Cipher Management for SSL/TLS (HTTPD, FTPS)
last updated March 15, 2024
Customers using their own wildcard certificates as opposed to certificates provided and managed by Let's Encrypt may need to update the set of ciphers used for encrypted traffic.
Apache HTTPD
Working as root, edit the file:
/etc/httpd/conf.d/ssl.conf
At the beginning of the file there is a section that lists the protocols and the ciphers. The values we recommend are:

# SSL Protocol support:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder Off

# SSL Cipher Suite:
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
To restart Apache HTTPD, as root run:
systemctl restart httpd
Cloud FTPS
The supported SSL/TLS protocol versions and ciphers can be updated in the file:
/var/www/smestorage/containers/cloudftp/configs/ftpserver.conf
Check the following settings:
# The SSL version.
# List of all supported values:
# ALL
# SSLv3
# SSLv3+TLSv1.0+TLSv1.1+TLSv1.2
# TLSv1.0
# TLSv1.0+TLSv1.1+TLSv1.2
# TLSv1.1+TLSv1.2
#
# 'ALL' means allow all supported protocols.
#
# Example:
# ssl_version=TLSv1.0+TLSv1.1+TLSv1.2
ssl_version=TLSv1.1+TLSv1.2

# Set the ciphers list for the SSL/TLS connections
# See the OpenSSL documentation ( http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS ) for more details.
# The command `openssl ciphers` returns a list of all supported ciphers
#
# Examples:
# ssl_cipher_list=ALL:!LOW:!EXP:!aNULL
# ssl_cipher_list=ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2
# ssl_cipher_list=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
#
# The default value:
# ssl_cipher_list=ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4:!3DES
ssl_cipher_list=ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4:!3DES
To restart the FTPS (and FTP) services, run:

cd /var/www/smestorage/containers/cloudftp
docker-compose restart
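The two files above express the same policy in different ways: ssl.conf lists explicit suite names, while ftpserver.conf uses an OpenSSL cipher pattern (ALL:!EXPORT:...) whose real meaning depends on the OpenSSL build that evaluates it. The following script is an added example, not part of this page or of the product's own tooling. It audits both formats before you restart the services: it resolves SSLProtocol / ssl_version into the set of negotiable protocol versions, checks an explicit suite list by name for forward secrecy and legacy algorithms, and expands a pattern-style list through the local OpenSSL via Python's standard ssl module. The configuration text is constructed inline from the values on this page; all function names and the WEAK_MARKERS heuristic are this example's own.

```python
"""Audit TLS protocol and cipher settings in the ssl.conf and ftpserver.conf formats.
Added example (not the product's own code); the config text below is constructed from the page."""
import ssl

# Constructed sample of the relevant lines from /etc/httpd/conf.d/ssl.conf (recommended values)
APACHE_SSL_CONF = """\
# SSL Protocol support:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder Off
# SSL Cipher Suite:
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
"""

# Constructed sample of the relevant lines from ftpserver.conf (its default values)
FTPSERVER_CONF = """\
# The SSL version.
ssl_version=TLSv1.1+TLSv1.2
# Set the ciphers list for the SSL/TLS connections
ssl_cipher_list=ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4:!3DES
"""

# What Apache's "all" keyword covers on a current OpenSSL (SSLv2 is never available)
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Versions that should no longer be negotiable; both spellings because the two files differ
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
# Substrings of OpenSSL suite names that identify broken or deprecated algorithms (heuristic)
WEAK_MARKERS = ("RC4", "3DES", "DES-", "MD5", "NULL", "EXP", "RC2")


def parse_apache_directives(text):
    """Return {directive: value} for the non-comment lines of an Apache config fragment."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    return directives


def parse_key_value(text):
    """Return {key: value} for the 'key=value' lines of ftpserver.conf, skipping comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def apache_enabled_protocols(value):
    """Resolve an SSLProtocol value such as 'all -SSLv3 -TLSv1 -TLSv1.1' into the enabled set."""
    enabled = set()
    for token in value.split():
        if token.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def ftps_enabled_protocols(value):
    """Resolve an ssl_version value ('ALL' or e.g. 'TLSv1.1+TLSv1.2') into the enabled set."""
    return set(ALL_PROTOCOLS) if value.upper() == "ALL" else set(value.split("+"))


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL; [] if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # get_ciphers() always lists the TLS 1.3 suites, which a cipher string does not control
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def resolve_suites(cipher_string):
    """Explicit suite names are returned as given; a list using OpenSSL keywords (ALL, HIGH,
    !RC4, @SECLEVEL, ...) is expanded by the local OpenSSL, since only it knows what it matches.
    Suite names always contain '-', keywords do not (heuristic)."""
    tokens = [t for t in cipher_string.split(":") if t]
    if tokens and all(t[0] not in "!-+@" and "-" in t for t in tokens):
        return tokens
    return expand_cipher_string(cipher_string)


def weak_suites(names):
    """Suite names that use a broken or deprecated algorithm."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def no_forward_secrecy(names):
    """Suite names whose key exchange is not ephemeral (static RSA or static ECDH)."""
    return [n for n in names if not n.startswith(("ECDHE-", "DHE-"))]


def audit_apache(text):
    """Findings (strings) for an ssl.conf fragment; [] means it matches the recommendations."""
    d = parse_apache_directives(text)
    legacy = apache_enabled_protocols(d.get("SSLProtocol", "all")) & LEGACY_PROTOCOLS
    findings = [f"legacy protocol enabled: {p}" for p in sorted(legacy)]
    suites = resolve_suites(d.get("SSLCipherSuite", "DEFAULT"))
    findings += [f"weak suite: {s}" for s in weak_suites(suites)]
    findings += [f"no forward secrecy: {s}" for s in no_forward_secrecy(suites)]
    return findings


def audit_ftps(text):
    """Findings (strings) for a ftpserver.conf fragment."""
    s = parse_key_value(text)
    legacy = ftps_enabled_protocols(s.get("ssl_version", "ALL")) & LEGACY_PROTOCOLS
    findings = [f"legacy protocol enabled: {p}" for p in sorted(legacy)]
    suites = resolve_suites(s.get("ssl_cipher_list", "ALL"))
    if not suites:
        findings.append("ssl_cipher_list matches no suite in the local OpenSSL")
    findings += [f"weak suite: {n}" for n in weak_suites(suites)]
    return findings


if __name__ == "__main__":
    for label, findings in (("ssl.conf", audit_apache(APACHE_SSL_CONF)),
                            ("ftpserver.conf", audit_ftps(FTPSERVER_CONF))):
        print(label, "->", findings or "no findings")
```

Run as-is, the script reports nothing for the ssl.conf sample and one finding for ftpserver.conf: ssl_version=TLSv1.1+TLSv1.2 still permits TLS 1.1, which the Apache section disables, and the supported-values list in ftpserver.conf offers no TLS 1.2-only setting, so that difference between the two services is something to be aware of. The FTPS cipher check deliberately goes through OpenSSL: a pattern such as ALL:!RC4:!3DES excludes only what the local OpenSSL build knows by those names, so the expanded list (also visible with `openssl ciphers -v '<pattern>'`) is what should be reviewed rather than the pattern itself.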