ERR_SSL_PROTOCOL_ERROR - only TLSv1.2 enabled?

Some of my clients receive an ERR_SSL_PROTOCOL_ERROR when visiting a website which I host with Virtualmin. I'm thinking this might be related to the fact that only TLSv1.2 is enabled for this site. In the vhost Apache config I have the following SSL directives:

SSLEngine on
SSLCertificateFile /home/xyz/ssl.cert
SSLCertificateKeyFile /home/xyz/ssl.key
SSLCACertificateFile /home/xyz/ssl.ca
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

With those settings only SSLv2 and SSLv3 should be disabled and all other protocols enabled. According to an SSL check at ssllabs.com, though, only TLSv1.2 is enabled. Does Virtualmin overwrite my vhost settings anywhere?

Best regards, Nico

Hi,

Yes, it’s configurable in Templates:

However, SSLCipherSuite seems to be restrictive. You could comment it out completely (leaving the defaults in use) or try setting it to something looser:

SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

Additionally, you could go to Webmin/Servers/Apache Webserver and use a relatively new feature to search through config files:

Thanks for your reply, Ilia. I adjusted the Server Templates in use to the following:

The vhost config file as well as the files /etc/apache2/apache2.conf and /etc/apache2/mods-available/ssl.conf now contain the following directives:

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

The test results from ssllabs.com, and also from cdn77.com/tls-test, still say that only TLSv1.2 is enabled. Are there any other places in Virtualmin where adjustments are needed?

It depends on the configuration but speaking defaults, I would say no!

In case you're talking about the Apache webserver, not the Webmin webserver (miniserv), there are no other options read by Apache aside from those that are searchable in Webmin/Servers/Apache Webserver/Edit Config Files/Search in files (as shown above in the screenshot).

Changing templates related to newly created websites, and tweaking them will not affect existing websites.

I expect that you've restarted Apache after editing its config files, otherwise it will still use the old configs.

Although I probably should first direct you to an easier path: simply check Services/Configure SSL Website/SSL Options for the currently active virtual server in the Virtualmin tab.

Example:

Changing templates related to newly created websites, and tweaking them will not affect existing websites.

I understand that, but as I said, I manually adjusted the SSLProtocol directive in the vhost configuration file to the same value as in the Server Template: SSLProtocol all -SSLv2 -SSLv3
Shouldn’t that be enough?

I expect that you've restarted Apache after editing its config files, otherwise it will still use the old configs.

Yes, I did that.

I would like to debug my vhost configuration. Is there some Apache command to dump out all the directives that are being applied to a specific vhost? There might be overlapping config values somewhere.
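Apache 2.4 can list the files it reads (apachectl -t -D DUMP_INCLUDES, 2.4.8+), but it does not dump the merged directives per vhost, so the following is an added example (not code from this thread, from Virtualmin or from Apache): a Python script that walks a config tree through its Include lines, reports every SSLProtocol/SSLCipherSuite directive with the context it lands in, and evaluates each SSLProtocol value the way mod_ssl does, so an overriding directive shows up. It assumes ServerRoot is the directory of the top-level file, that mod_ssl's built-in default is "all", and the demo() tree (apache2.conf, sites-enabled/xyz.conf) is constructed to mirror the thread.

```python
# Added example for this thread, not Virtualmin's or Apache's own code: list every
# SSLProtocol/SSLCipherSuite directive Apache reads (following Include) with its context.
import glob, os, re, tempfile

ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
CANON = {p.lower(): p for p in ALL | {"SSLv2"}}       # protocol names are case-insensitive
DIRECTIVE = re.compile(r"^(SSLProtocol|SSLCipherSuite)\s+(.+)$", re.I)
INCLUDE = re.compile(r"^Include(?:Optional)?\s+(\S+)", re.I)
VHOST = re.compile(r"^<VirtualHost\s+([^>]+)>", re.I)

def enabled_protocols(value):
    """mod_ssl rules: a bare token replaces the set, '+' adds, '-' removes,
    'all' expands to SSLv3 plus every TLS version."""
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        protos = ALL if name.lower() == "all" else {CANON.get(name.lower(), name)}
        enabled = set(protos) if op == "=" else enabled | protos if op == "+" else enabled - protos
    return enabled

def ssl_directives(path, root=None, context="global"):
    """Yield (file, line, context, directive, value) for the file and everything it Includes."""
    root = root or os.path.dirname(path)  # assumption: ServerRoot is the top-level file's directory
    for num, raw in enumerate(open(path), 1):
        line = raw.strip()                # '#' comment lines match none of the patterns below
        if m := VHOST.match(line):
            context = "<VirtualHost %s>" % m.group(1).strip()
        elif line.lower().startswith("</virtualhost"):
            context = "global"
        elif m := INCLUDE.match(line):
            for inc in sorted(glob.glob(os.path.join(root, m.group(1)))):
                yield from ssl_directives(inc, root, context)
        elif m := DIRECTIVE.match(line):
            yield path, num, context, m.group(1), m.group(2)

def effective_protocols(path):
    """Last SSLProtocol in a context wins; a vhost without one inherits the global value."""
    values = {ctx: v for _f, _n, ctx, d, v in ssl_directives(path) if d.lower() == "sslprotocol"}
    top = values.get("global", "all")     # mod_ssl's built-in default varies by version; 'all' assumed
    return {c: enabled_protocols(values.get(c, top)) for c in set(values) | {"global"}}

def demo():
    """Constructed tree mirroring the thread: a later SSLProtocol line in the vhost quietly wins."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "sites-enabled"))
    files = {"apache2.conf": "SSLProtocol all -SSLv2 -SSLv3\nInclude sites-enabled/*.conf\n",
             "sites-enabled/xyz.conf": "<VirtualHost *:443>\nSSLEngine on\n"
             "SSLProtocol all -SSLv2 -SSLv3\nSSLProtocol TLSv1.2\n</VirtualHost>\n"}
    for name, text in files.items():
        open(os.path.join(root, name), "w").write(text)
    return effective_protocols(os.path.join(root, "apache2.conf"))
```

On a real host, point ssl_directives() at /etc/apache2/apache2.conf and print every tuple it yields; the file and line number of each SSLProtocol and SSLCipherSuite occurrence is what tells you which one wins for the vhost.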

Guys, do you know that actually Google Chrome, Chromium and Firefox already do not (others will follow) / will not support anything below TLS 1.0? :)

https://www.globalsign.com/en/blog/disable-tls-10-and-all-ssl-versions/ - not only disable but remove… ehrm!

Guys, do you know that actually Google Chrome, Chromium and Firefox already do not (others will follow) / will not support anything below TLS 1.0? :)

If I don't enable TLSv1 and TLSv1.1, some users will receive the SSL protocol error instead of my actual website. How do I solve this problem? Could this error be related to something other than the protocol?