You currently have TLSv1 enabled. This version of TLS is being phased out.

Discussion in 'ISPConfig 3 Priority Support' started by JohnnyBeGood, Jan 8, 2018.

  1. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

  2. Taleman

    Taleman Active Member HowtoForge Supporter

  3. till

    till Super Moderator Staff Member ISPConfig Developer

    My Chrome browser does not show websites as insecure that use TLSv1. If you have a red padlock in the URL then you probably have a different issue. Did you buy an SSL cert or do you use Let's Encrypt? And please click on the padlock in the URL bar of Chrome to see why Chrome does not show it as valid.
     
  4. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

    Thanks for the replies guys!
    I'm using Debian Jessie v8.9 and ISPconfig Let's Encrypt

    Chrome does not show red padlock but simply says the site is not fully secure but it does not give reason for it?

     
    Last edited: Jan 8, 2018
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The error message explains the reason (image loading by http). Check your html code and CMS system settings, it seems that your website loads images or other content by http:// instead of https://
     
  6. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

    Thank you! I missed that part and I was able to narrow it down to my plugin for Shoutcast player that is obviously streaming unsecured stream. I've entered URL of one other random internet stream that is secured and I was getting green padlock!

    The website whynopadlock.com still shows warning about TLSv1 enabled and being phased out, how can I fix that?
     
  7. Taleman

    Taleman Active Member HowtoForge Supporter

    Disable TLSv1. Read the link I posted. At the end is the Mozilla SSL Configuration Generator.
     
  8. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

    So I don't want to modify something that will break ISPConfig or Apache. Can this be done through ISPConfig somehow?
    Code:
    <VirtualHost *:443>
        ...
        SSLEngine on
        SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
        SSLCertificateKeyFile   /path/to/private/key
    
        # Uncomment the following directive when using client certificate authentication
        #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication
    
    
        # HSTS (mod_headers is required) (15768000 seconds = 6 months)
        Header always set Strict-Transport-Security "max-age=15768000"
        ...
    </VirtualHost>
    
    # modern configuration, tweak to your needs
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder     on
    SSLCompression          off
    SSLSessionTickets       off
    
    # OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling          on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache        shmcb:/var/run/ocsp(128000)
    
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Set the SSL settings globally outside of ispconfig in the apache ssl config file of your setup. The required config is this:

    Code:
    # modern configuration, tweak to your needs
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
    
    # OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
     
  10. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

    Just to make sure I'm editing correct "apache ssl config file".
    I found # SSL Configuration under /etc/apache2/sites-available/ispconfig.vhost and this is how it looks:

    Code:
    ######################################################
    # This virtual host contains the configuration
    # for the ISPConfig controlpanel
    ######################################################
    
    Listen 8080
    NameVirtualHost *:8080
    
    <VirtualHost _default_:8080>
      ServerAdmin [email protected]
    
      <Directory /var/www/ispconfig/>
        <FilesMatch "\.ph(p3?|tml)$">
          SetHandler None
        </FilesMatch>
      </Directory>
      <Directory /usr/local/ispconfig/interface/web/>
        <FilesMatch "\.ph(p3?|tml)$">
          SetHandler None
        </FilesMatch>
      </Directory>
    
      <IfModule mod_fcgid.c>
        DocumentRoot /var/www/ispconfig/
        SuexecUserGroup ispconfig ispconfig
        <Directory /var/www/ispconfig/>
          Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
          AllowOverride AuthConfig Indexes Limit Options FileInfo
          <FilesMatch "\.php$">
            SetHandler fcgid-script
          </FilesMatch>
          FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
                Require all granted
              </Directory>
        IPCCommTimeout  7200
        MaxRequestLen 15728640
      </IfModule>
    
      <IfModule mpm_itk_module>
        DocumentRoot /usr/local/ispconfig/interface/web/
        AssignUserId ispconfig ispconfig
        AddType application/x-httpd-php .php
        <Directory /usr/local/ispconfig/interface/web>
          # php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp"
          Options +FollowSymLinks
          AllowOverride None
                Require all granted
                php_value magic_quotes_gpc        0
        </Directory>
      </IfModule>
    
      # ErrorLog /var/log/apache2/error.log
      # CustomLog /var/log/apache2/access.log combined
      ServerSignature Off
    
      <IfModule mod_security2.c>
        SecRuleEngine Off
      </IfModule>
    
      # SSL Configuration
      SSLEngine On
        SSLProtocol All -SSLv3
        SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
      SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
      #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    
      SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
      SSLHonorCipherOrder On
       
      <IfModule mod_headers.c>
        Header always add Strict-Transport-Security "max-age=15768000"
        RequestHeader unset Proxy early
      </IfModule>
    
        SSLUseStapling On
      SSLStaplingResponderTimeout 5
      SSLStaplingReturnResponderErrors Off
      </VirtualHost>
    
    <IfModule mod_ssl.c>
      SSLStaplingCache shmcb:/var/run/ocsp(128000)
    </IfModule>
    
    <Directory /var/www/php-cgi-scripts>
      AllowOverride None
        Require all denied
      </Directory>
    
    <Directory /var/www/php-fcgi-scripts>
      AllowOverride None
        Require all denied
      </Directory>
    
    Do I replace lines that do not match with the ones you posted?
    So far lines that I need to change are:
    SSLProtocol All
    SSLCipherSuite
    SSLCompression off (add this line)
    SSLSessionTickets off (add this line)
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the ISPConfig vhost file and not the global SSL config file. The global SSL config on current Debian versions is in the file /etc/apache2/mods-available/ssl.conf, and there you add / replace the SSL settings that I quoted.
     
  12. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

    I'm glad that I asked!
    So I commented out lines that were already in there and copied lines just before </IfModule> but apache is unable to start :(

    This is original file:
    Code:
    <IfModule mod_ssl.c>
    
        # Pseudo Random Number Generator (PRNG):
        # Configure one or more sources to seed the PRNG of the SSL library.
        # The seed data should be of good random quality.
        # WARNING! On some platforms /dev/random blocks if not enough entropy
        # is available. This means you then cannot use the /dev/random device
        # because it would lead to very long connection times (as long as
        # it requires to make more entropy available). But usually those
        # platforms additionally provide a /dev/urandom device which doesn't
        # block. So, if available, use this one instead. Read the mod_ssl User
        # Manual for more details.
        #
        SSLRandomSeed startup builtin
        SSLRandomSeed startup file:/dev/urandom 512
        SSLRandomSeed connect builtin
        SSLRandomSeed connect file:/dev/urandom 512
    
        ##
        ##  SSL Global Context
        ##
        ##  All SSL configuration in this context applies both to
        ##  the main server and all SSL-enabled virtual hosts.
        ##
    
        #
        #   Some MIME-types for downloading Certificates and CRLs
        #
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl    .crl
    
        #   Pass Phrase Dialog:
        #   Configure the pass phrase gathering process.
        #   The filtering dialog program (`builtin' is a internal
        #   terminal dialog) has to provide the pass phrase on stdout.
        SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
    
        #   Inter-Process Session Cache:
        #   Configure the SSL Session Cache: First the mechanism
        #   to use and second the expiring timeout (in seconds).
        #   (The mechanism dbm has known memory leaks and should not be used).
        #SSLSessionCache         dbm:${APACHE_RUN_DIR}/ssl_scache
        SSLSessionCache        shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
        SSLSessionCacheTimeout  300
    
        #   Semaphore:
        #   Configure the path to the mutual exclusion semaphore the
        #   SSL engine uses internally for inter-process synchronization.
        #   (Disabled by default, the global Mutex directive consolidates by default
        #   this)
        #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
    
    
        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate. See the
        #   ciphers(1) man page from the openssl package for list of all available
        #   options.
        #   Enable only secure ciphers:
        SSLCipherSuite HIGH:!aNULL
    
        # SSL server cipher order preference:
        # Use server priorities for cipher algorithm choice.
        # Clients may prefer lower grade encryption.  You should enable this
        # option if you want to enforce stronger encryption, and can afford
        # the CPU cost, and did not override SSLCipherSuite in a way that puts
        # insecure ciphers first.
        # Default: Off
        #SSLHonorCipherOrder on
    
        #   The protocols to enable.
        #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
        #   SSL v2  is no longer supported
        SSLProtocol all -SSLv3
    
        #   Allow insecure renegotiation with clients which do not yet support the
        #   secure renegotiation protocol. Default: Off
        #SSLInsecureRenegotiation on
    
        #   Whether to forbid non-SNI clients to access name based virtual hosts.
        #   Default: Off
        #SSLStrictSNIVHostCheck On
    
    </IfModule>
    
    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
    
    And this is the modified version, which gives the error below, starting at the line SSLSessionTickets off:

    Code:
    <IfModule mod_ssl.c>
    
        # Pseudo Random Number Generator (PRNG):
        # Configure one or more sources to seed the PRNG of the SSL library.
        # The seed data should be of good random quality.
        # WARNING! On some platforms /dev/random blocks if not enough entropy
        # is available. This means you then cannot use the /dev/random device
        # because it would lead to very long connection times (as long as
        # it requires to make more entropy available). But usually those
        # platforms additionally provide a /dev/urandom device which doesn't
        # block. So, if available, use this one instead. Read the mod_ssl User
        # Manual for more details.
        #
        SSLRandomSeed startup builtin
        SSLRandomSeed startup file:/dev/urandom 512
        SSLRandomSeed connect builtin
        SSLRandomSeed connect file:/dev/urandom 512
    
        ##
        ##  SSL Global Context
        ##
        ##  All SSL configuration in this context applies both to
        ##  the main server and all SSL-enabled virtual hosts.
        ##
    
        #
        #   Some MIME-types for downloading Certificates and CRLs
        #
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl    .crl
    
        #   Pass Phrase Dialog:
        #   Configure the pass phrase gathering process.
        #   The filtering dialog program (`builtin' is a internal
        #   terminal dialog) has to provide the pass phrase on stdout.
        SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase
    
        #   Inter-Process Session Cache:
        #   Configure the SSL Session Cache: First the mechanism
        #   to use and second the expiring timeout (in seconds).
        #   (The mechanism dbm has known memory leaks and should not be used).
        #SSLSessionCache         dbm:${APACHE_RUN_DIR}/ssl_scache
        SSLSessionCache        shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
        SSLSessionCacheTimeout  300
    
        #   Semaphore:
        #   Configure the path to the mutual exclusion semaphore the
        #   SSL engine uses internally for inter-process synchronization.
        #   (Disabled by default, the global Mutex directive consolidates by default
        #   this)
        #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache
    
    
        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate. See the
        #   ciphers(1) man page from the openssl package for list of all available
        #   options.
        #   Enable only secure ciphers:
        #SSLCipherSuite HIGH:!aNULL
    
        # SSL server cipher order preference:
        # Use server priorities for cipher algorithm choice.
        # Clients may prefer lower grade encryption.  You should enable this
        # option if you want to enforce stronger encryption, and can afford
        # the CPU cost, and did not override SSLCipherSuite in a way that puts
        # insecure ciphers first.
        # Default: Off
        #SSLHonorCipherOrder on
    
        #   The protocols to enable.
        #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
        #   SSL v2  is no longer supported
        #SSLProtocol all -SSLv3
    
        #   Allow insecure renegotiation with clients which do not yet support the
        #   secure renegotiation protocol. Default: Off
        #SSLInsecureRenegotiation on
    
        #   Whether to forbid non-SNI clients to access name based virtual hosts.
        #   Default: Off
        #SSLStrictSNIVHostCheck On
    
        # modern configuration, tweak to your needs
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
    
    # OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
     
    </IfModule>
    
    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
    
    Code:
    [email protected]:~# /etc/init.d/apache2 restart
    [....] Restarting apache2 (via systemctl): apache2.serviceJob for apache2.service failed. See 'systemctl status apache2.service' and 'journalc                          tl -xn' for details.
    failed!
    [email protected]:~# systemctl status apache2.service
    ● apache2.service - LSB: Apache2 web server
       Loaded: loaded (/etc/init.d/apache2)
      Drop-In: /lib/systemd/system/apache2.service.d
               └─forking.conf
       Active: failed (Result: exit-code) since Wed 2018-01-10 14:12:16 PST; 2s ago
      Process: 7743 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
      Process: 8756 ExecReload=/etc/init.d/apache2 reload (code=exited, status=0/SUCCESS)
      Process: 7990 ExecStart=/etc/init.d/apache2 start (code=exited, status=1/FAILURE)
    
    Jan 10 14:12:16 debian.mydomain.us apache2[7990]: Starting web server: apache2 failed!
    Jan 10 14:12:16 debian.mydomain.us apache2[7990]: The apache2 configtest failed. ... (warning).
    Jan 10 14:12:16 debian.mydomain.us apache2[7990]: Output of config test was:
    Jan 10 14:12:16 debian.mydomain.us apache2[7990]: AH00526: Syntax error on line 88 of /etc/apache2/mods-enabled/ssl.conf:
    Jan 10 14:12:16 debian.mydomain.us apache2[7990]: Invalid command 'SSLSessionTickets', perhaps misspelled or defined by a module not ...uration
    Jan 10 14:12:16 debian.mydomain.us apache2[7990]: Action 'configtest' failed.
    Jan 10 14:12:16 debian.mydomain.us apache2[7990]: The Apache error log may have more information.
    Jan 10 14:12:16 debian.mydomain.us systemd[1]: apache2.service: control process exited, code=exited status=1
    Jan 10 14:12:16 debian.mydomain.us systemd[1]: Failed to start LSB: Apache2 web server.
    Jan 10 14:12:16 debian.mydomain.us systemd[1]: Unit apache2.service entered failed state.
    Hint: Some lines were ellipsized, use -l to show in full.
    [email protected]:~#
    
    
    What am I doing wrong?
     
    Last edited: Jan 10, 2018
  13. Taleman

    Taleman Active Member HowtoForge Supporter

    Syntax error on line 88 of /etc/apache2/mods-enabled/ssl.conf:
     
  14. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

    I was able to get it to work and will post my solution tomorrow, and at which step I made a mistake.
     
    Last edited: Jan 11, 2018
  15. JohnnyBeGood

    JohnnyBeGood Member HowtoForge Supporter

    Here's my solution in case others run into same issue.

    The reason for the line 88 error is this line: SSLSessionTickets off. When I copied the config file from https://mozilla.github.io/server-side-tls/ssl-config-generator/ I did not select the correct version of Apache and OpenSSL https://prnt.sc/hz3ww1 and that's why it was included in that config. You have to manually start typing in those boxes. You can find the correct versions by running apachectl -V and apt-cache policy openssl.
    After that, Apache restarted without any errors, and the whynopadlock site no longer shows that warning.

    Thanks guys!
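To make the two pitfalls in this thread checkable before restarting Apache, here is an added Python example; it is not code from the thread, from ISPConfig or from Mozilla's generator. It applies mod_ssl's SSLProtocol semantics to work out which versions are really enabled (a token without a +/- prefix replaces the set built so far, which httpd warns about as "overrides already set parameter(s)"), flags cipher-string entries such as 3DES that a modern profile should not carry, and compares each directive against the first httpd release documented to support it, which is what turned the SSLSessionTickets line into a configtest syntax error on an older Apache. The sample ssl.conf and the apachectl -V output are constructed, the minimum versions are taken from the mod_ssl documentation, and the weak-cipher keyword list is a heuristic of my own, not an OpenSSL cipher-string evaluator.

```python
"""Static sanity checks for Apache mod_ssl settings (added example, not ISPConfig code)."""
import re
from typing import Dict, List, Set, Tuple

Version = Tuple[int, int, int]

# Protocol tokens a 2.4.x mod_ssl without TLS 1.3 support understands.
# Pass a different list if the build also knows TLSv1.3 (httpd 2.4.36+ / OpenSSL 1.1.1+).
DEFAULT_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Directive -> first httpd release documented to know it (mod_ssl documentation).
MIN_HTTPD_VERSION: Dict[str, Version] = {
    "SSLSessionTickets": (2, 4, 11),
    "SSLCompression": (2, 4, 3),
    "SSLUseStapling": (2, 3, 3),
    "SSLStaplingCache": (2, 3, 3),
    "SSLStaplingResponderTimeout": (2, 3, 3),
    "SSLStaplingReturnResponderErrors": (2, 3, 3),
}

# Heuristic markers for cipher suites a modern profile should not offer.
WEAK_CIPHER_MARKERS = ("DES-CBC3", "RC4", "NULL", "EXP", "MD5", "ADH", "AECDH")

# Constructed sample: a trimmed ssl.conf with the "modern" block pasted in.
SAMPLE_SSL_CONF = """\
<IfModule mod_ssl.c>
    SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    SSLSessionCacheTimeout 300
    #SSLCipherSuite HIGH:!aNULL
    #SSLProtocol all -SSLv3

    # modern configuration, tweak to your needs
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
    SSLUseStapling on
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>
"""

# Constructed sample of the first lines of `apachectl -V` on an older box.
SAMPLE_APACHECTL_V = """\
Server version: Apache/2.4.10 (Debian)
Server built:   Sep 15 2016 20:44:43
"""


def directives(config_text: str) -> List[Tuple[str, str]]:
    """Return (name, value) for active directive lines; comments and <tags> are skipped."""
    out = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split(None, 1)
        out.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return out


def enabled_protocols(value: str, supported=DEFAULT_PROTOCOLS) -> Set[str]:
    """Apply mod_ssl's SSLProtocol rules: '+X' adds, '-X' removes, 'all' is every
    supported version, and an unprefixed token REPLACES what was built so far."""
    canon = {p.lower(): p for p in supported}
    enabled: Set[str] = set()
    for token in value.split():
        action = ""
        if token[0] in "+-":
            action, token = token[0], token[1:]
        if token.lower() == "all":
            names = set(supported)
        elif token.lower() in canon:
            names = {canon[token.lower()]}
        else:
            raise ValueError(f"Illegal protocol {token!r} for SSLProtocol")
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = names
    return enabled


def weak_ciphers(value: str) -> List[str]:
    """Cipher-string entries matching a weak marker; '!'/'-' exclusions are skipped."""
    return [e for e in value.split(":")
            if not e.startswith(("!", "-"))
            and any(m in e.upper() for m in WEAK_CIPHER_MARKERS)]


def parse_httpd_version(apachectl_v_output: str) -> Version:
    """Extract (major, minor, patch) from the 'Server version:' line of apachectl -V."""
    m = re.search(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)", apachectl_v_output)
    if not m:
        raise ValueError("no 'Server version: Apache/x.y.z' line found")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def audit(config_text: str, httpd_version: Version, supported=DEFAULT_PROTOCOLS) -> Dict[str, object]:
    """Report deprecated protocols, weak ciphers, and directives this httpd is too old for."""
    report: Dict[str, object] = {"deprecated_protocols": set(), "weak_ciphers": [], "unknown_directives": []}
    for name, value in directives(config_text):
        if name == "SSLProtocol":  # last directive in a context wins
            report["deprecated_protocols"] = enabled_protocols(value, supported) & DEPRECATED_PROTOCOLS
        elif name == "SSLCipherSuite":
            report["weak_ciphers"] = weak_ciphers(value)
        needed = MIN_HTTPD_VERSION.get(name)
        if needed and httpd_version < needed:
            report["unknown_directives"].append((name, needed))  # type: ignore[union-attr]
    return report


if __name__ == "__main__":
    for key, val in audit(SAMPLE_SSL_CONF, parse_httpd_version(SAMPLE_APACHECTL_V)).items():
        print(f"{key}: {val}")
```

Run it against your own files by replacing the two constructed samples with the contents of /etc/apache2/mods-available/ssl.conf and the real `apachectl -V` output; an entry under unknown_directives is a line that `apachectl configtest` will reject on that Apache version, so drop it or upgrade before restarting.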
     
