SSLProtocol

Discussion in 'Installation/Configuration' started by mbensoussan, Oct 21, 2019.

  1. mbensoussan

    mbensoussan New Member

    Hi!
    My server: Ubuntu 18.04
    ISPConfig: 3.1.15p2

    I am trying to deactivate some old SSL protocols,
    so I edited this file: /etc/apache2/mods-available/ssl.conf
    with this:
    Code:
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
    
    Result of this command:
    Code:
    grep -R "SSLProtocol" /etc/
    result:
    Code:
    /etc/apache2/sites-enabled/100-ns31573xx.ip-xx-xx-xxx.eu.vhost:         SSLProtocol All -SSLv2 -SSLv3
    /etc/apache2/sites-enabled/100-MYDOMAIN.com.vhost:          SSLProtocol All -SSLv2 -SSLv3
    /etc/apache2/sites-enabled/000-ispconfig.vhost:    SSLProtocol All -SSLv3
    /etc/apache2/sites-available/ispconfig.vhost:    SSLProtocol All -SSLv3
    /etc/apache2/sites-available/MYDOMAIN.com.vhost:            SSLProtocol All -SSLv2 -SSLv3
    /etc/apache2/sites-available/ns31xxxxx.ip-xx-xx-xxx.eu.vhost:           SSLProtocol All -SSLv2 -SSLv3
    /etc/apache2/mods-enabled/ssl.conf:     SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    /etc/apache2/mods-available/ssl.conf:   SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    
    Bugs:
    - TLSv1 works with MYDOMAIN
    ==> All the sites-available files are generated by ISPConfig, so I will not edit the files directly, but where do I have to change the SSLProtocol?
    - Finding a good value for SSLCipherSuite
    ==> I see a lot of different values... but I don't really understand them.


    Thanks for your help
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I trust you restarted apache after altering the config files?
    Have you tested with some ssl checker (Use Internet Search engines with term ssl checker) what protocol apache supports?
     
  3. mbensoussan

    mbensoussan New Member

    Yes, sure, I have restarted Apache.

    I test SSL with: https://globalsign.ssllabs.com

    But as you can see, the SSLProtocol parameter is different in all the sites-available files, and I think if I edit a file in sites-available, ISPConfig will generate it again after an update.
     
  4. nhybgtvfr

    nhybgtvfr Active Member

    Copy /usr/local/ispconfig/server/conf/vhost.conf.master to /usr/local/ispconfig/server/conf-custom/vhost.conf.master
    and make the required protocol changes in that file. You'll find the SSLProtocol line in two places, one just after
    Code:
    <tmpl_if name='ssl_enabled'>
    <tmpl_if name='enable_http2' op='==' value='y'>
    and another one a bit further down, just after
    Code:
                    <IfModule mod_ssl.c>
    <tmpl_if name='ssl_enabled'>
    If you create a new site, or resync the sites on this server, it'll recreate the vhost conf files, including the changes made in this file.
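The point the thread circles around is that Apache evaluates SSLProtocol per virtual host: the `All -SSLv2 -SSLv3` line in every ISPConfig-generated vhost replaces the stricter line in mods-enabled/ssl.conf rather than narrowing it (and on older Apache releases the first vhost on an IP:port decides the protocol set for all name-based vhosts there, so every file matters, not just the one you are testing). The script below is an added example, not code from the thread or from ISPConfig. It reproduces mod_ssl's token rules for SSLProtocol and scans a directory the way the grep in the first post did, but prints the protocol set each directive really enables and exits non-zero if any file still admits SSLv3, TLSv1 or TLSv1.1. The script name and the directory argument are assumptions; the directive strings it is fed are the ones shown in this thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from ISPConfig): model how mod_ssl
# evaluates an SSLProtocol directive, then audit every directive found under
# a directory, since a vhost-level SSLProtocol replaces the one set in
# mods-enabled/ssl.conf instead of narrowing it.
#
# Token semantics follow the Apache 2.4 mod_ssl documentation:
#   all                  -> SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
#   +name / -name        -> add / remove
#   bare name, bare all  -> REPLACES everything set so far (mod_ssl logs
#                           "overrides already set parameter(s)" for this)
#   -SSLv2               -> accepted as a no-op, as in the generated vhosts
set -euo pipefail

ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# effective_protocols 'All -SSLv2 -SSLv3'  ->  'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'
effective_protocols() {
    local spec=$1 enabled=" " tok action name members p out=""
    for tok in $spec; do
        action=""
        case $tok in
            [+-]*) action=${tok:0:1}; name=${tok:1} ;;
            *)     name=$tok ;;
        esac
        case $name in
            [Aa][Ll][Ll]) members=" $ALL_PROTOCOLS " ;;
            SSLv2)
                [ "$action" = "-" ] || { echo "SSLv2 is not supported" >&2; return 2; }
                continue ;;
            SSLv3|TLSv1|TLSv1.1|TLSv1.2|TLSv1.3) members=" $name " ;;
            *) echo "illegal protocol '$name'" >&2; return 2 ;;
        esac
        case $action in
            -) for p in $members; do enabled=${enabled/" $p "/ }; done ;;
            +) for p in $members; do enabled=${enabled/" $p "/ }; enabled="$enabled$p "; done ;;
            *) enabled=$members ;;   # bare token: replaces, does not add
        esac
    done
    # Emit in a fixed order so two directives can be compared textually.
    for p in $ALL_PROTOCOLS; do
        case $enabled in *" $p "*) out="$out$p " ;; esac
    done
    printf '%s\n' "${out% }"
}

# audit_sslprotocol DIR: print every SSLProtocol directive under DIR (-R so
# the symlinks in sites-enabled are followed) together with the protocol set
# it really enables; return 1 if any still allows SSLv3, TLSv1 or TLSv1.1.
audit_sslprotocol() {
    local dir=$1 rc=0 line file spec eff
    while IFS= read -r line; do
        file=${line%%:*}
        spec=$(printf '%s' "${line#*:}" | sed -E 's/^[[:space:]]*SSLProtocol[[:space:]]+//; s/[[:space:]]+$//')
        eff=$(effective_protocols "$spec")
        case " $eff " in
            *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*)
                printf 'WEAK %s: "%s" -> %s\n' "$file" "$spec" "$eff"; rc=1 ;;
            *)  printf 'ok   %s: "%s" -> %s\n' "$file" "$spec" "$eff" ;;
        esac
    done < <(grep -RHE '^[[:space:]]*SSLProtocol[[:space:]]' "$dir" || true)
    return "$rc"
}

# Usage: bash sslprotocol-audit.sh /etc/apache2   (script name is assumed)
if [ $# -gt 0 ]; then
    audit_sslprotocol "$1"
fi
```

Run it against /etc/apache2 before and after the conf-custom change and resync: every generated vhost should then come out as `ok`. `apachectl configtest` catches a mis-edited template before the resync rewrites every vhost, and from another host `openssl s_client -connect MYDOMAIN.com:443 -tls1_1 </dev/null` must fail the handshake once the change is live.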
     
  5. mbensoussan

    mbensoussan New Member

    It works! Thank you.

    Last question: what is the best parameter for SSLCipherSuite?
     
  6. Steini86

    Steini86 Active Member

    There is no "best" parameter. It depends on the users you want to serve ;)
    Use this as a guide: https://ssl-config.mozilla.org/

    If you don't care about users with old browsers, then it is very easy:
    Code:
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
    
    TLS 1.3 only supports "good" ciphers, so there is no need to specify them. If you need TLS 1.2 (you probably want this), then this is (currently) recommended:
    Code:
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    
    Since all these ciphers are considered safe, it is now recommended to use "SSLHonorCipherOrder off" to let the client choose the cipher. (Explanation: https://mastodon.at/@infosechandbook/102393205262657245)


    I deleted the SSLProtocol and SSLCipherSuite options from my vhost.conf.master and only use the server-wide options in ssl.conf. Personally, I would consider it a bug that this essential value is overwritten by ISPConfig (it would only make sense if you could set this option individually).
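What `HIGH:!aNULL:!MD5:!3DES` from the first post actually expands to depends on the OpenSSL build that mod_ssl links against, which is why an explicit list like the one above is safer than a class expression. The script below is an added example, not code from the thread or from Mozilla's generator: it expands any SSLCipherSuite string with the local `openssl ciphers -v` and lists the TLS 1.2 suites that would still be offered without forward secrecy (static RSA key exchange) or without AEAD. The script name and the `--demo` flag are assumptions; the two cipher strings are the ones posted in this thread.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Mozilla's generator. It
# expands an SSLCipherSuite string with the local openssl (the library
# mod_ssl uses) and reports the TLS 1.2 suites that would be offered without
# forward secrecy or without AEAD, so the two strings from this thread can be
# compared on the host that will actually run them.
set -euo pipefail

# The first post's class expression and the explicit TLS 1.2 list from the thread.
POSTER_SUITE='HIGH:!aNULL:!MD5:!3DES'
MOZILLA_SUITE='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'

# expand_ciphers SPEC: one "name proto Kx=.. Au=.. Enc=.. Mac=.." line per
# suite, TLS 1.2 and older only. Newer openssl prints the TLS 1.3 suites for
# every spec and SSLCipherSuite does not control them, so drop them here.
expand_ciphers() {
    openssl ciphers -v "$1" | awk '$2 != "TLSv1.3"'
}

# non_pfs_ciphers SPEC: suites with static RSA key exchange (Kx=RSA). A leaked
# server key decrypts every recorded session that used one of them.
non_pfs_ciphers() {
    expand_ciphers "$1" | awk '$3 == "Kx=RSA" { print $1 }'
}

# non_aead_ciphers SPEC: suites whose MAC is not AEAD, i.e. CBC mode with a
# separate HMAC, the class behind padding-oracle style attacks.
non_aead_ciphers() {
    expand_ciphers "$1" | awk '$6 != "Mac=AEAD" { print $1 }'
}

# grade_ciphers SPEC: "clean" when every TLS 1.2 suite is both PFS and AEAD,
# otherwise "weak".
grade_ciphers() {
    if [ -n "$(non_pfs_ciphers "$1")" ] || [ -n "$(non_aead_ciphers "$1")" ]; then
        echo weak
    else
        echo clean
    fi
}

# Usage: bash cipher-check.sh --demo   (script name is assumed)
if [ "${1:-}" = "--demo" ]; then
    for spec in "$POSTER_SUITE" "$MOZILLA_SUITE"; do
        printf '%s\n  grade:    %s\n  non-PFS:  %s\n  non-AEAD: %s\n' "$spec" \
            "$(grade_ciphers "$spec")" \
            "$(non_pfs_ciphers "$spec" | tr '\n' ' ')" \
            "$(non_aead_ciphers "$spec" | tr '\n' ' ')"
    done
fi
```

On a stock OpenSSL 1.1.1 or 3.x build the first string grades `weak` (it keeps, among others, `AES256-GCM-SHA384` with plain RSA key exchange and the CBC suites), while the explicit list grades `clean`; running the check on the server itself matters because the expansion of `HIGH` differs between builds.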
     
  7. mbensoussan

    mbensoussan New Member

    Thank you again, all your answers are perfect ;)
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    It was global for many years, but this resulted in many complaints from users that the ISPConfig vhost config does not set a cipher suite. Personally, I don't like the current setup either and don't use it on my systems; it's commented out. So it's not a bug, it's a setting requested by many users which does not make much sense and which should be removed when you use a custom config.
     
  9. nhybgtvfr

    nhybgtvfr Active Member

    Could it not be an option in the GUI? Either on the SSL tab, or on the domain tab, hidden but appearing when either the SSL or Let's Encrypt checkbox is selected.
    With the cipher set enabled by default and the default ciphers in a text field, so it can be edited or disabled as desired.
    (Maybe with a warning that people *should* know what they're doing before they change anything in that text field.)
    It should probably also have a reset-to-default button, so the standard cipher set can be re-applied when some idiot inevitably messes it up.
    That makes it effectively global by default, still allows overriding, and doesn't involve editing conf files. (And makes more work for the developers... sorry Till. ;) )
     
