# Cipher Management for SSL/TLS (HTTPD, FTPS)

##### last updated March 15, 2024

Customers using their own wildcard certificates, as opposed to certificates provided and managed by Let's Encrypt, may need to update the set of ciphers used for encrypted traffic.

## Apache HTTPD

Working as root, edit the file:

`/etc/httpd/conf.d/ssl.conf`

At the beginning of the file there is a section which lists the protocols and the ciphers. The values we recommend are below:

```
# SSL Protocol support:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder Off

# SSL Cipher Suite:
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
```

To restart Apache HTTPD, as root run:

```
systemctl restart httpd
```

## Cloud FTPS

The supported SSL ciphers can be updated in the file:

`/var/www/smestorage/containers/cloudftp/configs/ftpserver.conf`

Check the following settings:

```
# The SSL version.
# List of all supported values:
#   ALL
#   SSLv3
#   SSLv3+TLSv1.0+TLSv1.1+TLSv1.2
#   TLSv1.0
#   TLSv1.0+TLSv1.1+TLSv1.2
#   TLSv1.1+TLSv1.2
#
# 'ALL' means allow all supported protocols.
#
# Example:
# ssl_version=TLSv1.0+TLSv1.1+TLSv1.2
ssl_version=TLSv1.1+TLSv1.2

# Set the ciphers list for the SSL/TLS connections
# See the OpenSSL documentation ( http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS ) for more details.
# The command `openssl ciphers` return list of all supported ciphers
#
# Examples:
# ssl_cipher_list=ALL:!LOW:!EXP:!aNULL
# ssl_cipher_list=ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2
# ssl_cipher_list=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
#
# The default value:
# ssl_cipher_list=ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4:!3DES
ssl_cipher_list=ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4:!3DES
```

To restart the FTPS (and FTP) services, run:

```
cd /var/www/smestorage/containers/cloudftp
docker-compose restart
```
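The two files use different syntax for the same decisions, and they are easy to leave out of step: the Apache `SSLProtocol` line above disables TLSv1.1, while the `ssl_version` line in ftpserver.conf still permits it. The following checker is an added example, not code from this article or the product; it expands both files' protocol settings, reports legacy protocols still enabled, and checks either a keyword-style (`ALL:!...`) or an explicit cipher list. Names such as `LEGACY_PROTOCOLS` and `audit()` are the example's own.

```python
import re

# Protocols the recommended SSLProtocol line disables; ftpserver.conf spells TLSv1 as TLSv1.0.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
# Exclusions the page's default ssl_cipher_list applies when starting from ALL.
REQUIRED_EXCLUSIONS = {"!EXPORT", "!LOW", "!aNULL", "!eNULL", "!SSLv2", "!RC4", "!3DES"}

def apache_protocols(value):
    """Expand an Apache SSLProtocol value such as 'all -SSLv3 -TLSv1 -TLSv1.1'."""
    enabled = set()
    for token in value.split():
        if token.lower() == "all":
            enabled |= {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled

def ftps_protocols(value):
    """Expand an ftpserver.conf ssl_version value such as 'TLSv1.1+TLSv1.2' or 'ALL'."""
    if value.upper() == "ALL":
        return {"SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"}
    return set(value.split("+"))

def cipher_findings(cipher_list):
    """Keyword lists must carry every required exclusion; explicit suites must be
    forward-secret (ECDHE/DHE) and AEAD (GCM or CHACHA20-POLY1305)."""
    entries = [("!EXPORT" if e == "!EXP" else e) for e in cipher_list.split(":")]  # !EXP is an alias
    if any(e.upper() in ("ALL", "DEFAULT", "HIGH") for e in entries):
        return REQUIRED_EXCLUSIONS - set(entries)
    return {s for s in entries
            if not s.startswith(("ECDHE-", "DHE-")) or not ("-GCM-" in s or "CHACHA20" in s)}

DIRECTIVES = [  # (anchored regex, expander returning a set of findings, result key)
    (r"SSLProtocol\s+(.+)", lambda v: apache_protocols(v) & LEGACY_PROTOCOLS, "legacy_protocols"),
    (r"ssl_version\s*=\s*(\S+)", lambda v: ftps_protocols(v) & LEGACY_PROTOCOLS, "legacy_protocols"),
    (r"SSLCipherSuite\s+(\S+)", cipher_findings, "ciphers"),
    (r"ssl_cipher_list\s*=\s*(\S+)", cipher_findings, "ciphers"),
]

def audit(conf_text):
    """Audit an ssl.conf or ftpserver.conf fragment; '#' comment lines never match."""
    findings = {"legacy_protocols": set(), "ciphers": set()}
    for line in conf_text.splitlines():
        for pattern, expand, key in DIRECTIVES:
            m = re.match(pattern, line.strip())
            if m:
                findings[key] |= expand(m.group(1).strip())
    return findings
```

Run `audit()` over the text of each file after editing; the ftpserver.conf values shown above report `TLSv1.1` as a remaining legacy protocol, and the `ECDHE-RSA-AES256-SHA384` suite from the file's examples is flagged because it is a CBC (non-AEAD) suite.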