TLSv1.1, TLSv1.2 checkboxes missing

Hi, I need to disable SSLv2, SSLv3 and enable TLSv1, TLSv1.1, TLSv1.2, upward for all virtual servers. However, the checkboxes are missing. The system runs CentOS 6.7 and Webmin 1.791

Can you fix this, please?

Kind regards. Adriea

Status: 
Active

Comments

Are you looking to disable SSLv2 and v3 on your domain's regular website, or in the Virtualmin UI on port 10000?

I found the checkboxes to disable SSLv2 and v3 but not for enabling TLSv1.1 and v1.2.

If you disable SSLv2 and v3, only TLS v1.1 and 1.2 will be left.

Not quite:

  1. If all options are checked = has all versions (SSL2, SSL3, TLSv1, TLSv1.1, TLSv1.2).
    (this removes the "SSLProtocol" line from the VirtualHost in virtualservers.conf, but the global one in ssl.conf is ignored)

  2. When the vhost only has TLSv1 checked = has TLSv1 and TLSv1.1, BUT TLSv1.2 is disabled;
    (this sets "SSLProtocol +TLSv1" in the VirtualHost in virtualservers.conf)

  3. If I manually set this in the VirtualHost in virtualservers.conf = will enable these: "TLSv1, TLSv1.1, TLSv1.2".
    "SSLProtocol -All +TLSv1.2 +TLSv1.1 +TLSv1"

= So clearly it needs those options.

~ Also it appears that the global "SSLProtocol" setting in ssl.conf is ignored altogether (this could be a bug in OpenSSL + SNI).
(CentOS Linux 6.7, Apache/2.2.15, Webmin v1.791, Virtualmin v5.01.gpl)

Also at the moment I'm forced to manually edit each VirtualHost and add this line:
Header always set Strict-Transport-Security "max-age=15768000"
~ Maybe there is some way to add it automatically for SSL vhosts?
(as a template is used for all vhosts)

You can set these kinds of options in the Apache config template - it's OK to set SSL options there, because even if they get included in the non-SSL vhost they will have no effect.

Is there any update on this issue?

I urgently and deliberately need to close down TLSv1 and TLSv1.1 and I have done almost everything possible, including a few tweaks, but still no use. https://gf.dev/ and ssllabs.com/ssltest/analyze.html and a few more websites all show that my TLSv1 and v1.1 are enabled

Just so you know, I have changed the following files with the same content:
nano /etc/apache2/apache2.conf
nano /etc/apache2/sites-available/default-ssl.conf
nano /etc/apache2/sites-available/1stdonain_in_shared_hosting.com.conf

SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLProtocol -all +TLSv1.2 (tried both combinations, the previous and this line)
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!MD5:!3DES
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLCompression off
SSLUseStapling on

SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Restart Apache, restart Webmin, restart Apache, restart server - still no change. All these changes, restarts and tests have taken more than 12 hours now but I am still unable to get rid of TLS 1.0 and 1.1

To add more information, I have also added the following line in: /etc/apache2/apache2.conf (not sure if this can actually create trouble)

<IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains;preload"
</IfModule>

Every Tom, Dick and Harry who is not using Virtualmin has got a score of A+ whereas I am on B. And I strongly believe as soon as I get this TLS issue sorted I will be on A if not A+.

Moreover this is very critical for me from a PCI DSS and HIPAA compliance perspective as well.

Can anyone please take out some time and share some ideas as to what else I should do/try.

@Diabolico you seem to be a guru on this and you know how to get to A+, so any suggestion will be highly appreciated.

Many Thanks, Rav

Submitted by Ilia on Wed, 08/26/2020 - 09:40

Can anyone please take out some time and share some ideas as to what else I should do/try.

These options can be set both globally and locally (per virtualhost).

For example, if you only wanted to allow TLS 1.2 and 1.3, the right directive would be SSLProtocol +TLSv1.2 +TLSv1.3.

You could use the Virtualmin interface to change it on a per-virtualhost basis -

Note: After making those changes, you would need to click the refresh button at the top right of the screenshot to apply the configuration.

Just so you know, I have changed the following files with the same content: nano /etc/apache2/apache2.conf nano /etc/apache2/sites-available/default-ssl.conf

Please don't use nano in this scenario. You'd better use the Apache module and its super powerful config editor and searcher -

After editing a service's configuration files, the service must be restarted. In the case of Apache you would use -

CentOS -

systemctl restart httpd

Debian/Ubuntu -

systemctl restart apache2
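The replies above (the list of what each checkbox writes into virtualservers.conf, and Ilia's point that SSLProtocol can be set globally or per virtualhost) both come down to how mod_ssl resolves an SSLProtocol argument list and which directive is in scope for a given vhost. The script below is an added example for this thread, not Virtualmin, Webmin or httpd code. It implements the documented token semantics (`+proto` adds, `-proto` removes, a bare `proto` replaces the set, `all` means every supported version other than SSLv2), then scans a config text for `<VirtualHost>` blocks and reports the effective protocol set of each scope, flagging the versions NIST SP 800-52r2 / PCI DSS want off. The `SUPPORTED` list, the `DEFAULT_DIRECTIVE` and the embedded config are assumptions constructed for the example; the script models directive semantics only, not OpenSSL or SNI quirks like the ones described earlier in the thread.

```python
"""Resolve Apache SSLProtocol directives and audit each scope of a config.

Added example, not code from Virtualmin, Webmin or httpd. Assumptions:
SUPPORTED matches a modern OpenSSL build; DEFAULT_DIRECTIVE is the httpd 2.4
default used when no directive is present; SAMPLE_CONFIG is constructed.
"""
import re

SUPPORTED = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]   # assumption
KNOWN = ["SSLv2"] + SUPPORTED          # SSLv2 is a legal token but never enabled
FORBIDDEN = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # must be off for PCI DSS / NIST
DEFAULT_DIRECTIVE = "all -SSLv3"       # assumption: httpd 2.4 default


def resolve_sslprotocol(directive):
    """Return the set of versions an SSLProtocol argument string selects."""
    enabled = set()
    for token in directive.split():
        action = token[0] if token[0] in "+-" else "="   # bare token = assign
        name = token.lstrip("+-").lower()
        if name == "all":
            chosen = set(SUPPORTED)                     # "all" never includes SSLv2
        elif name in (p.lower() for p in KNOWN):
            chosen = {p for p in SUPPORTED if p.lower() == name}
        else:
            raise ValueError("SSLProtocol: unknown protocol %r" % token)
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = chosen
    return enabled


VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost\s*>", re.I)
SERVER_NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I)
SSL_PROTOCOL = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.I)


def audit(config_text):
    """Map 'server' and every vhost (by ServerName) to (effective set, forbidden subset).

    The last SSLProtocol in a scope wins; a vhost without one inherits the
    server-level value, whatever order the lines appear in.
    """
    server_directive = DEFAULT_DIRECTIVE
    vhosts, current = [], None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):   # Apache comments are whole lines
            continue
        m = VHOST_OPEN.match(raw)
        if m:
            current = {"name": m.group(1).strip(), "directive": None}
            continue
        if VHOST_CLOSE.match(raw):
            vhosts.append(current)
            current = None
            continue
        m = SERVER_NAME.match(raw)
        if m and current is not None:
            current["name"] = m.group(1)
            continue
        m = SSL_PROTOCOL.match(raw)
        if m:
            if current is None:
                server_directive = m.group(1)
            else:
                current["directive"] = m.group(1)
    server_set = resolve_sslprotocol(server_directive)
    report = {"server": (server_set, server_set & FORBIDDEN)}
    for vh in vhosts:
        s = resolve_sslprotocol(vh["directive"]) if vh["directive"] else server_set
        report[vh["name"]] = (s, s & FORBIDDEN)
    return report


# Constructed sample, not the thread's real configuration.
SAMPLE_CONFIG = """\
SSLProtocol all -SSLv2 -SSLv3
<VirtualHost *:443>
    ServerName example.test
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
<VirtualHost *:443>
    ServerName legacy.example.test
    # no SSLProtocol here: inherits the server-level setting
</VirtualHost>
<VirtualHost *:443>
    ServerName oops.example.test
    SSLProtocol +TLSv1.2 TLSv1.2
</VirtualHost>
"""

if __name__ == "__main__":
    for scope, (enabled, bad) in audit(SAMPLE_CONFIG).items():
        verdict = "OK" if not bad else "still allows " + ", ".join(sorted(bad))
        print("%-22s %-32s %s" % (scope, " ".join(sorted(enabled)), verdict))
```

Run it over the concatenation of every file Apache actually includes (apache2.conf or httpd.conf plus the enabled sites), since a directive in a file that is not included has no effect, and the "inherits" case is the one to watch: a vhost that never got its own SSLProtocol keeps whatever the server context allows. Note that "+TLSv1" on its own resolves to just TLSv1 under these rules, so the TLSv1.1 behaviour reported earlier in the thread for that setting comes from the OpenSSL build, not from the directive. After restarting, confirm on the live port rather than in the files, for example with `openssl s_client -connect host:443 -tls1` (expected to fail) and `-tls1_2` (expected to succeed).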

Thanks Ilia, but I have already tried that earlier. However, as you pointed out some tips and tricks, I tried them again.

Just so you know, I don't have TLSv1.3 as an option - is that an issue?

I ticked TLSv1.2, saved it, it took me back to previous page... clicked refresh button. All went fine.

I then followed your 2nd screenshot, searched for all SSLProtocol, opened the respective files and edited the appropriate line with "SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1" rather than going for "SSLProtocol +TLSv1.2 TLSv1.2". I hope that should be fine. Right?

However, nothing has changed. I am still where I was 36 hours ago. I am still getting the message:

The server has TLS 1.0 enabled. It is non-compliant with NIST since SP 800-52 REV. 2 and non-compliant with PCI DSS since the 30th of June 2018.

The server has TLS 1.1 enabled. NIST recommends to drop TLS 1.1 support since SP 800-52 REV. 2

:-(

Any other suggestion would be highly appreciated.

Many Thanks, Rav

Submitted by Ilia on Thu, 08/27/2020 - 02:52

Any other suggestion would be highly appreciated.

Yes, try running:

virtualmin config-system -i Apache

You don't see TLSv1.3 because of the older software version in your distribution.

Thanks Ilia. Done that. Got 1/1 Configuring Apache and also a tick mark in the green box.

But the test still shows exact same error/warning/message. :-(

Submitted by Ilia on Thu, 08/27/2020 - 04:21

What domain is this, where exactly do you test it and what are expected results? In short please.

I have got multiple domains and tried a few of them and all of them are giving the same error.

Here is a list for you: abcd.co.uk, abcd.com, abcd.co.uk, xyz.abcd.co.uk, pqr.abcd.co.uk, lmno.abcd.co.uk. Please note: the last 3 domains are NOT subdomains undertheabsports.co.uk - they are all top-level domains and independent of each other.

I have tried many websites to assess my server but here are the main 2:
1. https://www.ssllabs.com/ssltest/analyze.html
2. https://www.immuniweb.com/ssl/

Submitted by Ilia on Thu, 08/27/2020 - 04:52

Status:
Active
»
Closed (works as designed)

Open a new private ticket and attach a .zip archive of /etc/httpd or /etc/apache2 (whichever exists).

At first try though:

systemctl force-reload apache2
Submitted by carrabelloy on Thu, 08/27/2020 - 05:26 Pro Licensee

Status:
Closed (works as designed)
»
Active

Everything in English once again, and how I hate English. Why is there no German section here? I don't want to know English and it has never interested me. And whoever wants to sell something worldwide must go about it in such a way that it can also be used with other languages. I installed it and cannot get in. No password or anything else. Who is supposed to find their way around here anymore?

Hello carrabelloy,

Perhaps I can help you as a volunteer translator for Webmin.

If I understand you correctly, you have installed Virtualmin but cannot log in.

First a few questions, so that I can better judge what you would like to achieve.

  • Which operating system are you using? (BSD, SuSE Linux, Fedora Linux, ...)
  • What would you like to do with Virtualmin? (manage Linux, manage web hosting ...)

Unfortunately, in IT much is in English, and German is only one language among many that is contributed by volunteer translators; this is also the case with Virtualmin.

Virtualmin is based on Webmin, an interface for administering Linux systems, which is included as a package in most Linux derivatives. Perhaps it would be easiest to first install Webmin from your distribution.