, you have "SSLProtocol -all +LSv1.2". This should be "SSLProtocol -all +TLSv1.2" or even better "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1". Fix this, restart Apache, and see what happens. Maybe this is a typo in your vhost.conf.master, do you have a custom one in /usr/local/ispconfig/server/conf-custom?
    (I wrote the part below first, but then saw this)

    It's just a step of troubleshooting to test this. I don't think it takes a lot of time testing this, especially to fix such an issue. It might seem unnecesary, but it can be such a small stupid thing that's the problem.

    Can you share your apache config (/etc/apache2/apache2.conf)?
     
  12. cremos

    cremos Member

    Hello !
    Thank you for your help ! After upgade of Ispconfig I made a: Go to tools -> resync services and resync your websites.
    Dans mon vhost:
    In the vhost in question:
    Code:
      <IfModule mod_ssl.c>
                    SSLEngine on
                    SSLProtocol  all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    Qualys, SSL Labs result for madeleine.michelis-amiens.lyc.ac-amiens.fr.
    Overall Rating = B
    Activated protocols: TLS 1.3 TLS 1.2 TLS 1.1 and TLS 1.0
    However, the TLS 1.0 and TLS 1.0 protocols are disabled in the vhost.
    and always the Cipher Suites errors: "Protocol or cipher suite mismatch"

    No I have never customized / usr / local / ispconfig / server / conf-custom
    Attached is the apache2.con file
     

    Attached Files:

  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you share the content of /usr/local/ispconfig/server/conf/vhost.conf.master?
     
  14. Steini86

    Steini86 Active Member

    Does your HAProxy do the SSL termination? Then you have to change your HAProxy settings https://www.haproxy.com/blog/haproxy-ssl-termination/
    It might be enough to update your HAProxy.
    This version is from 2016. TLS1.3 was defined in 2018. See here for instructions how to install newest version: https://haproxy.debian.net/

    From your server, test your local web:
    Code:
    openssl s_client -crlf -connect 192.168.236.50:443 -tls1_2
    openssl s_client -crlf -connect 192.168.236.50:443 -tls1_1
    openssl s_client -crlf -connect 192.168.236.50:443 -tls1_0
    If tls1_1 and tls1_0 are working, then it is an apache problem. If only tls1_2 is working, then apache is good and your haproxy is the problem.
     
    Last edited: Jan 24, 2021
  15. cremos

    cremos Member

    Attached is the apache2.con file
    /usr/local/ispconfig/server/conf/vhost.conf.master
     

    Attached Files:

  16. cremos

    cremos Member

    No my haproxy does not support SSL.
    I am using SSL Pass-Through, which sends SSL connections for Ispconfig in transparent mode.
    I have nothing in "global settings here" regarding SSL.
    Indeed, the Haproxy 1.5 version does not support the TLS1.3 protocol.
    I do not have high availability on the hosting platform. When updating the haproxy to a newer version I am afraid that I will run into outdated options.

    Test performed using haproxy: return code: 20 (unable to get local issuer certificate)
    for all three protocols.
    Code:
    openssl s_client -crlf -connect 192.168.236.50:443 -tls1_2
    openssl s_client -crlf -connect 192.168.236.50:443 -tls1_1
    openssl s_client -crlf -connect 192.168.236.50:443 -tls1
        Start Time: 1611503794
        Timeout   : 7200 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    From another server for all three protocols (-tls1, -tls1_1, -tls1_2). the command returns me:
    Code:
        Start Time: 1611504800
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: yes
    ---
    closed
     
    Last edited: Jan 24, 2021
  17. cremos

    cremos Member

    Attached is the config Haproxy
     

    Attached Files:

  18. Steini86

    Steini86 Active Member

    HAProxy Version 1.5 is unmaintained. This is a security problem: http://www.haproxy.org/
    If your results differ, then HAProxy is messing with SSL. "unable to get local issuer certificate" sounds like a problem with your letsencrypt certificate
    I am not using hapoxy, but your configuration does not look like any of the examples I found with google. SSL passthrough seems to be done with "mode tcp", where you have "mode http". Best to look in the documentation.
    See also: https://community.ptc.com/t5/IoT-Tech-Tips/HAProxy-SSL-Passthrough-configuration/td-p/554395
     
    ahrasis and Th0m like this.
  19. cremos

    cremos Member

    Hello!
    The let's encrypt certificates are valid attached capture.
    2021-01-25 15_20_16-Certificat.png

    F12 Development Tools> Security
    Code:
    Security overview
    This page is secure (valid HTTPS).
    Certificate - valid and trusted
    The connection to this site is using a valid, trusted server certificate issued by R3.
    View certificate
    Connection - secure connection settings
    The connection to this site is encrypted and authenticated using TLS 1.3, X25519, and AES_256_GCM.
    Resources - all served securely
    All resources on this page are served securely.
    I confirm that we are in SSL-Passthrough mode TCP below extract from the configuration:

    Code:
    ### TLS 1.3 HAProxy avec SSL Pass-Through ###
    
    frontend panel3-https-Pass-Through
    
            # on demade à HaProxy de récupérer toutes les requêtes http (80) et https (443)
            ###bind 194.254.103.168:80
    
            # pour les requêtes https, on fourni le ou les certificats
            bind 194.254.103.168:443  ### ssl crt /etc/haproxy/ssl/mon_certificat_ssl.pem crt /etc/haproxy/ssl/mon_certificat_ssl_2.pem
    
            mode tcp
            option tcplog
    
    
    backend panel3-in_https-Pass-Through
    
            mode tcp
    
           server panel3_https.in 192.168.236.50:443 check-ssl verify none ## send-proxy = option forwardfor

    When I got the error "unable to get local issuer certificate" this from my haproxy with the command:
    Code:
    openssl s_client -crlf -connect 192.168.236.50:443 -tls1_2
    
    From another server in the network this send back
    Verify return code: 0 (ok)[/CODE]
     
    Last edited: Jan 25, 2021
  20. Steini86

    Steini86 Active Member

    Are you sure the check-ssl option is what you want?
    https://cbonte.github.io/haproxy-dconv/1.5/configuration.html#5.2-check-ssl

    If I now connect to your site, then it needs 10 seconds (some timeout of haproxy?) and then the site loads relatively quick. If it is a timeout, you should find something in your logs.

    For the openssl command from your haproxy, you might need to specify the servername, to get the right vhost .. (sorry, forgot about that)
    Code:
    openssl s_client -crlf -servername madeleine.michelis-amiens.lyc.ac-amiens.fr -connect 192.168.236.50:443 -tls1_2
     

Share This Page