SSL error blocks access from certain browsers/networks using apache2

Ehm... If you don't have a specific reason to keep TLS 1.0 and 1.1 enabled, turn them off.

Check https://ssl-config.mozilla.org

2 Likes

what is the significance of turning them off compared to what I have running now?

I entered my settings in the form there and it produced this

# generated 2022-02-17, Mozilla Guideline v5.6, Apache 2.4.38, OpenSSL 1.1.1d, modern configuration
# https://ssl-config.mozilla.org/#server=apache&version=2.4.38&config=modern&openssl=1.1.1d&guideline=5.6

# this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs
    SSLCertificateKeyFile   /path/to/private_key

    # enable HTTP/2, if available
    Protocols h2 http/1.1

    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

# modern configuration
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Not sure what to do with that data or how to turn off TLS 1.0 & 1.1

There are some vulnerabilities. I wouldn't turn off TLS 1.2.

(I'd use the intermediate config, only use the modern one if you know your clients very well)

Don't enable http strict transport security until you understand what it does, please.

2 Likes

Am I supposed to put this in each le-ssl.conf for each VirtualHost or in the file /etc/letsencrypt/options-ssl-apache2.conf?

# intermediate configuration
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLSessionTickets       off

And does this section mess up my current Rewrite settings in the regular .conf file? Do I just add it to the bottom before </VirtualHost>?

<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

Leave it alone.

When you have some time, pick it back up. I'm not going to tell you to mess with a system that's working.

If you just want to turn off TLS 1.0 and 1.1, find the SSLProtocol directive on your server and modify it like the example.

1 Like
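The advice above is to locate the SSLProtocol directive and edit it so that TLS 1.0 and 1.1 are dropped. The following POSIX shell script is an added example written for this page (it is not from the thread, from certbot, or from Mozilla's generator): it reads the directive from whatever config file you name, works out whether TLSv1 and TLSv1.1 are still enabled, and can optionally ask a live host for a TLS 1.0 or 1.1 handshake to confirm the reload took effect. The script name `tls_audit.sh` and the hostname argument are assumptions; the file path in the usage line is the one the thread's poster asked about.

```shell
#!/bin/sh
# Added example (not from the thread, certbot or Mozilla's generator): audit
# the SSLProtocol directive in an Apache config file, then optionally probe a
# live host to confirm TLS 1.0 and 1.1 are really gone after the reload.

# check_ssl_protocol <config-file>
# Prints "ok" when the last SSLProtocol line in the file leaves TLSv1 and
# TLSv1.1 disabled, otherwise "legacy-enabled". Apache's own default
# ("all -SSLv3") keeps both enabled, so a file with no directive is reported
# as legacy-enabled too. Only the last directive in the given file counts;
# per-VirtualHost overrides in other files are outside this check's scope.
check_ssl_protocol() {
    # Keep the arguments of the last SSLProtocol line (directive names are
    # case-insensitive in Apache), dropping the directive keyword itself.
    args=$(awk 'tolower($1) == "sslprotocol" { $1 = ""; line = $0 } END { print line }' "$1")
    [ -n "$args" ] || args="all -SSLv3"

    # Walk the tokens left to right as mod_ssl does: "all" switches every
    # version on, "+X" or a bare "X" enables one version, "-X" disables one.
    v10=0; v11=0
    for tok in $args; do
        case "$tok" in
            [Aa][Ll][Ll]|+[Aa][Ll][Ll])   v10=1; v11=1 ;;
            -[Aa][Ll][Ll])                v10=0; v11=0 ;;
            TLSv1|+TLSv1)                 v10=1 ;;
            -TLSv1)                       v10=0 ;;
            TLSv1.1|+TLSv1.1)             v11=1 ;;
            -TLSv1.1)                     v11=0 ;;
        esac
    done

    if [ "$v10" -eq 0 ] && [ "$v11" -eq 0 ]; then
        echo ok
    else
        echo legacy-enabled
    fi
}

# probe_legacy_tls <hostname>
# After the change is deployed and Apache reloaded, offer the live server a
# TLS 1.0 and then a TLS 1.1 handshake; a hardened server rejects both. Needs
# network access and an openssl binary, so the self-test below skips it.
probe_legacy_tls() {
    for ver in tls1 tls1_1; do
        if printf '' | openssl s_client -connect "$1:443" -servername "$1" "-$ver" >/dev/null 2>&1; then
            echo "$1: $ver accepted (legacy protocol still enabled)"
        else
            echo "$1: $ver rejected"
        fi
    done
}

# Usage: sh tls_audit.sh /etc/letsencrypt/options-ssl-apache2.conf [hostname]
[ $# -eq 0 ] || check_ssl_protocol "$1"
[ $# -lt 2 ] || probe_legacy_tls "$2"
```

Run the file check before the reload and the probe after it. One caveat on the probe: a client-side OpenSSL built with a high default security level may refuse to even offer TLS 1.0, which shows up as "rejected" regardless of the server; if both versions are rejected, the server-side directive check is the more reliable of the two results.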

I just realized that config comes with your very old version of certbot. You can replace it if you know what you're doing, but it's probably better to just upgrade certbot.

1 Like

Thanks so much for everything. You are awesome. I will read about TLS and OCSP Stapling when I have time. I'm sure I'll figure it out. You guys have helped so much. Wish I could buy you a coffee. All I have is Ravencoin.

1 Like

This config? /etc/letsencrypt/options-ssl-apache2.conf

Well, my system is Debian 10. I have been thinking of upgrading to Bullseye; maybe they have a newer version.

Yes, that one.

Currently certbot is distributed using snap; the version in apt is probably old in Debian 11 too.

1 Like

[side note:]
[Thanks for the :beer:]
[Cheers from Miami]

2 Likes

No prob RG

@9peppe if you have a PayPal or XMR / RVN I can send you a few for your help as well. Can't thank you two enough. I was trying to get this solved for a few weeks and overlooked that issue completely.

I'm off to do my thing, peace.

1 Like

Don't worry about it :wink:

1 Like

You could.
And you did.
:slight_smile:

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.