Disable TLS 1.1 as default

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,888
Location
LT, EU
It doesn't remove custom httpd-ssl.conf, if it's set up in /usr/local/directadmin/custombuild/custom/ap2/conf/extra/ (official method).

Regarding TLS v1.1 - maybe /usr/local/directadmin/custombuild/custom/ap2/conf/ is the reason, if there is something inside? :)
 

BodisHS

Verified User
Joined
Jan 30, 2017
Messages
9
I removed "httpd-ssl.conf" from that folder. There is nothing else in that folder.
Any idea how I renew the config, so it will pick up your intermediate setting? I'm running nginx_apache, if that helps.
 

smtalk

What's the output of:
Code:
grep 'SSLProtocol' /etc/httpd/conf/extra/httpd-ssl.conf
 

BodisHS

Sorry for the late response.
The output is: SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

Update: Now it is only providing TLS 1.2. Might have been cache, but it's working now. Thank you.

Next step will be TLS 1.3, but will have to migrate to CentOS 8 for the newer OpenSSL 1.1.1
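
The `SSLProtocol` line reported above, evaluated token by token to show which protocols it leaves enabled. This is an added example, not part of the thread and not DirectAdmin or Apache code; it assumes an OpenSSL 1.0.x build where `all` means SSLv3 through TLSv1.2 and that a bare token replaces the set as in recent mod_ssl, and the function names are hypothetical.

```shell
# Added example. Assumption: mod_ssl is built against OpenSSL 1.0.x, so "all"
# expands to the four protocols below (no TLSv1.3). Names are matched
# case-sensitively here and names outside this list are ignored.
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# Print the protocols left enabled by one SSLProtocol line. Tokens apply left
# to right: "+X" adds, "-X" removes, a bare "X" replaces the whole set.
effective_protocols() {
    enabled=""
    set -f                                  # no globbing while splitting
    for tok in $1; do
        case "$tok" in
            SSLProtocol) continue ;;
            +*) action=add; name=${tok#+} ;;
            -*) action=del; name=${tok#-} ;;
            *)  action=set; name=$tok ;;
        esac
        [ "$name" = all ] && name="$ALL_PROTOCOLS"
        [ "$action" = set ] && enabled=""
        for p in $name; do
            next=""                         # drop p, then re-add unless "-"
            for e in $enabled; do
                [ "$e" = "$p" ] || next="$next $e"
            done
            [ "$action" = del ] || next="$next $p"
            enabled=$next
        done
    done
    set +f
    out=""                                  # emit in a fixed order
    for p in $ALL_PROTOCOLS; do
        case " $enabled " in *" $p "*) out="$out $p" ;; esac
    done
    echo "${out# }"
}

# Succeed only when nothing older than TLSv1.2 is still enabled.
tls12_only() {
    for p in $(effective_protocols "$1"); do
        case "$p" in SSLv3|TLSv1|TLSv1.1) return 1 ;; esac
    done
    return 0
}

# First line is the grep output from the thread; the second is constructed.
for line in "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1" "SSLProtocol all -SSLv3"; do
    tls12_only "$line" && verdict="TLS 1.2 only" || verdict="legacy protocol enabled"
    echo "$line => $(effective_protocols "$line") ($verdict)"
done
```

This only evaluates the directive text; a client-side handshake test against the running server is still needed to confirm what is actually offered after a restart.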
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,555
@smtalk, Thank you. But I am not sure if we are ready to disable TLS 1.1 for email on our shared hosting servers just yet. We are currently using
Code:
ssl_configuration=intermediate
Would it be possible for you to add a new option in options.conf like this?:
Code:
ssl_email_configuration=old/intermediate/modern
So that we would have one configuration for exim/dovecot (ssl_email_configuration), and another for apache and everything else (ssl_configuration). With a new option like that, it would be possible for ourselves to decide when the time is right to disable TLS 1.1 in email.
 

smtalk

As TLSv1.1 is going to be EOL soon, I'd suggest using /usr/local/directadmin/custombuild/custom/dovecot/conf/ssl.conf and /etc/exim.variables.conf.custom for any overrides.
 

wba

Verified User
Joined
Nov 12, 2008
Messages
10
How would we re-enable TLS 1.1 in /etc/exim.variables.conf.custom? Currently too many customers are failing when trying to send email.
Thank you
 