Disable TLS 1.1 as default

ditto

Please consider this feature request: Please disable TLS 1.1 as default in DirectAdmin before the end of the year.

The argument is that all major browsers will disable TLS 1.1 support at the beginning of 2020; here are the deadlines (the browsers will disable TLS 1.0 and TLS 1.1 by those dates):

Code:
Browser Name		Date
Microsoft IE and Edge	First half of 2020
Mozilla Firefox		March 2020
Safari/Webkit		March 2020
Google Chrome		January 2020

Here is a quote from last year's blog post at SSLlabs: https://blog.qualys.com/ssllabs/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols

TLS 1.0 and TLS 1.1 protocols will be removed from browsers at the beginning of 2020. As there are no fixes or patches that can adequately fix SSL or deprecated TLS, it is critically important that organizations upgrade to a secure alternative as soon as possible.

Also, if your customers use the SSL Server Test at https://www.ssllabs.com/ssltest/ - the grade of your server will be capped to B from January 2020 if you still support TLS 1.1
 
Yes, that is what I mean. However, maybe not email; I would have to study the implications for older email clients and how many are still using them.
 

It is so difficult to explain if hundreds of customers cannot use their email anymore because we suddenly disable TLS 1.1 and their OS or application does not support TLS 1.2 yet ;-)
Sometimes you have to find the middle road between security and usability, despite what organizations *advise* us to do.
 
Hi guys,

We're definitely working on this at the moment.
We're probably going to add an options.conf setting for this (apache/nginx), but possibly leaving email alone for the moment.
The new default will drop TLSv1.1 and older, but the option would allow you to set it to "old" so you'd still be able to use it if you need to drop it back down again.
Of course, it will also allow for easy customizing without overwrites (still deciding on the exact means to do this, but we're close)

Once done, it should be as simple as a build update and rewrite_confs.

John
 
Hi guys,

We're definitely working on this at the moment.
We're probably going to add an options.conf setting for this (apache/nginx), but possibly leaving email alone for the moment.
The new default will drop TLSv1.1 and older, but the option would allow you to set it to "old" so you'd still be able to use it if you need to drop it back down again.
Of course, it will also allow for easy customizing without overwrites (still deciding on the exact means to do this, but we're close)

Once done, it should be as simple as a build update and rewrite_confs.

John
THANKS

Hello John, take care of CentOS 8 also, with its new
system-wide crypto policies
in combination with DA.

In my experience it is better to explain to customers, set an end date for them and go for it, while those customers that don't mind updating their systems are mostly the bad ones, and giving headache (they have breaches, viruses, spamming, phishing problems and worse, blaming you if something goes wrong!) :mad:

They have to be taught and managed to go for better updates and security. (Also, if not, they are a danger for the WEB.)
 
@John,

So I guess it will be either a new token in web-servers templates, or a string replacement done by custombuild. A token would be more accurate and preferable I'd rather say.
 
OK, you can see the following files with the content:

- /etc/httpd/conf/extra/httpd-ssl-protocol.modern.conf

Code:
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder     off
SSLSessionTickets       off


- /etc/httpd/conf/extra/httpd-ssl-protocol.intermediate.conf

Code:
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off


- /etc/httpd/conf/extra/httpd-ssl-protocol.old.conf

Code:
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder On

So it's almost there already. I don't find files included anywhere else yet.

Code:
[root@server etc]# grep httpd-ssl-protocol -R /etc/httpd/conf/ /usr/local/directadmin/data/templates/
[root@server etc]#

So it will be the next step I believe.
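The three files quoted above differ only in how far the SSLProtocol line cuts back the version list, and it is easy to misread which versions a given line still leaves on (the last post in this thread asks exactly that about "intermediate"). The script below is an added example, not DirectAdmin or CustomBuild code: it applies mod_ssl's left-to-right SSLProtocol semantics ("all", then "+name"/"-name") to the three directives from the thread, embedded here as constructed sample input, and flags any deprecated version that survives.

```python
"""Parse Apache mod_ssl `SSLProtocol` directives and report which TLS/SSL
versions each DirectAdmin profile actually leaves enabled.  Added example;
the parser is not part of DirectAdmin/CustomBuild, only the three
SSLProtocol lines are copied from the thread."""
import re

# Every protocol keyword mod_ssl accepts, oldest first.  "all" expands to
# this list minus SSLv2 (mod_ssl dropped SSLv2 years ago, so "-SSLv2" is a no-op).
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
ALL_SET = set(PROTOCOLS) - {"SSLv2"}

# Versions browsers dropped in 2020 and that SSL Labs caps the grade at B for.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_ssl_protocol(directive: str) -> set:
    """Return the set of versions enabled by one SSLProtocol line.

    Tokens are applied left to right, as mod_ssl does: 'all' enables every
    supported version, 'name' or '+name' adds one, '-name' removes one.
    Keywords are case-insensitive ("All" and "all" are the same)."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError(f"not an SSLProtocol directive: {directive!r}")
    by_lower = {p.lower(): p for p in PROTOCOLS}
    enabled = set()
    for tok in tokens[1:]:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        key = name.lower()
        if key == "all":
            wanted = ALL_SET
        elif key in by_lower:
            wanted = {by_lower[key]}
        else:
            raise ValueError(f"unknown protocol keyword {name!r}")
        if sign == "-":
            enabled -= wanted
        else:
            enabled |= wanted
    return enabled


def find_directive(config_text: str) -> str:
    """Return the last SSLProtocol line in a config snippet (later lines win in Apache)."""
    lines = [l.strip() for l in config_text.splitlines()]
    matches = [l for l in lines if re.match(r"(?i)sslprotocol\b", l)]
    if not matches:
        raise ValueError("no SSLProtocol directive found")
    return matches[-1]


def audit(configs: dict) -> dict:
    """Map profile name -> (enabled versions, deprecated versions still enabled, oldest first)."""
    report = {}
    for name, text in configs.items():
        enabled = parse_ssl_protocol(find_directive(text))
        still_on = sorted(enabled & DEPRECATED, key=PROTOCOLS.index)
        report[name] = (enabled, still_on)
    return report


# Constructed sample input: the SSLProtocol lines of the three files quoted in the thread.
SAMPLE_CONFIGS = {
    "modern": "SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2\nSSLHonorCipherOrder     off\n",
    "intermediate": "SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1\nSSLHonorCipherOrder     off\n",
    "old": "SSLProtocol All -SSLv2 -SSLv3 -TLSv1\nSSLHonorCipherOrder On\n",
}

if __name__ == "__main__":
    for profile, (enabled, still_on) in audit(SAMPLE_CONFIGS).items():
        verdict = "OK" if not still_on else "still allows " + ", ".join(still_on)
        print(f"{profile:<13} {sorted(enabled, key=PROTOCOLS.index)}  ->  {verdict}")
```

Run it and "modern" comes out as TLSv1.3 only (hence the OpenSSL 1.1 requirement mentioned later in the thread), "intermediate" as TLSv1.2 and TLSv1.3, and "old" as TLSv1.1 through TLSv1.3, with TLSv1.1 flagged. The parser only tells you what the file asks for; to confirm what a running server actually negotiates, a handshake attempt such as `openssl s_client -tls1_1 -connect host:443` should fail against a profile that no longer lists TLSv1.1.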
 
ssl_configuration=modern/intermediate/old should be set in the options.conf in newest versions of CB 2.0.
 
ssl_configuration=modern/intermediate/old should be set in the options.conf in newest versions of CB 2.0.

Do these settings only apply to Apache? Would it be possible to post a description of the details of each setting?
 
Do these settings only apply to Apache? Would it be possible to post a description of the details of each setting?

As mentioned in "opt_help" (CB documentation), the list is generated from https://ssl-config.mozilla.org. No, they don't only apply to apache. They're also applied to OpenLiteSpeed, LiteSpeed, Nginx, ProFTPd and Pure-FTPd. The list might be extended in the future.
 
Thank you for the information. That's great. I will try it out soon. Should it be safe to use the "Modern" setting on CentOS 7 servers also, or would it need to be CentOS 8 for that setting?
 
Thank you for the information. That's great. I will try it out soon. Should it be safe to use the "Modern" setting on CentOS 7 servers also, or would it need to be CentOS 8 for that setting?

As it prefers TLSv1.3 on modern set, it’d need to be a system with OpenSSL 1.1 (CentOS8, Debian9/10).
 
Is this customizable without getting overwritten? Currently this cipher suite set w/ litespeed does not support IE11 in Win7 or Win8 and we would like to make a couple changes to address that.
 
Yes, you may use the official way of customizing configuration files (place them in custom/ap2/conf/extra), or just use the "old" configuration there instead of "intermediate".
 
Hi smtalk,
I just noticed this feature and did the following:
- Deleted my custom httpd-ssl.conf from the conf/extra folder.
- Ran the following command
Code:
cd /usr/local/directadmin/custombuild
./build update
./build rewrite_confs

After this it still uses TLS 1.1 and TLS 1.2 even though it's on Intermediate (which only uses TLS 1.2 and TLS 1.3 if I'm correct?)
Any idea what I could be doing wrong?
 