Disable TLS 1.1 as default

D

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,354
Please consider this feature request: Please disable TLS 1.1 as default in DirectAdmin before the end of the year.

The argument is that all major browsers will disable TLS 1.1 support at the beginning of 2020, here is the deadlines (the browsers will disasble TLS 1.0 and TLS 1.1 by those dates):

Code: 
Browser Name		Date
Microsoft IE and Edge	First half of 2020
Mozilla Firefox		March 2020
Safari/Webkit		March 2020
Google Chrome		January 2020

Here is a quote form last year blog post at SSLlabs: https://blog.qualys.com/ssllabs/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols

TLS 1.0 and TLS 1.1 protocols will be removed from browsers at the beginning of 2020. As there are no fixes or patches that can adequately fix SSL or deprecated TLS, it is critically important that organizations upgrade to a secure alternative as soon as possible.
Click to expand...

Also, if your customers use the SSL Server Test at https://www.ssllabs.com/ssltest/ - the grade of your server will be capped to B from January 2020 if you still support TLS 1.1
 
Yes, that is what I mean. However maybe not email, I would have to study the implications on older email clients and how many that is still using them.
 
Last edited:
ikkeben said:
Not only that security advisery instances advised months / years before against still using these versions

Netherlands
https://english.ncsc.nl/publication...y-guidelines-for-transport-layer-security-tls

https://www.bsi.bund.de/SharedDocs/...ns/TechGuidelines/TG02102/BSI-TR-02102-2.html

Germany.
https://www.bsi.bund.de/SharedDocs/...LS_Version_2_0.pdf?__blob=publicationFile&v=2

USA NIST guidelines has also some documents
https://csrc.nist.gov/News/2019/nist-publishes-sp-800-52-revision-2
Click to expand...

It is so difficult to explain if hundreds of customers cannot use their email anymore because we suddenly disable TLS 1.1 and their OS or application does not support TLS 1.2 yet ;-)
Sometimes you have to find the middle road between security and usability, despite of what organizations *advice* us to do.
 
Hi guys,

We're definitely working on this at the moment.
We're probably going to add an options.conf setting for this (apache/nginx), but possibly leaving email alone for the moment.
The new default will drop TLSv1.1 an older, but the option would allow you to set it to "old" so you'd still be able to use it if you need to drop it back down again.
Of course, it will also allow for easy customizing without overwrites (still deciding on the exact means to do this, but we're close)

Once done, it should be as simple as a build update and rewrite_confs.

John
 
DirectAdmin Support said:
Hi guys,

We're definitely working on this at the moment.
We're probably going to add an options.conf setting for this (apache/nginx), but possibly leaving email alone for the moment.
The new default will drop TLSv1.1 an older, but the option would allow you to set it to "old" so you'd still be able to use it if you need to drop it back down again.
Of course, it will also allow for easy customizing without overwrites (still deciding on the exact means to do this, but we're close)

Once done, it should be as simple as a build update and rewrite_confs.

John
Click to expand...
THANKS

Hello John take care of the centos8 also while new
Systemwide crypto policies
Click to expand...
in combination with DA.

In my experience it is better to explain custommers , set a end date for them and go for it , while those custommers that don't mind updating their systems are mostly the bad ones, and giving headache ( they have breaches, virus, spamming, phising problems and worse blaming you if something goes wrong! ) :mad:

They have to be teached and managed to go for better updates and security. ( also if not they are a danger for the WEB)
 
Last edited:
@John,

So I guess it will be either a new token in web-servers templates, or a string replacement done by custombuild. A token would be more accurate and preferable I'd rather say.
 
OK, you can see the following files with the content:

- /etc/httpd/conf/extra/httpd-ssl-protocol.modern.conf

Code: 
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder     off
SSLSessionTickets       off


- /etc/httpd/conf/extra/httpd-ssl-protocol.intermediate.conf

Code: 
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off


- /etc/httpd/conf/extra/httpd-ssl-protocol.old.conf

Code: 
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder On

So it's almost there already. I don't find files included anywhere else yet.

Code: 
[root@server etc]# grep httpd-ssl-protocol -R /etc/httpd/conf/ /usr/local/directadmin/data/templates/
[root@server etc]#

So it will be the next step I believe.
 
ssl_configuration=modern/intermediate/old should be set in the options.conf in newest versions of CB 2.0.
 
smtalk said:
ssl_configuration=modern/intermediate/old should be set in the options.conf in newest versions of CB 2.0.
Click to expand...

Does these settings only apply to Apache? Would it be possible to post a description of the details of each setting?
 
ditto said:
Does these settings only apply to Apache? Would it be possible to post a description of the details of each setting?
Click to expand...

As mentioned in "opt_help" (CB documentation), the list is generated from https://ssl-config.mozilla.org. No, they don't only apply to apache. They're also applied to OpenLiteSpeed, LiteSpeed, Nginx, ProFTPd and Pure-FTPd. The list might be extended in the future.
 
Thank you for the information. Thats great. I will try it out soon. Should it be safe use "Modern" setting CentOS 7 servers also, or would it need to be CentOS 8 for that setting?
 
ditto said:
Thank you for the information. Thats great. I will try it out soon. Should it be safe use "Modern" setting CentOS 7 servers also, or would it need to be CentOS 8 for that setting?
Click to expand...

As it prefers TLSv1.3 on modern set, it’d need to be a system with OpenSSL 1.1 (CentOS8, Debian9/10).
 
Is this customizable without getting overwritten? Currently this cipher suite set w/ litespeed does not support IE11 in Win7 or Win8 and we would like to make a couple changes to address that.
 
Yes, you may use the official way of customizing configuration files (place them to custom/ap2/conf/extra), or just use "old" configuration there instead of "itermediate".
 
Hi smtalk,
I just noticed this feature and did the following:
- Deleted my custom httpd-ssl.conf from the conf/extra folder.
- Ran the following command
Code: 
cd /usr/local/directadmin/custombuild
./build update
./build rewrite_confs

After this it still uses tls 1.1 and tls1.2 even though it's on Intermediate (which only uses tls1.2 and tls1.3 if i'm correct?)
Any idea what i could be doing wrong?
 
Last edited:
You must log in or register to reply here.
Back
Top