I want to use different ciphers with Apache, using CustomBuild 2.0



Last Modified: Apr 12, 2016, 4:24 pm
With the ever-evolving needs for security, good encryption cipher lists can change regularly. Also, the needs of those connecting to a given server may differ from box to box, e.g.:
  • some servers require the maximum standards of security
  • some clients have old browsers which cannot use modern ciphers
  • some API scripts cannot use modern ciphers
and so on, so each case might be different.

To use different ciphers with Apache 2.x and CustomBuild 2.0, you can use the "custom" folder method to manage your own cipher lists and SSL rules.

Run the following:

cd /usr/local/directadmin/custombuild
mkdir -p custom/ap2/conf/extra
cp configure/ap2/conf/extra/httpd-ssl.conf custom/ap2/conf/extra/httpd-ssl.conf

which then lets you edit:

/usr/local/directadmin/custombuild/custom/ap2/conf/extra/httpd-ssl.conf

for changes such as:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

SSLHonorCipherOrder On

SSLCompression off

for example, if you wanted a more secure list of ciphers.
Note: the SSLCipherSuite list is all one long line.

This tool is very useful to get a good list for your scenario:
https://mozilla.github.io/server-side-tls/ssl-config-generator/

Once you've created the custom httpd-ssl.conf as desired, you can then install it with:

cd /usr/local/directadmin/custombuild
./build rewrite_confs
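
Before running rewrite_confs, the custom file can be checked against the directives shown above, including the one-long-line requirement for SSLCipherSuite. This is an added example, not part of DirectAdmin or CustomBuild; the function name check_ssl_conf and the sample config are constructed for illustration, and the protocol check assumes the "all -X" form used on this page.

```shell
#!/bin/sh
# Added example (not DirectAdmin code): lint a custom httpd-ssl.conf against
# the directives shown on this page. Returns non-zero if problems were found.
check_ssl_conf() {
    awk '
    function bad(msg) { print "PROBLEM: " msg; n++ }
    /^[ \t]*#/ || NF == 0 { next }                 # comments, blank lines
    { d = tolower($1) }
    d == "sslprotocol" {                           # expects the "all -X" form
        seen_proto = 1; line = " "
        for (i = 2; i <= NF; i++) line = line $i " "
        k = split("SSLv2 SSLv3 TLSv1 TLSv1.1", p, " ")
        for (i = 1; i <= k; i++)
            if (!index(line, " -" p[i] " ")) bad("SSLProtocol lacks -" p[i])
    }
    d == "sslciphersuite" {
        seen_suite = 1; v = $NF
        if (v ~ /:$/) bad("SSLCipherSuite ends with \":\" (list wrapped?)")
        k = split(v, t, ":")
        for (i = 1; i <= k; i++)                   # enabled tokens only
            if (t[i] !~ /^[!-]/ && t[i] ~ /NULL|EXP|RC4|DES|MD5|PSK/)
                bad("weak cipher enabled: " t[i])
        k = split("aNULL eNULL EXPORT DES RC4 3DES MD5 PSK", x, " ")
        for (i = 1; i <= k; i++)
            if (!index(":" v ":", ":!" x[i] ":")) bad("missing exclusion !" x[i])
    }
    d == "sslhonorcipherorder" { honor = (tolower($2) == "on") }
    d == "sslcompression"      { nocomp = (tolower($2) == "off") }
    $1 ~ /^[!A-Za-z0-9+-]+:/   { bad("line " NR " looks like a wrapped cipher list") }
    END {
        if (!seen_proto) bad("no SSLProtocol directive")
        if (!seen_suite) bad("no SSLCipherSuite directive")
        if (!honor)  bad("SSLHonorCipherOrder is not On")
        if (!nocomp) bad("SSLCompression is not off")
        exit (n > 0)
    }' "$1"
}

# Constructed sample: TLSv1.1 left on, cipher list wrapped by an editor.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:
!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder On
EOF
check_ssl_conf "$sample" || echo "fix the above before ./build rewrite_confs"
rm -f "$sample"
```

To check the real file, pass /usr/local/directadmin/custombuild/custom/ap2/conf/extra/httpd-ssl.conf as the argument.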
