Closed
Opened Oct 23, 2020 by Super@User

Remove SSLCipherSuite from vhost config: HTTP/1 regression (#4091) and HTTP/2 issue

While re-hardening the server after upgrading to ISPConfig 3.2, it became apparent that Apache's ciphers are ignored. I found that SSLCipherSuite is being set again for each individual vhost (/etc/apache2/sites-available/example.com.vhost), contrary to issue #4091 (closed).

server/conf/vhost.conf.master

Sample from 3.1.15p2:

40: <tmpl_if name='ssl_enabled'>
41: 	<tmpl_if name='enable_http2' op='==' value='y'>
42: 		Protocols h2 http/1.1
43: 		SSLProtocol All -SSLv2 -SSLv3
44: 		SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'
45: 	</tmpl_if>
46: </tmpl_if>

In 3.2b1 this changed to, and remains:

52: <tmpl_if name='ssl_enabled'>
53: 	<IfModule mod_http2.c>
54: 		Protocols h2 http/1.1
55: 	</IfModule>
56: 	SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
57: 	SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'
58: </tmpl_if>

Regression: As the SSL directives are no longer within the HTTP/2 test section they now apply to all protocols.

Issue: The section being there also recreates exactly the same issue as #4091 (closed) but for HTTP/2 connections.

Note: This does not seem to apply to NginX, the directives are commented out in server/conf/nginx_vhost.conf.master.

Solution

Remove the entire section above.

In my opinion the SSLProtocol directive (and the SSLHonorCipherOrder directive) should also be controlled globally by Apache, but even so, they are not needed here as they are applied later in the template to the HTTP/1 and HTTP/2 protocols from line 80.

Workaround

Edit /usr/local/ispconfig/server/conf/vhost.conf.master and comment out the above section.

From within ISPConfig go to Tools > Resync > Select Websites > Start
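An added audit script (not part of this issue or of ISPConfig) that checks generated vhost files for the per-site SSLProtocol/SSLCipherSuite/SSLHonorCipherOrder directives described above and applies the same comment-out workaround to a file's text; the SAMPLE_VHOST input is constructed, not real ISPConfig output.

```python
"""Audit Apache vhost text for per-site TLS directives that shadow the global config."""
import re

# Directives the report says belong in the global Apache config, not per vhost.
TLS_DIRECTIVES = {"sslciphersuite", "sslprotocol", "sslhonorcipherorder"}
OPEN_TAG = re.compile(r"^<(\w+)\b[^>]*>$")
CLOSE_TAG = re.compile(r"^</(\w+)>$")

# Constructed sample of a generated vhost file (not real ISPConfig output).
SAMPLE_VHOST = """\
<VirtualHost *:443>
    ServerName example.com
    <IfModule mod_http2.c>
        Protocols h2 http/1.1
    </IfModule>
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM !aNULL !eNULL'
    SSLEngine on
</VirtualHost>
"""

def find_tls_overrides(config_text):
    """Return (line_no, directive, context) for each TLS directive found; context is
    the chain of enclosing containers ('VirtualHost/IfModule') or '(global)'."""
    found, stack = [], []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or already commented out
        if m := CLOSE_TAG.match(line):
            if stack and stack[-1].lower() == m.group(1).lower():
                stack.pop()
            continue
        if m := OPEN_TAG.match(line):
            stack.append(m.group(1))      # <VirtualHost>, <IfModule>, <tmpl_if>
            continue
        directive = line.split(None, 1)[0]
        if directive.lower() in TLS_DIRECTIVES:   # Apache directive names are case-insensitive
            found.append((line_no, directive, "/".join(stack) or "(global)"))
    return found

def comment_out_vhost_overrides(config_text):
    """Workaround from the report: comment out TLS directives inside a VirtualHost."""
    lines = config_text.splitlines()
    for line_no, _, context in find_tls_overrides(config_text):
        if "VirtualHost" in context:
            lines[line_no - 1] = "# " + lines[line_no - 1]
    return "\n".join(lines) + "\n"
```

Run find_tls_overrides over the text of each /etc/apache2/sites-available/*.vhost file to see which sites still carry their own TLS settings; the same parser also accepts vhost.conf.master, where the <tmpl_if> tags show up in the context.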

Environment

Server OS: Ubuntu 20.04.1
ISPConfig version: 3.2

References

#4091 (closed)

Edited Oct 23, 2020 by Marius Burkard
Milestone: 3.2.1
Reference: ispconfig/ispconfig3#5853