I can't understand how SSLProtocol, SSLCipherSuite etc. are set using certbot-apache plugin

Hello,

OS : Ubuntu Server 20.04 LTS
Web server : Apache/2.4.41 (Ubuntu)
certbot plugin : certbot-apache

After many researches on the web and in certbot-apache code (I am not a developer though), I still can't understand how SSLProtocol, SSLCipherSuite etc. are set using certbot-apache plugin.

In /etc/apache2/sites-enabled/domain-le-ssl.conf, I have the following :

Include /etc/letsencrypt/options-ssl-apache.conf

In Include /etc/letsencrypt/options-ssl-apache.conf, I have :

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

But, when I scan my domain using SSLLabs, the result is that my web server only works using TLSv1.2 and TLSv1.3.

My question is : how is it possible ? Can someone explain to me how certbot-apache plugin sets SSLProtocol, SSLCipherSuite and where it is stored on the server ?

Thank you.

RO

Exactly how you have described, using the options-ssl-apache.conf file!

I can think of two possibilities:

  1. Your domain is behind a CDN (like Cloudflare)

  2. You have some SSLProtocol in some other part of your configuration which is taking precedence:

     sudo grep -Ri sslprotocol /etc/apache2
2 Likes

Thank you for your reply.

My domain is not behind a CDN. It is simply hosted on a VPS.

I ran the command sudo grep -Ri sslprotocol /etc/apache2 and got :

/etc/apache2/mods-enabled/ssl.conf:	SSLProtocol all -SSLv3
/etc/apache2/mods-available/ssl.conf:	SSLProtocol all -SSLv3

It is not what it is supposed to be configured (SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 for example)

I still can't understand how it all works :frowning:

Hello @_romaino,

By default, Ubuntu 20.04 disables all TLS protocols below 1.2. If you want to offer TLSv1 and TLSv1.1 protocols you can edit file /etc/apache2/mods-enabled/ssl.conf and add at the end of the directive SSLCipherSuite this :@SECLEVEL=1

Example:

SSLCipherSuite HIGH:!aNULL:@SECLEVEL=1

Note: Remember to restart apache.

Cheers,
sahsanu

2 Likes

@sahsanu that's pretty subtle! It's a good reminder that parts of a configuration can come not only from configuration files visible in /etc, but also from package defaults (when the package was created by the operating system packager).

1 Like

Hello @sahsanu,

Thanks for your reply.

I tried to edit /etc/apache2/mods-enabled/ssl.conf and add at the end of the SSLCipherSuite directive :@SECLEVEL=1 but it didn't work. TLSv1.0 and TLSv1.1 were not working.

So I tried to edit /etc/letsencrypt/options-ssl-apache.conf and add at the end of the SSLCipherSuite directive :@SECLEVEL=1 and it did work!

I don't have to enable these protocols but I am just trying to understand how certbot-apache works and how it edits configuration files.

So now my question is: why is /etc/letsencrypt/options-ssl-apache.conf file using weak configuration by default?

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

Plus, it says

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

Here on Ubuntu 20.04, thanks to the OS package, weak configurations are disabled by default, so there is no problem. But I am having a hard time understanding why certbot-apache doesn't use a better configuration file with strong configuration by default even though Ubuntu 20.04 disables all TLS protocols below 1.2.

Thanks.

_romaino

Seems the conf file /etc/letsencrypt/options-ssl-apache.conf you are using is a bit old, new version of this file disables TLSv1 and TLSv1.1 protocols.

What's the certbot version you are using?

certbot package version

sudo certbot --version
certbot 0.40.0

I also have python3-certbot-apache installed on my server.

I see that I don't have neither the current version nor the old one on that github repo. Weird!

edit:
Okay. I think I might have found the solution.
I installed certbot from Ubuntu 20.04 LTS repositories. The version here is very old, so I think I have to use the snap version of certbot. Is that correct ?

1 Like

Yes, version 0.40 is a bit old, it was released on November, 2019. If you want to have an updated certbot, yes, use the snap version.

Before installing the snap version, remember to backup /etc/letsencrypt/ dir and remove installed certbot package (don't use purge to remove your installed certbot version).

FWIW, Operating System packages are almost always outdated. While ubuntu often packages a release relatively quickly when they want to support something, they often trail off on non-critical updates to handle more important things. 18.04 and 20.04 both are LongTermSupport, but have rather old versions. For example:

ubuntu version certbot version ubuntu packaged certbot released
18.04 LTS 0.23.0 06 Apr 2018 04 Apr 2018
20.04 LTS 0.40.0 05 Nov 2019 05 Nov 2019
20.10 1.7.0 04 Aug 2020 04 Aug 2020
- 1.12 - 02 Feb 2021
- 1.13 - 04 Mar 2021
1 Like

Hello,

@sahsanu @jvanasco

Thanks for your replies.

I saved my /etc/letsencrypt/ dir and removed installed certbot package from Ubuntu repositories.
I installed snapd + certbot snap package.

Now my certbot package version is 1.13.0, which is recent.

sudo certbot --version
certbot 1.13.0

I re-issued my certificates.
Now, /etc/letsencrypt/options-ssl-apache.conf is good!

# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

Thanks to all of you I now understand how certbot works.
I am closing this topic.

Have a great weekend!

Cheers,
_romaino

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.