I’ve just been looking through the existing threads that I can find on this topic and none seem to cover what I’m looking for. To wit, they mostly deal with an apache-only directive (“SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1”) which feels like a bad hack in that it must be done on a per-host basis. I don’t want to modify each host to tell it that it should only accept the good one of the server’s three protocols; I want the server to only support the good protocol!
Background: I just set up SSL and put a site live. I did the https://www.ssllabs.com/ssltest/, got an A, and am now attempting to cover the warnings to up the score (not just for the sake of the score).
Environment: Debian 9 vm running nginx reverse proxy
Certbot config file was autogenerated at /etc/letsencrypt/options-ssl-nginx.conf (see below). It warns you not to manually modify it yet it seems to contain everything needed. I am quite sure that my MANUAL step would be to remove the offending protocols from the ssl_protocols line and then do the same for the ssl_ciphers line. However, this solution would be a ticking time bomb that I do not want.
Since the file is autogenerated, it seems like there should be a way to pass to certbot which protocols/ciphers to allow. This would logically modify the include file which would pass its effect on to any ssl enabled domains.
Please advise as to how this can be accomplished.
This file contains important security parameters. If you modify this file
manually, Certbot will be unable to automatically provide future security
updates. Instead, Certbot will print and log an error message with a path to
the up-to-date file that you will need to refer to when manually updating
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
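An added audit script (not from the original post and not part of Certbot) that reads an nginx ssl include such as the options-ssl-nginx.conf quoted above, ignores commented-out lines, and reports any legacy SSL/TLS versions still enabled; the file contents below are a constructed sample, not a copy of the real file on any host.

```shell
#!/bin/sh
# Audit an nginx ssl include (e.g. /etc/letsencrypt/options-ssl-nginx.conf)
# for legacy protocol versions. The sample below is constructed for this
# demonstration; point the functions at the real include to audit it.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
# This file contains important security parameters.
ssl_session_cache shared:le_nginx_SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
# ssl_protocols SSLv3;   (commented out, so it must be ignored)
EOF

# Print the protocol list from every active (uncommented) ssl_protocols line,
# with the directive keyword and the trailing ';' removed.
active_protocols() {
    sed 's/#.*//' "$1" \
      | awk '$1 == "ssl_protocols" { $1 = ""; sub(/;.*/, ""); print }' \
      | tr -s ' \t' ' ' | sed 's/^ //;s/ $//'
}

# Print, one per line, the enabled versions that SSL Labs flags as weak.
weak_protocols() {
    for p in $(active_protocols "$1"); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) printf '%s\n' "$p" ;;
        esac
    done
}

# Exit status 0 when only TLSv1.2/TLSv1.3 are enabled, 1 otherwise.
check_protocols() {
    [ -z "$(weak_protocols "$1")" ]
}

# Stand-alone run: report what an administrator would need to remove.
if check_protocols "$SAMPLE_CONF"; then
    echo "ok: no legacy protocols enabled"
else
    echo "weak protocols enabled: $(weak_protocols "$SAMPLE_CONF" | tr '\n' ' ')"
    echo "recommended directive: ssl_protocols TLSv1.2 TLSv1.3;"
fi
```

Run the same functions against the real include after each Certbot update to confirm the generated file still enables only TLSv1.2 and TLSv1.3.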