Remove SSLCipherSuite from vhost config: HTTP/1 regression (#4091) and HTTP/2 issue
While re-hardening the server after upgrading to ISPConfig 3.2, it became apparent that Apache's ciphers are ignored. I found that SSLCipherSuite is being set again for each individual vhost (/etc/apache2/sites-available/example.com.vhost), contrary to issue #4091 (closed).
Sample from 3.1.15p2 (vhost.conf.master):

```apache
<tmpl_if name='ssl_enabled'>
    <tmpl_if name='enable_http2' op='==' value='y'>
        Protocols h2 http/1.1
        SSLProtocol All -SSLv2 -SSLv3
        SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'
    </tmpl_if>
</tmpl_if>
```
In 3.2b1 this changed to the following, and it remains so in 3.2:

```apache
<tmpl_if name='ssl_enabled'>
    <IfModule mod_http2.c>
        Protocols h2 http/1.1
    </IfModule>
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'
</tmpl_if>
```
Regression: as the SSL directives are no longer inside the HTTP/2 conditional, they now apply to every vhost regardless of protocol, not only to HTTP/2 sites.
Issue: the section being there at all recreates exactly the same problem as #4091 (closed), but now for HTTP/2 connections: the per-vhost SSLCipherSuite silently overrides whatever cipher policy is configured globally in Apache.
Note: this does not seem to apply to Nginx; the directives are commented out in
Remove the entire section above.
In my opinion the SSLProtocol directive (and the SSLHonorCipherOrder directive) should also be controlled globally by Apache, but even so they are not needed here, as they are applied later in the template to the HTTP/1 and HTTP/2 protocols from line 80.
Workaround: edit /usr/local/ispconfig/server/conf/vhost.conf.master and comment out the section above (a copy of the template placed in /usr/local/ispconfig/server/conf-custom/ takes precedence over the one in conf/ and survives ISPConfig updates).
Then, from within ISPConfig, go to Tools > Resync > Select Websites > Start so that every vhost file is re-rendered from the changed template.
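The resync only helps if the override really disappeared from the rendered files, so a quick audit is worth running afterwards. The script below is an added example, not ISPConfig code: it scans vhost files for active (non-commented) SSLCipherSuite, SSLProtocol and SSLHonorCipherOrder directives, since any one of them inside a `<VirtualHost>` shadows the global Apache setting for that site. The sample vhosts it creates are constructed for the demonstration (hypothetical domains, a trimmed cipher string); in production pass the real `/etc/apache2/sites-available/*.vhost` paths as arguments.

```shell
#!/bin/sh
# Added example, not part of ISPConfig: audit rendered Apache vhost files for per-vhost
# SSL directives that override the global Apache TLS configuration.
# Usage: sh audit_vhost_ssl.sh /etc/apache2/sites-available/*.vhost
# Without arguments it runs against constructed sample files.

# Directives whose presence inside a vhost shadows the global Apache setting.
SSL_DIRECTIVES='SSLCipherSuite|SSLProtocol|SSLHonorCipherOrder'

# Print "file:line:directive" for every active SSL directive in the given files.
# Leading whitespace is allowed; lines that start with '#' are comments and are skipped.
list_vhost_ssl_overrides() {
    for f in "$@"; do
        grep -nE "^[[:space:]]*($SSL_DIRECTIVES)[[:space:]]" "$f" 2>/dev/null | sed "s|^|$f:|"
    done
}

# Number of overriding directives across the given files; 0 means the vhosts are clean.
count_vhost_ssl_overrides() {
    list_vhost_ssl_overrides "$@" | wc -l | tr -d ' '
}

# Exit 0 when no per-vhost override remains, 1 otherwise (usable from cron or CI).
audit_vhost_ssl() {
    n=$(count_vhost_ssl_overrides "$@")
    if [ "$n" -eq 0 ]; then
        echo "OK: no per-vhost SSL overrides in $# file(s)"
        return 0
    fi
    echo "FAIL: $n per-vhost SSL directive(s) override the global Apache settings:"
    list_vhost_ssl_overrides "$@"
    return 1
}

# Constructed sample vhosts (hypothetical domains) so the script runs offline.
# Prints the directory that holds them.
make_sample_vhosts() {
    dir=$(mktemp -d)
    # Shape of a vhost rendered from the 3.2 template quoted in this issue: overrides present.
    cat > "$dir/example.com.vhost" <<'EOF'
<VirtualHost *:443>
    ServerName example.com
    <IfModule mod_http2.c>
        Protocols h2 http/1.1
    </IfModule>
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM !aNULL !eNULL !LOW !3DES !MD5 !EXP'
    # SSLHonorCipherOrder On   (commented out, must not be reported)
</VirtualHost>
EOF
    # Shape of a vhost rendered after commenting the section out of the template: clean.
    cat > "$dir/clean.example.org.vhost" <<'EOF'
<VirtualHost *:443>
    ServerName clean.example.org
    <IfModule mod_http2.c>
        Protocols h2 http/1.1
    </IfModule>
    #SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    #SSLCipherSuite 'EECDH+ECDSA+AESGCM !aNULL'
</VirtualHost>
EOF
    echo "$dir"
}

if [ "$#" -gt 0 ]; then
    audit_vhost_ssl "$@"
else
    d=$(make_sample_vhosts)
    # The sample example.com.vhost still carries overrides, so this is expected to FAIL.
    audit_vhost_ssl "$d"/*.vhost || echo "(expected: the sample example.com.vhost is not clean)"
    rm -rf "$d"
fi
```

Running it after the resync against the real vhost files should print the OK line; any FAIL output lists exactly which file and line still sets its own cipher policy, which is also the quickest way to confirm whether a template edit was actually picked up.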
Server OS: Ubuntu 20.04.1
ISPConfig version: 3.2