(1) Google says: “Your connection is encrypted using an obsolete cipher suite”
Recent Google messages showing on SSL certificates, “Your connection is encrypted using an obsolete cipher suite”, are annoying to those who purchased a new SSL certificate and get scared about the encryption being obsolete.
(2) Google says: “Your connection is encrypted using a modern cipher suite”
(2.1) Enable headers mod for Apache2
a2enmod headers
service apache2 restart
(2.2) Edit default-ssl and/or other SSL enabled sites:
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /path/to/signed_certificate
SSLCertificateChainFile /path/to/intermediate_certificate
SSLCertificateKeyFile /path/to/private/key
SSLCACertificateFile /path/to/all_ca_certs
# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
(3) Virtualmin
Virtualmin over port 10000 or 20000 shows the SSL Certificate information, saying the encryption is obsolete, which obviously means it doesn’t use Apache2’s <VirtualHost *:443> SSL configuration.
(4) Question
Where and how can we edit the SSL options for Virtualmin over port 10000 or 20000, or any other port, to use the above settings for port 443, since it doesn’t seem to be using Apache2 and its settings at all?
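To see what each port actually negotiates, the following check handshakes with port 443 and the panel ports and labels the result. It is an added example, not part of the original post: `classify` and `probe` are hypothetical helper names, and the modern/obsolete rule (TLS 1.2 or later, ephemeral key exchange, AEAD cipher) is an assumption about the browser's criteria, not something the page states.

```python
import socket
import ssl

AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")   # authenticated-encryption ciphers
FS_PREFIXES = ("ECDHE-", "DHE-")            # ephemeral (forward-secret) key exchange


def classify(protocol, cipher):
    """Return 'modern' or 'obsolete' for a negotiated protocol/cipher pair.

    Assumed rule (not taken from the page): TLS 1.2+ with an ephemeral
    key exchange and an AEAD cipher counts as modern.
    """
    if protocol == "TLSv1.3":
        return "modern"  # every TLS 1.3 suite is ephemeral + AEAD
    if protocol != "TLSv1.2":
        return "obsolete"
    forward_secret = cipher.startswith(FS_PREFIXES)
    aead = any(marker in cipher for marker in AEAD_MARKERS)
    return "modern" if forward_secret and aead else "obsolete"


def probe(host, port, timeout=5.0):
    """Handshake with host:port and return (protocol, cipher, verdict)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Diagnostic only: certificate checks are off so a panel with a
    # self-signed certificate can be inspected. No application data is sent.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, _ = tls.cipher()
            proto = tls.version()
    return proto, name, classify(proto, name)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    # Ports named in the post: Apache on 443, the panel on 10000 / 20000.
    for port in (443, 10000, 20000):
        try:
            print(port, *probe(host, port))
        except OSError as exc:  # includes ssl.SSLError and refused connections
            print(port, "handshake failed:", exc)
```

The result reflects what this Python client and the server agree on, so it can differ from what a given browser negotiates; a handshake failure on a port usually means the server only offers protocol versions the local OpenSSL build refuses.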