Hi,
I finally managed to get my certificate, nice!
https://www.benjaminthompson.org
I would like to disable TLSv1 though.
When I look for /etc/httpd/conf.d/ssl.conf, the file doesn’t exist.
So how and where do I make the changes?
Thanks
First try locating the vhost config file:
grep -ri benjaminthompson.org /etc/httpd
Hi rg305,
I get:
grep: /etc/httpd: No such file or directory
Thanks
Is it below /etc/apache2/? If not, could you tell us a little more about your config (what is your OS, etc.)?
From your other posts - probably
/etc/apache2/sites-available/benjaminthompson.org.conf
/etc/apache2/sites-available/benjaminthompson.org-lessl.conf
Hi serverco,
/etc/apache2/sites-available/benjaminthompson.org.conf
<VirtualHost *:80>
ServerName benjaminthompson.org
DocumentRoot /var/www/html
RewriteEngine on
RewriteCond %{SERVER_NAME} =benjaminthompson.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
ServerName www.benjaminthompson.org
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.benjaminthompson.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
/etc/apache2/sites-available/benjaminthompson.org-le-ssl.conf
ServerName benjaminthompson.org
DocumentRoot /var/www/html
SSLCertificateFile /etc/letsencrypt/live/www.benjaminthompson.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.benjaminthompson.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName www.benjaminthompson.org
SSLCertificateFile /etc/letsencrypt/live/www.benjaminthompson.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.benjaminthompson.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
I’m having issues getting caching plugins to work since I got my SSL certificate, don’t know if my issues are related.
Thanks
I’m using PuTTY from WIN10
I’d suggest using https://mozilla.github.io/server-side-tls/ssl-config-generator/ to provide the optimal config for your site.
Adding
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
in your config after the
SSLCertificateFile /etc/letsencrypt/live/www.benjaminthompson.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.benjaminthompson.org/privkey.pem
lines will disable SSLv3, TLSv1 and TLSv1.1 although that will also prevent connection from some of the less modern browsers.
You should also check if these are set at all in
/etc/letsencrypt/options-ssl-apache.conf
Thanks!
How is my /etc/letsencrypt/options-ssl-apache.conf supposed to look after I have disabled TLSv1?
This is how it is now:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-EC$
SSLHonorCipherOrder on
SSLCompression off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log
# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
I will install https://mozilla.github.io/server-side-tls/ssl-config-generator/
and add:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
Right now.
Thanks!
You don’t need to “install” the mozilla SSL config generator - it’s a web page that gives you example configs.
As long as the /etc/letsencrypt/options-ssl-apache.conf doesn’t include any SSLProtocol line, which would overwrite the previous one - then that’s fine.
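Added example, not part of the original thread: a small shell check for the override described above. It lists the SSLProtocol directives in the order Apache reads them (following literal Include paths) and works out which protocols the last one leaves enabled. The function names, the `ALL_PROTOCOLS` list and the sample files are assumptions made for illustration; <VirtualHost> scoping and glob includes are not handled.

```shell
#!/bin/sh
# What "all" expands to depends on the Apache/OpenSSL build; this list is an assumption.
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# Print the arguments of every SSLProtocol directive in read order,
# expanding literal Include paths in place. The whole file is treated
# as a single context (hypothetical helper, canonical spelling only).
list_sslprotocol() {
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f
        case "$1" in
            Include|IncludeOptional)
                if [ -f "$2" ]; then list_sslprotocol "$2"; fi ;;
            SSLProtocol) shift; echo "$*" ;;
        esac
    done < "$1"
}

# Apply the "all / -X / +X / X" tokens of the last directive read
# and print the protocols that remain enabled.
effective_protocols() {
    last=$(list_sslprotocol "$1" | tail -n 1)
    enabled=""
    for tok in $last; do
        case "$tok" in
            all) enabled=$ALL_PROTOCOLS ;;
            -*)  new=""
                 for p in $enabled; do
                     [ "$p" = "${tok#-}" ] || new="$new $p"
                 done
                 enabled=$new ;;
            *)   enabled="$enabled ${tok#+}" ;;
        esac
    done
    echo $enabled
}

# Constructed sample files: options.conf stands in for options-ssl-apache.conf.
d=$(mktemp -d)
printf 'SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n' > "$d/options.conf"
printf 'SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\nInclude %s\n' "$d/options.conf" > "$d/before.conf"
printf 'Include %s\nSSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n' "$d/options.conf" > "$d/after.conf"

echo "SSLProtocol before the Include: $(effective_protocols "$d/before.conf")"
echo "SSLProtocol after the Include:  $(effective_protocols "$d/after.conf")"
```

In the constructed "before" case the included file's SSLProtocol line is read last, so TLSv1 and TLSv1.1 stay enabled; placing the stricter line after the Include (or removing the line from the included file) leaves only the newer protocols.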
PERFECT!!!
https://www.whynopadlock.com/results/e38afde3-320d-4f51-9388-63fbac1086c4
Thank you very much sir !