Disable TLS 1.1 as default

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,469
Please consider this feature request: please disable TLS 1.1 by default in DirectAdmin before the end of the year.

The argument is that all major browsers will disable TLS 1.1 support at the beginning of 2020. Here are the deadlines (the browsers will disable TLS 1.0 and TLS 1.1 by those dates):

Code:
Browser Name		Date
Microsoft IE and Edge	First half of 2020
Mozilla Firefox		March 2020
Safari/Webkit		March 2020
Google Chrome		January 2020
Here is a quote from last year's blog post at SSL Labs: https://blog.qualys.com/ssllabs/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols

TLS 1.0 and TLS 1.1 protocols will be removed from browsers at the beginning of 2020. As there are no fixes or patches that can adequately fix SSL or deprecated TLS, it is critically important that organizations upgrade to a secure alternative as soon as possible.
Also, if your customers use the SSL Server Test at https://www.ssllabs.com/ssltest/ - the grade of your server will be capped to B from January 2020 if you still support TLS 1.1
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,469
Yes, that is what I mean. However, maybe not email; I would have to study the implications for older email clients and how many are still using them.
 

myH2Oservers

Verified User
Joined
Mar 13, 2006
Messages
235
Location
Netherlands
It is so difficult to explain if hundreds of customers cannot use their email anymore because we suddenly disable TLS 1.1 and their OS or application does not support TLS 1.2 yet ;-)
Sometimes you have to find the middle road between security and usability, despite what organizations *advise* us to do.
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
8,937
Hi guys,

We're definitely working on this at the moment.
We're probably going to add an options.conf setting for this (apache/nginx), but possibly leaving email alone for the moment.
The new default will drop TLSv1.1 and older, but the option would allow you to set it to "old" so you'd still be able to use it if you need to drop it back down again.
Of course, it will also allow for easy customizing without overwrites (still deciding on the exact means to do this, but we're close)

Once done, it should be as simple as a build update and rewrite_confs.

John
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
651
Location
Netherlands Germany
Hi guys,

We're definitely working on this at the moment.
We're probably going to add an options.conf setting for this (apache/nginx), but possibly leaving email alone for the moment.
The new default will drop TLSv1.1 and older, but the option would allow you to set it to "old" so you'd still be able to use it if you need to drop it back down again.
Of course, it will also allow for easy customizing without overwrites (still deciding on the exact means to do this, but we're close)

Once done, it should be as simple as a build update and rewrite_confs.

John
Thanks

Hello John, take care of CentOS 8 also, with its new system-wide crypto policies in combination with DA.

In my experience it is better to explain to customers, set an end date for them and go for it, since those customers that don't bother updating their systems are mostly the bad ones and give headaches (they have breaches, viruses, spamming and phishing problems, and worse, blame you if something goes wrong!) :mad:

They have to be taught and managed to go for better updates and security (if not, they are a danger to the web).
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,902
Location
GMT +7.00
@John,

So I guess it will be either a new token in the web server templates, or a string replacement done by CustomBuild. A token would be more accurate and preferable, I'd say.
 

zEitEr

Super Moderator
Joined
Apr 11, 2005
Messages
13,902
Location
GMT +7.00
OK, you can see the following files with the content:

- /etc/httpd/conf/extra/httpd-ssl-protocol.modern.conf

Code:
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder     off
SSLSessionTickets       off

- /etc/httpd/conf/extra/httpd-ssl-protocol.intermediate.conf

Code:
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off

- /etc/httpd/conf/extra/httpd-ssl-protocol.old.conf

Code:
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder On
So it's almost there already. I don't find these files included from anywhere else yet.

Code:
[root@server etc]# grep httpd-ssl-protocol -R /etc/httpd/conf/ /usr/local/directadmin/data/templates/
[root@server etc]#
So it will be the next step I believe.
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,347
Location
LT, EU
ssl_configuration=modern/intermediate/old should be set in the options.conf in newest versions of CB 2.0.
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,469
ssl_configuration=modern/intermediate/old should be set in the options.conf in newest versions of CB 2.0.
Do these settings only apply to Apache? Would it be possible to post a description of the details of each setting?
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,347
Location
LT, EU
Do these settings only apply to Apache? Would it be possible to post a description of the details of each setting?
As mentioned in "opt_help" (CB documentation), the list is generated from https://ssl-config.mozilla.org. No, they don't only apply to apache. They're also applied to OpenLiteSpeed, LiteSpeed, Nginx, ProFTPd and Pure-FTPd. The list might be extended in the future.
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,469
Thank you for the information. That's great. I will try it out soon. Should it be safe to use the "Modern" setting on CentOS 7 servers also, or would it need to be CentOS 8 for that setting?
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,347
Location
LT, EU
Thank you for the information. That's great. I will try it out soon. Should it be safe to use the "Modern" setting on CentOS 7 servers also, or would it need to be CentOS 8 for that setting?
As it prefers TLSv1.3 on the modern set, it'd need to be a system with OpenSSL 1.1 (CentOS 8, Debian 9/10).
 

hrtech

New member
Joined
Nov 18, 2019
Messages
1
Is this customizable without getting overwritten? Currently this cipher suite set w/ litespeed does not support IE11 in Win7 or Win8 and we would like to make a couple changes to address that.
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,347
Location
LT, EU
Yes, you may use the official way of customizing configuration files (place them in custom/ap2/conf/extra), or just use the "old" configuration there instead of "intermediate".
 

BodisHS

Verified User
Joined
Jan 30, 2017
Messages
8
Hi smtalk,
I just noticed this feature and did the following:
- Deleted my custom httpd-ssl.conf from the conf/extra folder.
- Ran the following command
Code:
cd /usr/local/directadmin/custombuild
./build update
./build rewrite_confs
After this it still uses TLS 1.1 and TLS 1.2 even though it's on Intermediate (which only uses TLS 1.2 and TLS 1.3, if I'm correct?)
Any idea what I could be doing wrong?
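Two points in the posts above, as an added example that is not part of the thread, of DirectAdmin or of CustomBuild: smtalk's note that the "modern" profile needs an OpenSSL 1.1-era build, and the report that TLS 1.1 still seems to be offered after rewrite_confs. The script resolves an Apache SSLProtocol argument list the way mod_ssl does ("all", "+name", "-name", case-insensitive) against what a given OpenSSL release can negotiate, which makes it visible that "modern" leaves no protocol at all on OpenSSL 1.0.2 (CentOS 7) and only TLSv1.3 on 1.1.1, and that TLS 1.3 needs 1.1.1 rather than 1.1.0. It also includes a probe that pins a client handshake to each TLS version against a live host so the running server, not the file on disk, is what gets checked. The three profile directives are copied from the conf files posted earlier in the thread; the OpenSSL version strings are constructed inputs, and the function names (profile_report, probe_tls and so on) are this example's own.

```python
"""Resolve Apache SSLProtocol directives against an OpenSSL release, and probe a
live server per TLS version.  Added example for this thread; not DirectAdmin code."""
import re
import socket
import ssl

# Every protocol name Apache 2.4 accepts in SSLProtocol, oldest first.
ALL_NAMES = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def openssl_supports(openssl_version):
    """Protocols an OpenSSL release can negotiate, judged by version number only
    (distro builds may also compile SSLv3 out or raise the default security level)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", openssl_version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % openssl_version)
    ver = tuple(int(x) for x in m.groups())
    supported = {"SSLv3", "TLSv1"}          # SSLv2 is absent from every build that matters
    if ver >= (1, 0, 1):
        supported |= {"TLSv1.1", "TLSv1.2"}
    if ver >= (1, 1, 1):                    # TLS 1.3 arrived in OpenSSL 1.1.1, not 1.1.0
        supported.add("TLSv1.3")
    return supported


def effective_protocols(directive, openssl_version):
    """Apply the SSLProtocol tokens left to right as mod_ssl does: 'all' adds everything
    the library supports, '+X' or bare 'X' adds X, '-X' removes X (names case-insensitive)."""
    supported = openssl_supports(openssl_version)
    by_lower = {n.lower(): n for n in ALL_NAMES}
    enabled = set()
    for tok in directive.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        if name.lower() == "all":
            chosen = supported
        elif name.lower() in by_lower:
            chosen = {by_lower[name.lower()]} & supported   # unsupported name is a no-op
        else:
            raise ValueError("unknown SSLProtocol token: %r" % tok)
        enabled = enabled | chosen if op == "+" else enabled - chosen
    return enabled


def ssl_protocol_from_conf(conf_text):
    """Return the argument list of the last SSLProtocol directive in an Apache conf
    fragment, ignoring '#' comments (a later directive overrides an earlier one)."""
    arg = None
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "sslprotocol":
            arg = parts[1]
    if arg is None:
        raise ValueError("no SSLProtocol directive found")
    return arg


# The three CustomBuild profiles quoted in the thread (SSLCipherSuite lines omitted:
# they do not change which protocol versions are offered).
PROFILES = {
    "modern": "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2\nSSLSessionTickets off\n",
    "intermediate": "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\nSSLHonorCipherOrder off\n",
    "old": "SSLProtocol All -SSLv2 -SSLv3 -TLSv1\nSSLHonorCipherOrder On\n",
}


def profile_report(openssl_version):
    """profile name -> protocols it leaves enabled on that OpenSSL, oldest first.
    An empty list means mod_ssl would have nothing left to speak at all."""
    return {name: sorted(effective_protocols(ssl_protocol_from_conf(text), openssl_version),
                         key=ALL_NAMES.index)
            for name, text in PROFILES.items()}


def probe_tls(host, port=443, timeout=5):
    """Pin a client handshake to each TLS version and report which ones the server
    accepted.  Certificate checks are off on purpose: this tests protocol support, not
    trust.  Caveat: a client OpenSSL at security level 2 or above refuses TLS 1.0/1.1 by
    itself, so a False there only means something if the TLSv1.2 probe came back True."""
    versions = (("TLSv1", ssl.TLSVersion.TLSv1), ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
                ("TLSv1.2", ssl.TLSVersion.TLSv1_2), ("TLSv1.3", ssl.TLSVersion.TLSv1_3))
    results = {}
    for name, ver in versions:
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (ssl.SSLError, OSError, ValueError):   # ValueError: version unknown to this client
            results[name] = False
    return results


if __name__ == "__main__":
    for openssl in ("1.0.2k", "1.1.1c"):   # constructed: a CentOS 7 build vs a CentOS 8 one
        print(openssl, profile_report(openssl))
    # Constructed host name; run this against the real server after rewrite_confs and a restart.
    print(probe_tls("www.example.com"))
```

If TLSv1.1 still comes back True under the intermediate profile, the directive that reached the running server is not the profile's: mod_ssl applies the last SSLProtocol it sees in a given scope, so a leftover custom httpd-ssl.conf, a vhost-level directive or a stale process that was never restarted can all keep the old setting alive. On recent Apache 2.4 releases, `httpd -t -D DUMP_INCLUDES` lists every file the running configuration actually includes, which is the quickest way to see whether the profile file is wired in at all.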