Need to change SSL ciphers

SYSTEM INFORMATION
OS type and version Ubuntu 20.05
Virtualmin version 7.10

It has come to my attention that my SSL security could be better. I need to change my SSL ciphers to the latest recommendation. I was expecting to find them in /etc/apache2/sites-enabled/*.conf in a virtualhost but I didn’t. This is what I have

SSLEngine on
SSLCertificateFile /home/egcw/domains/domain.com/ssl.cert
SSLCertificateKeyFile /home/egcw/domains/domain.com/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCACertificateFile /home/egcw/domains/domain.com/ssl.ca

There is no mention of SSL ciphers. I also checked many other .conf files in apache2/ but didn’t find it.

I could add my ciphers here but I would like to update them for all the domains, and if there is a common place where Virtualmin puts them, I’d like to know about it. I have dozens of domains on the server and manually editing each virtualhost will take hours.

I ran a test at https://www.ssllabs.com/ on my website and it looks fine.

Why are you worried?

@stefan1959, don’t get me wrong, but in which way does your response help here?

I’m not aware of a common spot for the config that then applies to all domains - but stand corrected if there is.

If it’s only a handful of domains, just add SSLCipherSuite HIGH:!aNULL underneath the SSL lines and you should be ready to go. Don’t forget to restart your web server.

Trying to find what the issue is; the report shows ciphers are fine, I can’t see the issue.
It wasn’t meant to help.
I’ll leave it to you from now on.

Rating is on A, not A+ and this drop looks like it is the cipher strength and therefore key exchange as well.

Is the cipher strength determined in the default apache.conf but can be overridden on local domains?

I would be interested to know as mine is only showing A

All my websites are sporting A+ ratings but never show all bars to hit 100%. However, I still can’t figure how this should help with the original request…

Many, many moons ago, I put mine there but it had no effect on the websites. After I stored it in the respective conf file, it showed effect. Hence, I reckon there’s no central conf file that would serve as a master template for website configs.

The cipher order can change you from an A to an A+.

@stefan1959 Each domain has its own ratings. My domains are on B rating. This server was set up 4 years ago and I’m guessing the ciphers are the best recommendation of that time and never updated.

I’d like to know how Virtualmin is set up for this. Because normally SSLCipherSuite is not skipped in Apache configs. The fact that Virtualmin is not putting them in the servers it creates, there must be a reason for that. Of course there are defaults loading from somewhere. Where though? Calling Virtualmin staff!

This is a configuration that I use for all of my websites (all A+ rated on SSLLabs). Have a look and see where discrepancies resp. room for improvement are:

<VirtualHost xx.xx.xx.xx:80 [xxxx:xxxx:xxxx:xxxx]:80>
    ServerName EXAMPLE.COM
    ServerAlias www.EXAMPLE.COM
    ServerAlias mail.EXAMPLE.COM
    ServerAlias webmail.EXAMPLE.COM
    ServerAlias admin.EXAMPLE.COM
    ServerAlias autoconfig.EXAMPLE.COM
    ServerAlias autodiscover.EXAMPLE.COM
    DocumentRoot /home/EXAMPLEUSER/public_html
    ErrorLog /var/log/virtualmin/EXAMPLE.COM_error_log
    CustomLog /var/log/virtualmin/EXAMPLE.COM_access_log combined
    DirectoryIndex index.php index.htm index.html
    <Directory /home/EXAMPLEUSER/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    <Directory /home/EXAMPLEUSER/cgi-bin>
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    ProxyPass /.well-known !
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.EXAMPLE.COM
    RewriteRule ^(?!/.well-known)(.*) https://EXAMPLE.COM:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.EXAMPLE.COM
    RewriteRule ^(?!/.well-known)(.*) https://EXAMPLE.COM:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php8.3
    <FilesMatch \.php$>
        SetHandler proxy:unix:/run/php/1713175053387411.sock|fcgi://127.0.0.1
    </FilesMatch>
    Redirect /mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    Redirect /.well-known/autoconfig/mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    ScriptAlias /AutoDiscover/AutoDiscover.xml /home/EXAMPLEUSER/cgi-bin/autoconfig.cgi
    ScriptAlias /Autodiscover/Autodiscover.xml /home/EXAMPLEUSER/cgi-bin/autoconfig.cgi
    ScriptAlias /autodiscover/autodiscover.xml /home/EXAMPLEUSER/cgi-bin/autoconfig.cgi
</VirtualHost>
<VirtualHost xx.xx.xx.xx:443 [xxxx:xxxx:xxxx:xxxx]:443>
    ServerName EXAMPLE.COM
    ServerAlias www.EXAMPLE.COM
    ServerAlias mail.EXAMPLE.COM
    ServerAlias webmail.EXAMPLE.COM
    ServerAlias admin.EXAMPLE.COM
    ServerAlias autoconfig.EXAMPLE.COM
    ServerAlias autodiscover.EXAMPLE.COM
    DocumentRoot /home/EXAMPLEUSER/public_html
    ErrorLog /var/log/virtualmin/EXAMPLE.COM_error_log
    CustomLog /var/log/virtualmin/EXAMPLE.COM_access_log combined
    DirectoryIndex index.php index.htm index.html
    <Directory /home/EXAMPLEUSER/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    <Directory /home/EXAMPLEUSER/cgi-bin>
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    ProxyPass /.well-known !
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.EXAMPLE.COM
    RewriteRule ^(?!/.well-known)(.*) https://EXAMPLE.COM:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.EXAMPLE.COM
    RewriteRule ^(?!/.well-known)(.*) https://EXAMPLE.COM:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php8.3
    <FilesMatch \.php$>
        SetHandler proxy:unix:/run/php/1713175053387411.sock|fcgi://127.0.0.1
    </FilesMatch>
    Protocols h2 h2c
    SSLEngine on
    SSLCertificateFile /home/EXAMPLEUSER/ssl.cert
    SSLCertificateKeyFile /home/EXAMPLEUSER/ssl.key
    SSLCACertificateFile /home/EXAMPLEUSER/ssl.ca
    Redirect /mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    Redirect /.well-known/autoconfig/mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    ScriptAlias /AutoDiscover/AutoDiscover.xml /home/EXAMPLEUSER/cgi-bin/autoconfig.cgi
    ScriptAlias /Autodiscover/Autodiscover.xml /home/EXAMPLEUSER/cgi-bin/autoconfig.cgi
    ScriptAlias /autodiscover/autodiscover.xml /home/EXAMPLEUSER/cgi-bin/autoconfig.cgi
</VirtualHost>

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL
SSLHonorCipherOrder on
SSLSessionTickets off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL

maybe

If they are on Virtualmin and using Let’s Encrypt, and that should set up the same settings on each site, why would the ratings be different?

I just tested 4 sites to confirm and got exactly the same result. All rating A and all showing the same as the screenshot.

This is the cipher suite from my dev server’s global apache.conf; it doesn’t look ideal.

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

These 2 should be configurable options in the GUI, but I can’t find them. I know in Virtualmin you can add or remove SSL/TLS versions, but this is not global.

I found the common file. It’s /etc/apache2/mods-available/ssl.conf. Found it using the grep command.

This is what I had in the file:

SSLCipherSuite HIGH:!aNULL
SSLProtocol all -SSLv3

And I had a B grade with this. I replaced these with:

SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

Now I have A grade on all the domains.


These are very important options and should be configurable through the GUI.

I also think the virtualmin installer should set

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL

Or the best version of this. I do not know what !aNULL means

This is the same as what I wrote initially. Glad it works for you… Now the challenge is to get that plus behind the A… :wink:

SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL

Meh. Good enough haha
