Due to a recent upgrade the SSLProtocol option has been forced to -SSLv3 -TLSv1 -TLSv1.1 for all the SSL domains (virtualservers). This is bad for compatibility.
TLSv1.2, the only protocol allowed here, is not accepted by all clients. All the ~5-year-old systems support only up to TLSv1.1 and some only TLSv1 (smartphones, etc.). So accepting only TLSv1.2 is very ambitious. A good list of browser support for TLSv1.2: https://www.ssllabs.com/ssltest/clients.html
It seems there is actually no way to change this setting globally.
The good way would be to have a global setting to enable the protocols we want, and to use this global setting as the default in the virtualserver, without removing the possibility to change the protocols used by each virtualserver.
I can't find a way to set it through the API, which could be a workaround. Did I miss something?
Thanks
Comments
Submitted by andreychek on Tue, 04/18/2017 - 08:26 Comment #2
Howdy -- yeah there are security issues with TLS1.1, unfortunately.
If you look in System Settings -> Server Templates -> Default -> Apache Website, what is "Apache SSL protocols to allow" set to?
Submitted by xorax on Wed, 05/10/2017 - 03:42 Comment #3
The option "Apache SSL protocols to allow" was set to the default "Disallow all unsafe protocols".
I was successfully able to set it to: TLSv1 TLSv1.1 TLSv1.2
Then I created a virtualserver, and fortunately, the allowed protocols are now TLSv1 TLSv1.1 TLSv1.2 (SSLProtocol TLSv1 TLSv1.1 TLSv1.2)
Thanks a lot!
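An added example, not part of the thread and not Virtualmin's own code: after changing the server template, this audit lists every `SSLProtocol` directive per virtualserver and shows which of the legacy protocols named in the thread (SSLv3, TLSv1, TLSv1.1) each one asks for. It is a conservative token walk rather than mod_ssl's own evaluation, and the sample configuration, hostnames and function names are constructed for illustration.

```python
import re

# Protocols the forced setting in the thread removes; flagged here for review.
LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")
CANON = {p.lower(): p for p in LEGACY + ("TLSv1.2", "TLSv1.3")}
VHOST_OPEN = re.compile(r"<VirtualHost\b", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost\s*>", re.I)

SAMPLE_CONF = """\
# constructed sample, not taken from the thread
SSLProtocol all -SSLv3
<VirtualHost 192.0.2.10:443>
    SSLProtocol TLSv1 TLSv1.1 TLSv1.2
    ServerName legacy.example.com
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName strict.example.com
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
"""

def legacy_requested(tokens):
    """Legacy protocols named by the arguments: bare/'+' adds, '-' removes, 'all' is every one."""
    wanted = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(CANON.values()) if name.lower() == "all" else {CANON.get(name.lower(), name)}
        wanted = wanted - names if sign == "-" else wanted | names
    return [p for p in LEGACY if p in wanted]

def audit_sslprotocol(conf_text):
    """Return (scope, directive arguments, legacy protocols) for each SSLProtocol line."""
    findings, scope = [], ["(global)"]
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if VHOST_OPEN.match(line):
            scope = [line]              # replaced by ServerName if the block has one
        elif VHOST_CLOSE.match(line):
            scope = ["(global)"]
        else:
            key, *args = line.split()
            if key.lower() == "servername" and args and scope[0] != "(global)":
                scope[0] = args[0]      # ServerName may follow SSLProtocol in the block
            elif key.lower() == "sslprotocol":
                findings.append((scope, args))
    return [(s[0], " ".join(a), legacy_requested(a)) for s, a in findings]
```

Run `audit_sslprotocol()` over the text of each generated Apache configuration file; any row with a non-empty third element is a virtualserver whose protocol list deserves a second look.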
Submitted by xorax on Wed, 05/10/2017 - 03:43 Comment #4