Disable TLS 1.1 as default

smtalk · Nov 29, 2019

It doesn't remove custom httpd-ssl.conf, if it's setup in /usr/local/directadmin/custombuild/custom/ap2/conf/extra/ (official method).

Regarding TLS v1.1 - maybe /usr/local/directadmin/custombuild/custom/ap2/conf/ is the reason, if there is something inside?

BodisHS · Nov 29, 2019

smtalk said:
It doesn't remove custom httpd-ssl.conf, if it's setup in /usr/local/directadmin/custombuild/custom/ap2/conf/extra/ (official method).

Regarding TLS v1.1 - maybe /usr/local/directadmin/custombuild/custom/ap2/conf/ is the reason, if there is something inside?

I removed "httpd-ssl.conf" from that folder. There is nothing else in that folder.
Any idea how i renew the config, so it will pick up your intermediate setting? I'm running nginx_apache, if that helps

smtalk · Nov 29, 2019

What's the output of:

Code:

grep 'SSLProtocol' /etc/httpd/conf/extra/httpd-ssl.conf

BodisHS · Dec 5, 2019

smtalk said:
What's the output of:

Code:

grep 'SSLProtocol' /etc/httpd/conf/extra/httpd-ssl.conf

Sorry for the late response.
The output is: SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

Update: Now it only providing TLS1.2. Might have been cache, but it's working now. Thankyou

Next step will be TLS 1.3, but will have to migrate to CentOS 8 for the newer OpenSSL 1.1.1

smtalk · Feb 8, 2020

ditto said:
Does these settings only apply to Apache? Would it be possible to post a description of the details of each setting?

Dovecot/Exim have been added to the list in CB 2.0 rev. 2404: https://forum.directadmin.com/threads/changelog.60248/#post-308542

ditto · Feb 8, 2020

@smtalk, Thank you. But I am not sure if we are ready to disable TLS 1.1 for email on our shared hosting servers just yet. We are currently using

Code:

ssl_configuration=intermediate

Would it be possible for you do add a new option in options.conf like this?:

Code:

ssl_email_configuration=old/intermediate/modern

So that we would have one configuration for exim/dovecot (ssl_email_configuration), and another for apache and everything else (ssl_configuration). With a new option like that, it would be possible for ourself to decide when the time is right to disable TLS 1.1 in email.

smtalk · Feb 8, 2020

ditto said:
@smtalk, Thank you. But I am not sure if we are ready to disable TLS 1.1 for email on our shared hosting servers just yet. We are currently using

Code:

ssl_configuration=intermediate

Would it be possible for you do add a new option in options.conf like this?:

Code:

ssl_email_configuration=old/intermediate/modern

So that we would have one configuration for exim/dovecot (ssl_email_configuration), and another for apache and everything else (ssl_configuration). With a new option like that, it would be possible for ourself to decide when the time is right to disable TLS 1.1 in email.

As TLSv1.1 is going to be EOL soon, I'd suggest using /usr/local/directadmin/custombuild/custom/dovecot/conf/ssl.conf and /etc/exim.variables.conf.custom for any overrides.

wba · Feb 12, 2020

How would we re-enable TLS 1.1 in /etc/exim.variables.conf.custom currently to many customer failing when trying to send email.
Thank you

zEitEr · Feb 12, 2020

See https://forum.directadmin.com/threa...-older-for-exim-and-dovecot.60422/post-309420

Disable TLS 1.1 as default

smtalk

Administrator

BodisHS

Verified User

smtalk

Administrator

BodisHS

Verified User

smtalk

Administrator

ditto

Verified User

smtalk

Administrator

wba

Verified User

zEitEr

Super Moderator