Change the SSL ciphers used by Apache2 in Plesk 11.5 and Ubuntu 12.04
2014-04
I want to change the configuration of my Apache2 server so that it accepts the following lines in order to disable weak TLS ciphers and enable perfect forward secrecy.
SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+AESGCM EDH+AESGCM EECDH -RC4 EDH -CAMELLIA -SEED !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
However, I am a bit confused. Plesk 11.5 was preinstalled on the server and is used to manage the Apache2 webserver. I changed the lines in
/etc/apache2/mods-enabled/ssl.conf
and restarted Apache by typing
service apache2 restart
However, sslscan returns the following:
phil@phil-desktop:~$ sslscan www.phkr.de | grep Accepted
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 256 bits CAMELLIA256-SHA
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-SEED-SHA
Accepted SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits SEED-SHA
Accepted SSLv3 128 bits CAMELLIA128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-SEED-SHA
Accepted TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits SEED-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
So I assume that I have to change the configuration elsewhere?
Any help appreciated, thanks!
I finally figured it out. Creating the file
/etc/apache2/conf.d/zz050-psa-disable-weak-ssl-ciphers.conf
and adding the lines to it did the trick.
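To confirm that an override like the one above actually took effect, the following is an added example (not code from the question or from Plesk): it parses the `Accepted` lines that sslscan prints, in the format shown in the question, and checks every suite against the policy that the posted `SSLProtocol` and `SSLCipherSuite` directives express (no SSLv2/SSLv3, no RC4, 3DES, MD5, CAMELLIA, SEED, export or NULL ciphers, ephemeral key exchange only). The cipher-name substrings assume OpenSSL's naming, and the sample input is the scan output quoted in the question.

```python
import re
import sys

# Constructed sample input: the sslscan output quoted in the question, verbatim.
SAMPLE_SCAN = """\
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 256 bits CAMELLIA256-SHA
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits DHE-RSA-SEED-SHA
Accepted SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 128 bits SEED-SHA
Accepted SSLv3 128 bits CAMELLIA128-SHA
Accepted SSLv3 128 bits RC4-SHA
Accepted SSLv3 128 bits RC4-MD5
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 256 bits CAMELLIA256-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits DHE-RSA-SEED-SHA
Accepted TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 128 bits SEED-SHA
Accepted TLSv1 128 bits CAMELLIA128-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
"""

# One sslscan result line: "Accepted <protocol> <bits> bits <cipher>" (format as in the question).
LINE_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")

# Policy derived from the directives in the question:
#   SSLProtocol all -SSLv2 -SSLv3                     -> no SSLv2 / SSLv3
#   SSLCipherSuite -RC4 -CAMELLIA -SEED !LOW !3DES !MD5 !EXP !eNULL ...
#   only EECDH / EDH suites are listed                -> forward secrecy required
BANNED_PROTOCOLS = {"SSLv2", "SSLv3"}
FORWARD_SECRET_PREFIXES = ("DHE-", "EDH-", "ECDHE-")  # OpenSSL names for ephemeral (EC)DH
CIPHER_RULES = [  # (label, regex over the OpenSSL cipher name)
    ("RC4", r"RC4"),
    ("3DES", r"DES-CBC3|3DES"),
    ("MD5", r"MD5"),
    ("CAMELLIA", r"CAMELLIA"),
    ("SEED", r"SEED"),
    ("EXPORT", r"EXP"),
    ("NULL", r"NULL"),
    ("LOW", r"DES-CBC-|RC2"),  # single DES / RC2; "DES-CBC3" does not match this pattern
]


def parse_scan(text):
    """Return (protocol, bits, cipher) for every 'Accepted' line; other lines are ignored."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            results.append((m.group(1), int(m.group(2)), m.group(3)))
    return results


def evaluate(protocol, bits, cipher):
    """List the policy violations for one accepted suite (an empty list means it is acceptable)."""
    reasons = []
    if protocol in BANNED_PROTOCOLS:
        reasons.append(f"protocol {protocol} should be disabled")
    if bits < 128:
        reasons.append(f"{bits}-bit key is too short")
    for label, pattern in CIPHER_RULES:
        if re.search(pattern, cipher):
            reasons.append(f"{label} is excluded by policy")
    if not cipher.startswith(FORWARD_SECRET_PREFIXES):
        reasons.append("no forward secrecy (non-ephemeral key exchange)")
    return reasons


def audit(text):
    """Map each accepted (protocol, bits, cipher) to its list of violations."""
    return {entry: evaluate(*entry) for entry in parse_scan(text)}


def acceptable(text):
    """Sorted names of the suites that pass every rule."""
    return sorted({cipher for (_, _, cipher), reasons in audit(text).items() if not reasons})


def report(text):
    """Human-readable summary: one line per offending suite plus a total."""
    findings = audit(text)
    lines = [f"{p} {c}: {'; '.join(r)}" for (p, b, c), r in findings.items() if r]
    lines.append(f"{len(lines)} of {len(findings)} accepted suites violate the policy")
    return "\n".join(lines)


if __name__ == "__main__":
    # Read a live scan from a pipe (sslscan host | python3 audit.py); otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN
    print(report(text))
```

On the scan from the question, 26 of the 28 accepted suites are flagged; only DHE-RSA-AES128-SHA and DHE-RSA-AES256-SHA over TLSv1 pass, which matches the directives (they are EDH suites the cipher string admits after the preferred GCM ones). After the Plesk override file is in place, a rescan piped into this script should report zero violations; if SSLv3 lines still appear, the directives are being overridden by a later-loaded configuration, as happened in the question.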
Okay, it's clearly been a while since I've used Linux (and Apache). I'm just trying to create a new folder "newdir" under /var/www/html/ and editing index.html, which I'm only allowed to do with sudo, so all my files are "rooted". :-(
...and then, when I go to www.myserver.com/newdir/index.html, it's forbidden! (surprising... NOT)
So, my question is this. How do I correctly do this? Must I add every folder in the .conf file or something? I really couldn't find a good howto for this.
What I've done so far: only installed apache2 on ubuntu, nothing else.
chown, or if you made directories, chown -R. A less secure option is to make the apache user a login user and do your work from there.
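A worked version of the chown/chmod route, added here as an example and not taken from the thread: it gives the tree to an administrative owner with the web server's group, then normalises modes so Apache can traverse directories and read files while nothing under the web root is world-writable. It assumes a Debian/Ubuntu layout where Apache runs as `www-data`; the ownership step needs root and is skipped otherwise, so the permission part can be exercised in a scratch directory.

```bash
#!/bin/sh
# fix_webroot DIR [OWNER] [GROUP]
# Make DIR servable by Apache: OWNER keeps write access, the web server's
# group (www-data on Debian/Ubuntu, an assumption elsewhere) gets read-only.
fix_webroot() {
    root="$1"
    owner="${2:-root}"
    group="${3:-www-data}"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }

    # Ownership changes need root and a group that exists; skip them otherwise
    # so the mode normalisation below still runs (e.g. in a scratch directory).
    if [ "$(id -u)" -eq 0 ] && getent group "$group" >/dev/null 2>&1; then
        chown -R "$owner:$group" "$root"
    fi

    # Directories need r-x for traversal, files need r-- to be served.
    # Neither gets write access for group/other, so a compromised worker
    # cannot modify the content it serves.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# count_unreadable DIR
# Number of entries Apache could not read as a non-owner: directories without
# o+rx or files without o+r. Prints 0 when the whole tree is servable.
count_unreadable() {
    root="$1"
    dirs=$(find "$root" -type d ! -perm -o=rx | wc -l)
    files=$(find "$root" -type f ! -perm -o=r | wc -l)
    echo $((dirs + files))
}

# Self-contained demo in a scratch directory (constructed; not a real web root).
demo() {
    tmp=$(mktemp -d)                       # mktemp -d creates the root as 0700
    mkdir -p "$tmp/newdir"
    echo '<h1>hello</h1>' > "$tmp/newdir/index.html"
    chmod 700 "$tmp/newdir"                # mimic files created under sudo with a strict umask
    chmod 600 "$tmp/newdir/index.html"
    before=$(count_unreadable "$tmp")
    fix_webroot "$tmp"
    after=$(count_unreadable "$tmp")
    echo "unreadable entries before: $before, after: $after"
    rm -rf "$tmp"
    [ "$after" -eq 0 ]
}

demo
```

Run it as root against the real web root (`fix_webroot /var/www/html "$USER" www-data`) after creating content with sudo; `count_unreadable /var/www/html` printing 0 means the "Forbidden" is not a filesystem-permission problem and the virtual host's `<Directory>` block should be checked next.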