Clean up SSL-config at least for apache2 to disable TLS1.0 and make use of recommended settings
What's wrong?
Using ISPConfig with Apache and Let's Encrypt leads to a situation where one seems to have no chance to disable TLSv1.0. There is a setting in httpd.conf, maybe in httpd.conf.d, in the vhosts file, and in /etc/letsencrypt/options-ssl-apache.conf. Some of them are rewritten if you change settings of the specific vhost, some are not. The settings in /etc/letsencrypt/options-ssl-apache.conf seem to overwrite some settings. Some settings seem to be overwritten when the ISPConfig cronjobs run, but it is not exactly clear which of those files are affected.
correct behaviour
Maybe it might be considered to clean up this mess ;-) Considerations:
- make use of the settings from https://cipherli.st/ and put them into the template-files for apache2/nginx/lighttpd
- create a graphical representation of how and when which setting wins, especially for apache2
- remove duplicates of settings or try to find out who wins
- add option to set this stuff at a central place to be used for all vhosts (either as a text file or as a setting in the GUI)
environment
Server OS: Ubuntu, but independent
Server OS version: independent
Webserver: Apache/2.4.18
ISPConfig version: 3.1.13p1
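
Added example, not part of the original report and not ISPConfig code: a small audit that lists every SSLProtocol line, across the kinds of files named above, that still leaves TLSv1.0 enabled. It does not decide which file wins; the file contents and the vhost path are constructed for illustration, and the expansion of "all" is assumed to follow the mod_ssl documentation for OpenSSL 1.0.1 and later.

```python
import re

# Protocols covered by the "all" shortcut (mod_ssl docs, OpenSSL 1.0.1+).
ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)

def enabled_protocols(args):
    """Evaluate SSLProtocol arguments left to right, as mod_ssl does:
    '+x' adds, '-x' removes, a bare name replaces everything set so far."""
    enabled = set()
    for token in args.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        group = ALL if name.lower() == "all" else {name.lower()}
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            enabled = set(group)
    return enabled

def find_tls10(configs):
    """configs maps file name -> file content. Returns (file, line number,
    arguments) for every SSLProtocol line that leaves TLSv1.0 enabled."""
    hits = []
    for name, text in configs.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = DIRECTIVE.match(line)  # commented-out lines do not match
            if m and "tlsv1" in enabled_protocols(m.group(1)):
                hits.append((name, lineno, m.group(1)))
    return hits

# Constructed sample contents; the vhost path is hypothetical.
SAMPLE = {
    "/etc/letsencrypt/options-ssl-apache.conf":
        "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n",
    "/etc/apache2/sites-enabled/example.vhost":
        "<VirtualHost *:443>\n  # SSLProtocol all\n"
        "  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n</VirtualHost>\n",
}

if __name__ == "__main__":
    for name, lineno, args in find_tls10(SAMPLE):
        print(f"{name}:{lineno}: SSLProtocol {args} -> TLSv1.0 still enabled")
```

On a real server, fill the dictionary by reading the Apache and Let's Encrypt configuration files instead of SAMPLE.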