Discussion in 'Installation/Configuration' started by mbensoussan, Oct 21, 2019.

  1. mbensoussan

    mbensoussan New Member

    hi !
    My server : Ubuntu 18.04
    ispconfig : 3.1.15p2

    i try to disactivate some old SSL protocol
    so i edit this file : etc/apache2/mods-available/ssl.conf
    with this :
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
    Result of this command :
     grep -R "SSLProtocol" /etc/ 
    result :
    /etc/apache2/sites-enabled/         SSLProtocol All -SSLv2 -SSLv3
    /etc/apache2/sites-enabled/          SSLProtocol All -SSLv2 -SSLv3
    /etc/apache2/sites-enabled/000-ispconfig.vhost:    SSLProtocol All -SSLv3
    /etc/apache2/sites-available/ispconfig.vhost:    SSLProtocol All -SSLv3
    /etc/apache2/sites-available/            SSLProtocol All -SSLv2 -SSLv3
    /etc/apache2/sites-available/           SSLProtocol All -SSLv2 -SSLv3
    /etc/apache2/mods-enabled/ssl.conf:     SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    /etc/apache2/mods-available/ssl.conf:   SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    Bug :
    - TLSv1 work with MYDOMAIN
    ==> All sites-available are generated by ISPCONFIG. so i will not edit the file directly, but where i have to change the SSLProtocol ?
    - Found a good value for SSLCipherSuite
    ==> i see a lot of differente value ... but i don't really understand.

    Thank's for you help
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I trust you restarted apache after altering the config files?
    Have you tested with some ssl checker (Use Internet Search engines with term ssl checker) what protocol apache supports?
  3. mbensoussan

    mbensoussan New Member

    yes sure, i have restarted apache.

    i test ssl with :

    But as you can see the SSLProtocol parameter is different with all site-availables and i think if i edit a file in site-availables, ispconfig will generate it again after update.
  4. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    copy /usr/local/ispconfig/server/conf/vhost.conf.master to /usr/local/ispconfig/server/conf-custom/vhost.conf.master
    and make the required protocol changes in that file. you'll find the SSLProtocol line in two place, one just after
    <tmpl_if name='ssl_enabled'>
    <tmpl_if name='enable_http2' op='==' value='y'>
    and another one just a bit further done, just after
                    <IfModule mod_ssl.c>
    <tmpl_if name='ssl_enabled'>
    if you create a new site, or resync the sites on this server, it'll recreate the vhost conf file including the changes made in this file.
    biforme likes this.
  5. mbensoussan

    mbensoussan New Member

    it's work ! thanks you.

    last question : what is the best parameter for SSLCipherSuite ???
  6. Steini86

    Steini86 Active Member

    There is no "best" parameter. It depends on the users you want to serve ;)
    Use this as a guide:

    If you don't care about users with old browsers, then it is very easy:
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
    TLS1.3 only supports "good" ciphers, therefore no need to specify them. If you need TLS1.2 (you probably want this), then this is (currently) recommended:
    Since all the ciphers are considered as safe, it is now recommended to use "SSLHonorCipherOrder off" to let the client choose the cipher. (explanation:

    I deleted the SSLProtocol and SSLCipherSuite option from my vhost.conf.master and only use the server-wide option in ssl.conf. Personally, I would consider it a bug, that this essential value is overwritten by ispconfig (would only make sense, if you could set this option individually).
    ahrasis, till and Taleman like this.
  7. mbensoussan

    mbensoussan New Member

    thank you again, all your answer is perfect ;)
    Steini86 likes this.
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    It was global for many years but this resulted in many complaints from users that the ispconfig vhost config does not set a cipher suite. Personally, I don't like the current setup as well and don't use it on my systems, its commented out. So it's not a bug, its a setting requested by many users which makes not much sense and which should be removed when you use a custom config.
    Steini86 likes this.
  9. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    could it not be an option in the gui? either on the ssl tab, or the domain tab hidden but appears when either the ssl or letsencrypt checkbox are selected.
    with the cipher set selected as enabled by default, with the default ciphers in a text field, so it can be edited or disabled as desired.
    (maybe with a warning that people *should* know what they're doing before they change anything in that text field)
    should probably also have a reset to default button as well, so the standard cipher set can be re-applied when some idiot inevitably messes it up.
    makes it effectively global by default, still allows overriding, and doesn't involve editing conf files. (and makes more work for the developers.... sorry Till. ;) )
  10. Just to make sure that I'm not doing anything wrong... I'm using nginx, not Apache, so the correct way to deal with this is to change the file
    with (line 11 in my case):
    ssl_protocols TLSv1.3 TLSv1.2;
    and then resync all websites on the master?
    ahrasis likes this.
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Gwyneth Llewelyn likes this.
  12. Dogbreath

    Dogbreath New Member

    If you are struggling with this not working as expected after hours and hours of changing, applying, checking, etc, check what SSLProtocol is in:
    I found this was overriding every SSLProtocol setting, everywhere else.
    Gwyneth Llewelyn likes this.

Share This Page