Deactivate TLS 1 / 1.1

  • Hello,


    What is the recommended way in i-MSCP to deactivate TLS 1.0 and 1.1? I don't want to break any of the auto-config stuff. Deactivating it for all webs would be acceptable.


    regards

    Darky

  • 1. Edit /etc/apache2/sites-enabled/00_nameserver.conf

    A. Substitute

    Code
    SSLProtocol all -SSLv2 -SSLv3

    with:

    Code
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

    B. Substitute

    Code
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

    with:

    Code
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256

    2. Restart apache2

    3. Test with ssllabs.com


    Your changes should be kept on reconfigurations also. If you need to reinstall or to run the installer again, you'll need to reapply these changes.


    Hope it helps,

    bye Kess.
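Since the edits above have to be reapplied after a reinstall, a local check of the vhost file is handy before going back to ssllabs.com. The script below is an added example, not part of the original posts or of i-MSCP: it evaluates `SSLProtocol` with a simplified model of mod_ssl's token rules (bare token replaces, `+`/`-` adjust) and lists `SSLCipherSuite` entries that are not explicitly named ECDHE/DHE suites. The set that `all` expands to, the function names and the abbreviated sample config are assumptions made for the example.

```python
import re

# Protocols "all" expands to (assumption: current OpenSSL build; SSLv2 is gone).
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

def effective_protocols(value):
    """Simplified model of how mod_ssl evaluates an SSLProtocol value."""
    enabled = set()
    for token in value.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-")
        protos = ALL if name.lower() == "all" else {name} & ALL
        if sign == "-":
            enabled -= protos
        elif sign == "+":
            enabled |= protos
        else:  # a bare token replaces whatever was set so far
            enabled = set(protos)
    return enabled

def audit(conf_text):
    """Return (line_no, finding) tuples for the text of one Apache config file."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*(SSLProtocol|SSLCipherSuite)\s+(.+)", line, re.I)
        if not m:
            continue
        directive, value = m.group(1).lower(), m.group(2).strip()
        if directive == "sslprotocol":
            legacy = sorted(effective_protocols(value) & LEGACY)
            if legacy:
                findings.append((no, "legacy protocols enabled: " + ", ".join(legacy)))
        else:
            # "!" entries are exclusions; anything else should be ECDHE-/DHE-.
            loose = [c for c in value.split(":") if not c.startswith(("!", "ECDHE-", "DHE-"))]
            if loose:
                findings.append((no, "not explicit ECDHE/DHE suites: " + ", ".join(loose)))
    return findings

# Constructed sample, abbreviated from the directives in this thread.
BEFORE = """<VirtualHost *:443>
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL
</VirtualHost>"""
AFTER = BEFORE.replace("-SSLv3", "-SSLv3 -TLSv1 -TLSv1.1").replace(
    ":AES128-SHA:DES-CBC3-SHA:!aNULL", ":DHE-RSA-AES256-GCM-SHA384")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text) or "ok")
```

To check a real file, pass its contents to `audit()`, for example the text of /etc/apache2/sites-enabled/00_nameserver.conf.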

  • Can the same ciphers be used in /etc/nginx/nginx.conf too?


    ssl_protocols TLSv1.2;

    ssl_ciphers ....


    #### edit ###

    got it w/ A+ score!

    for buster I use:

    https://ssl-config.mozilla.org…nssl=1.1.1d&guideline=5.6


    Edited 2 times, last by fulltilt.