Cipher Management for SSL/TLS (HTTPD, FTPS)

Customers using their own wildcard certificates as opposed to certificates provided and managed by Let's Encrypt may need to update the set of ciphers used for encrypted traffic.

Working as root you will edit the file:

/etc/httpd/conf.d/ssl.conf

In the beginning of the file there is a section which lists the protocols and the ciphers. The values we recommend are below:

#   SSL Protocol support:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder Off

#   SSL Cipher Suite:
SSLCipherSuite  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

To restart Apache HTTPD, as root run:

systemctl restart httpd

Supported SSL Ciphers can be updated in the file:

/var/www/smestorage/containers/cloudftp/configs/ftpserver.conf

Check the following settings:

# The SSL version.
# List of all supported values:
#   ALL
#   SSLv3
#   SSLv3+TLSv1.0+TLSv1.1+TLSv1.2
#   TLSv1.0
#   TLSv1.0+TLSv1.1+TLSv1.2
#   TLSv1.1+TLSv1.2
#
# 'ALL' means allow all supported protocols.
# 
# Example:
# ssl_version=TLSv1.0+TLSv1.1+TLSv1.2
ssl_version=TLSv1.1+TLSv1.2
    
# Set the ciphers list for the SSL/TLS connections
# See the OpenSSL documentation ( http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS ) for more details.
# The command `openssl ciphers` return list of all supported ciphers
#
# Examples:
#     ssl_cipher_list=ALL:!LOW:!EXP:!aNULL
#     ssl_cipher_list=ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2
#     ssl_cipher_list=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
#
# The default value:
# ssl_cipher_list=ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4:!3DES
ssl_cipher_list=ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4:!3DES

To restart the FTPS (and FTP) services, run:

cd /var/www/smestorage/containers/cloudftp
docker-compose restart