[BlueOnyx:21232] Re: Changes to ssl_perl.conf

Michael Stauber mstauber at blueonyx.it
Tue Aug 1 19:15:16 -05 2017


Hi Robert,

> I have a VPS user who requested to have TLS 1.0 and TLS 1.1 disabled to
> meet new upcoming PCI requirements. Will the change below get
> overwritten on updates?
> 
> [root at vps ~]# diff /etc/httpd/conf.d/ssl_perl.conf.default
> /etc/httpd/conf.d/ssl_perl.conf
> 138c138
> <             SSLProtocol                 => "+ALL -SSLv2 -SSLv3",
> ---
> >             SSLProtocol                 => "+ALL -SSLv2 -SSLv3 -TLSv1
> > -TLSv1.1",

Editing /etc/httpd/conf.d/ssl_perl.conf has no impact at all on the SSL
implementation of a Vsite with SSL enabled. The SSL for Vsites is added
directly into the SSL <VirtualHost> container in the ...

/etc/httpd/conf/vhosts/siteX

... file such as this:

<VirtualHost *:443>
SSLengine on
SSLCompression off
SSLProtocol +ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA

SSLCACertificateFile /home/.sites/28/site1/certs/ca-certs
SSLCertificateFile /home/.sites/28/site1/certs/certificate
SSLCertificateKeyFile /home/.sites/28/site1/certs/key
...
</VirtualHost>

And that file will occasionally be edited or rebuilt by the GUI and
would bring back TLSv1 and TLSv1_1.

You would need to edit
/usr/sausalito/handlers/base/apache/virtual_host.pl which does set these
options whenever SSL for a Vsite is modified. And even then that will be
overridden by future base-apache updates.

I think it might be a good idea to add a GUI switch that allows disabling
TLSv1 and TLSv1.1, as the need to turn them off might eventually become
more pressing than just satisfying the fancy of PCI compliance.

-- 
With best regards

Michael Stauber
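Since the GUI can rewrite /etc/httpd/conf/vhosts/siteX and silently bring TLSv1 and TLSv1.1 back, the practical follow-up is a check that can be re-run after every Vsite change. The script below is an added example, not code from the thread or from BlueOnyx: it reads Apache configuration text, evaluates each SSLProtocol directive the way Apache does (the +/- tokens, "all", and plain allow-lists), and reports whether TLSv1 or TLSv1.1 is still enabled. The two VirtualHost samples embedded in it are constructed to mirror the GUI-written form and the hardened form; it assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the BlueOnyx thread): audit Apache SSLProtocol
# directives for TLSv1 / TLSv1.1 still being enabled. POSIX sh + awk only.

# Reads Apache config text on stdin. Prints one line per SSLProtocol directive
# with the resulting TLSv1 / TLSv1.1 state. Exit status 0 only if every
# directive disables both; 1 if any leaves one enabled, or if no SSLProtocol
# directive exists at all (Apache's default then still allows TLSv1).
audit_sslprotocol() {
    awk '
    function strip(t) { gsub(/"/, "", t); return t }
    tolower($1) == "sslprotocol" {
        found = 1
        tls1 = 0; tls11 = 0
        for (i = 2; i <= NF; i++) {
            tok = tolower(strip($i))
            if (substr(tok, 1, 1) == "#") break        # trailing comment
            sign = substr(tok, 1, 1)
            if (sign == "+" || sign == "-") {
                name = substr(tok, 2)
            } else {
                name = tok; sign = "+"                   # bare token = allow-list entry
            }
            on = (sign == "+") ? 1 : 0
            if (name == "all")         { tls1 = on; tls11 = on }
            else if (name == "tlsv1")   tls1 = on
            else if (name == "tlsv1.1") tls11 = on
        }
        printf "line %d: %s -> TLSv1=%s TLSv1.1=%s\n", NR, $0,
               (tls1 ? "enabled" : "disabled"), (tls11 ? "enabled" : "disabled")
        if (tls1 || tls11) weak = 1
    }
    END { if (!found || weak) exit 1; exit 0 }
    '
}

# Convenience wrapper so a config snippet held in a string can be audited.
audit_string() {
    printf '%s\n' "$1" | audit_sslprotocol
}

# Constructed samples (not real site files). The first mirrors what the GUI
# writes into the vhost file; the second is the hardened form.
SAMPLE_WEAK='<VirtualHost *:443>
SSLEngine on
SSLProtocol +ALL -SSLv2 -SSLv3
</VirtualHost>'

SAMPLE_STRONG='<VirtualHost *:443>
SSLEngine on
SSLProtocol +ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>'

# Allow-list style that never mentions TLSv1 at all; equally acceptable.
SAMPLE_ALLOWLIST='SSLProtocol TLSv1.2 TLSv1.3'

# With file arguments, audit each (e.g. /etc/httpd/conf/vhosts/site*);
# without any, run the demo on the constructed samples.
if [ $# -gt 0 ]; then
    for f in "$@"; do
        echo "== $f"
        audit_sslprotocol < "$f" || echo "   !! $f still allows TLSv1 or TLSv1.1"
    done
else
    echo "== weak sample";     audit_string "$SAMPLE_WEAK"     || echo "   !! weak"
    echo "== hardened sample"; audit_string "$SAMPLE_STRONG"   && echo "   ok"
fi
```

Run it against the generated vhost files after every Vsite edit (or from cron) and treat a non-zero exit as the signal that the GUI has reverted the protocol list. It inspects configuration only; confirming what the running httpd actually negotiates is a separate step, and a "+ALL" line followed by "-TLSv1 -TLSv1.1" is the form Michael's handler would need to emit for the change to survive a rebuild.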
