Current SSL cipher lists for DirectAdmin servers


Enter Your Query:
Use '%' for wildcards and quotes for "exact phrases"


Top Level » System Level

Current SSL cipher lists for DirectAdmin serversLast Modified: Apr 7, 2017, 3:31 pm
Here is the current SSL cipher list for DirectAdmin servers.
Take note of the Last Modified date, to the top right of the guide.
Included are the paths to edit, and values to use.

1) Apache:

/etc/httpd/conf/extra/httpd-ssl.conf

SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

If you wish to have a more secure list of ciphers, as the cost of blocking some older clients, you can use this guide.


2) Nginx/Proxy

/etc/nginx/nginx-defaults.conf

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;



3) Dovecot: 2.1+

/etc/dovecot/conf/ssl.conf

ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP



4) Exim: 4.80+

/etc/exim.variables.conf

openssl_options = +no_sslv2 +no_sslv3
tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

See this guide on how to change the exim.variables.conf settings via the exim.variables.conf.custom file.


5) DirectAdmin: current binaries only allow TLSv1.2

/usr/local/directadmin/conf/directadmin.conf

ssl_cipher=HIGH:!aNULL:!MD5


Binaries older than October 16, 2014 use this:

ssl_cipher=ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP


If you're using an OS that doesn't support TLSv1.2 (aka: CentOS 5), then you'd have no choice but to get the newer pre-release binaries, or wait for 1.46.3.


6) Pure-FTPd:

/etc/init.d/pure-ftpd
/usr/libexec/pureftpd_startscript

OPTIONS="${OPTIONS} -Y 1 -J -S:HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3"



7) ProFTPd:

/etc/proftpd.conf

TLSProtocol TLSv1
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3



Once all services are set, restart all services.

Related thread:
http://forum.directadmin.com/showthread.php?t=50099

Handy cipher generator



 
Related Helpfiles
How to check your SSL ciphers to make sure they don't accept SSLv3
I want to use different ciphers with Apache, using CustomBuild 2.0

2003 JBMC Software, Suite 173  3-11 Bellerose Drive, St Albert, AB  T8N 1P7  Canada.  Mon-Fri 9AM-5PM MST