SSLv1 & SSLv1.1 - remove or not

Discussion in 'ISPConfig 3 Priority Support' started by molahs, Sep 15, 2020.

  1. molahs

    molahs Member HowtoForge Supporter

    I had one of my the sites we host audited for security and was requested to disable SSLv1 and SSLv1.1.
    I noticed that ISPConfig template has an entry for them in /usr/local/ispconfig/server/conf/nginx_vhost.conf.master
    The line is: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    Is it safe to remove this from the master file and replace with: ssl_protocols TLSv1.2 TLSv1.3;

    TIA
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That should be fine, unless some of your users have devices like older android phones or settop boxes that won't be able to connect to your server then anymore.
     
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Using Internet Search Engines with
    Code:
    disable SSLv1 and SSLv1.1. site:howtoforge.com
    finds answers on how to do it.
    And it is safe to disable those, but then some old clients can no longer connect.
     
  4. molahs

    molahs Member HowtoForge Supporter

    Thank you both for responding.
    I have changed the vhost file here /etc/nginx/sites-available
    upload_2020-9-15_10-3-1.png

    and also changed /usr/local/ispconfig/server/conf/nginx_vhost.conf.master
    upload_2020-9-15_9-58-59.png

    Did 'service nginx reload' and 'service nginx restart'
    However, https://www.ssllabs.com/ssltest/analyze.html?d=shieldbp.com still shows that TLS 1.0 and TLS 1.1 are enabled and TLS 1.3 is not.
    What am I missing?
     

    Attached Files:

  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Check all other vhosts, if a single vhost still uses the old protocol, then the old protocol is available for all other vhosts as well.

    copy the file to /usr/local/ispconfig/server/conf-custom/ folder to ensure that your manual changes don't get overwritten by an update.
     
  6. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

    Isn't it better to run a resync?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Either that, or he can use tools like sed, depending on his Linux knowledge. But using Resync is definitely an option :)
     
  8. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

    I would advice you to that then: Tools -> Resync, and then resync your websites after putting the nginx_vhost.conf.master in the conf-custom folder. This way, all vhosts are rebuild based on the new vhost.conf.master.
     
  9. molahs

    molahs Member HowtoForge Supporter

    This worked. Thanks!
     

Share This Page