Remove SSLCipherSuite from vhost config: HTTP/1 regression (#4091) and HTTP/2 issue
While re-hardening the server after upgrading to ISPConfig 3.2 it became apparent that Apache's ciphers are ignored. I found that SSLCipherSuite is being set again for each individual vhost (/etc/apache2/sites-available/example.com.vhost), contrary to issue #4091 (closed).
server/conf/vhost.conf.master
Sample from 3.1.15p2:
40: <tmpl_if name='ssl_enabled'>
41: <tmpl_if name='enable_http2' op='==' value='y'>
42: Protocols h2 http/1.1
43: SSLProtocol All -SSLv2 -SSLv3
44: SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'
45: </tmpl_if>
46: </tmpl_if>
In 3.2b1 this changed to, and remains:
52: <tmpl_if name='ssl_enabled'>
53: <IfModule mod_http2.c>
54: Protocols h2 http/1.1
55: </IfModule>
56: SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
57: SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS'
58: </tmpl_if>
Regression: As the SSL directives are no longer within the HTTP/2 test section they now apply to all protocols.
Issue: The section being there also recreates exactly the same issue as #4091 (closed) but for HTTP/2 connections.
Note: This does not seem to apply to NginX; the directives are commented out in server/conf/nginx_vhost.conf.master.
Solution
Remove the entire section above.
In my opinion the SSLProtocol directive (and SSLHonorCipherOrder directive) should also be controlled globally by Apache, but even so, they are not needed here as they are applied later in the template to HTTP/1 and HTTP/2 protocols from line 80.
Workaround
Edit /usr/local/ispconfig/server/conf/vhost.conf.master and comment out the above section.
From within ISPConfig go to Tools > Resync > Select Websites > Start.
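A quick way to confirm which generated vhost files still carry their own TLS directives (and therefore override the global Apache cipher settings), as an added example that is not part of the original report. It assumes ISPConfig's `*.vhost` naming; the two sample vhost files are constructed here, so point it at /etc/apache2/sites-available on a real host.

```shell
#!/bin/sh
# List vhost files that set SSLCipherSuite / SSLProtocol / SSLHonorCipherOrder
# themselves. Any file listed overrides whatever mods-enabled/ssl.conf sets
# globally, which is exactly the situation described in the report.
find_vhost_ssl_overrides() {
    dir="$1"
    # Only uncommented directives count; '#'-prefixed lines are ignored.
    grep -lE '^[[:space:]]*SSL(CipherSuite|Protocol|HonorCipherOrder)[[:space:]]' \
        "$dir"/*.vhost 2>/dev/null | sort
}

# Same check, but prints file:line:directive so the offending lines can be reviewed.
show_vhost_ssl_overrides() {
    dir="$1"
    grep -nHE '^[[:space:]]*SSL(CipherSuite|Protocol|HonorCipherOrder)[[:space:]]' \
        "$dir"/*.vhost 2>/dev/null
}

# Constructed sample input: one vhost with the per-vhost override, one without.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/example.com.vhost" <<'EOF'
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5'
</VirtualHost>
EOF
cat > "$SAMPLE_DIR/clean.example.org.vhost" <<'EOF'
<VirtualHost *:443>
    ServerName clean.example.org
    SSLEngine on
    # SSLCipherSuite deliberately left to the global ssl.conf
</VirtualHost>
EOF

echo "vhost files overriding global TLS settings:"
find_vhost_ssl_overrides "$SAMPLE_DIR"
echo "offending lines:"
show_vhost_ssl_overrides "$SAMPLE_DIR"
```

After applying the workaround and resyncing, the list should be empty; until then, the per-vhost lines take precedence over the global configuration.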
Environment
Server OS: Ubuntu 20.04.1
ISPConfig version: 3.2