Change the SSL ciphers used by Apache2 in Plesk 11.5 and Ubuntu 12.04

2014-04-05
  • Phil

    I want to change the configuration of my Apache2 server so that it accepts the following lines in order to disable weak TLS ciphers and enable perfect forward secrecy.

    SSLProtocol all -SSLv2 -SSLv3
    SSLCompression Off
    SSLHonorCipherOrder on 
    SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    

    However, I am a bit confused. Plesk 11.5 was preinstalled on the server and is used to manage the Apache2 webserver. I changed the lines in

    /etc/apache2/mods-enabled/ssl.conf
    

    and restarted apache by typing

    service apache2 restart
    

    However, sslscan returns the following:

    phil@phil-desktop:~$ sslscan www.phkr.de | grep Accepted
    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Accepted  SSLv3  256 bits  DHE-RSA-CAMELLIA256-SHA
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  256 bits  CAMELLIA256-SHA
    Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-SEED-SHA
    Accepted  SSLv3  128 bits  DHE-RSA-CAMELLIA128-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  128 bits  SEED-SHA
    Accepted  SSLv3  128 bits  CAMELLIA128-SHA
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  256 bits  CAMELLIA256-SHA
    Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-SEED-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  SEED-SHA
    Accepted  TLSv1  128 bits  CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    

    So I assume that I have to change the configuration elsewhere?

    Any help appreciated, thanks!

  • Answers
  • Phil

    I finally figured it out. Creating the file

    /etc/apache2/conf.d/zz050-psa-disable-weak-ssl-ciphers.conf
    

    and adding the lines to it did the trick.
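
To confirm the new file actually took effect after the restart, here is an added Python check (not from the original post) that parses sslscan's "Accepted" lines and reports every cipher that breaks the policy the question's SSLProtocol/SSLCipherSuite lines express: no SSLv2/SSLv3, no RC4, 3DES, MD5, SEED or CAMELLIA, and forward secrecy everywhere. The sample scan output is constructed for the example.

```python
import re

# Constructed sample in the format sslscan printed in the question above:
# "Accepted  <protocol>  <bits> bits  <cipher>".
SAMPLE_SSLSCAN_OUTPUT = """\
Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
Accepted  SSLv3  128 bits  RC4-MD5
Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
Accepted  TLSv1  128 bits  AES128-SHA
Accepted  TLSv1  128 bits  SEED-SHA
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
"""

ACCEPTED_RE = re.compile(r"^Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)", re.M)

# Policy derived from the SSLProtocol / SSLCipherSuite lines in the question:
# SSLv2 and SSLv3 off, RC4/3DES/MD5/SEED/CAMELLIA excluded, and only ciphers
# with ephemeral (EC)DH key exchange, i.e. perfect forward secrecy.
BANNED_PROTOCOLS = {"SSLv2", "SSLv3"}
BANNED_CIPHER_PARTS = ("RC4", "DES-CBC3", "MD5", "SEED", "CAMELLIA")
PFS_PREFIXES = ("DHE-", "EDH-", "ECDHE-", "EECDH-")


def parse_accepted(scan_output):
    """Return (protocol, bits, cipher) for every Accepted line in the scan."""
    return [(p, int(b), c) for p, b, c in ACCEPTED_RE.findall(scan_output)]


def violations(scan_output):
    """Map each offending (protocol, cipher) pair to the rules it breaks."""
    result = {}
    for proto, _bits, cipher in parse_accepted(scan_output):
        reasons = []
        if proto in BANNED_PROTOCOLS:
            reasons.append("protocol %s should be disabled" % proto)
        for part in BANNED_CIPHER_PARTS:
            if part in cipher:
                reasons.append("excluded cipher component %s" % part)
        if not cipher.startswith(PFS_PREFIXES):
            reasons.append("no forward secrecy (static RSA key exchange)")
        if reasons:
            result[(proto, cipher)] = reasons
    return result


def policy_applied(scan_output):
    """True only when nothing the server still accepts violates the policy."""
    return not violations(scan_output)


if __name__ == "__main__":
    for (proto, cipher), reasons in violations(SAMPLE_SSLSCAN_OUTPUT).items():
        print(proto, cipher, "->", "; ".join(reasons))
    print("policy applied:", policy_applied(SAMPLE_SSLSCAN_OUTPUT))
```

Run it as `sslscan www.example.org | python check.py` style by replacing the sample with `sys.stdin.read()`; an empty violation list after the restart is the signal that the right file was edited.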


  • Related Question

    Correct workflow when starting on a new webpage with apache2 (in ubuntu..)
  • Mikael Å

    Okay, it's clearly been a while since I've used Linux (and Apache). I'm just trying to create a new folder "newdir" under /var/www/html/ and edit index.html, which I'm only allowed to do with sudo, so all my files are "rooted". :-(

    ..and then, when I go to www.myserver.com/newdir/index.html, it's forbidden! (surprising...NOT)

    So, my question is this. How do I correctly do this? Must I add every folder in the .conf file or something? I really couldn't find a good howto for this.

    What I've done so far: only installed apache2 on ubuntu, nothing else.


  • Related Answers
  • hbdgaf

    chown, or if you made directories, chown -R; a less secure option is to make the apache user a login user and do your work from there