Cipher Management for SSL/TLS (HTTPD, FTPS)

last updated March 15, 2024

Customers using their own wildcard certificates as opposed to certificates provided and managed by Let's Encrypt may need to update the set of ciphers used for encrypted traffic.

Apache HTTPD

Working as root, edit the file:

/etc/httpd/conf.d/ssl.conf

At the beginning of the file there is a section that lists the protocols and the ciphers. The values we recommend are below:

#   SSL Protocol support:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder Off

#   SSL Cipher Suite:
SSLCipherSuite  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

To restart Apache HTTPD, as root run:

systemctl restart httpd

Cloud FTPS

Supported SSL ciphers can be updated in the file:

/var/www/smestorage/containers/cloudftp/configs/ftpserver.conf

Check the following settings:

# The SSL version.
# List of all supported values:
#   ALL
#   SSLv3
#   SSLv3+TLSv1.0+TLSv1.1+TLSv1.2
#   TLSv1.0
#   TLSv1.0+TLSv1.1+TLSv1.2
#   TLSv1.1+TLSv1.2
#
# 'ALL' means allow all supported protocols.
# 
# Example:
# ssl_version=TLSv1.0+TLSv1.1+TLSv1.2
ssl_version=TLSv1.1+TLSv1.2
# Set the ciphers list for the SSL/TLS connections
# See the OpenSSL documentation ( http://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS ) for more details.
# The command `openssl ciphers` returns a list of all supported ciphers
#
# Examples:
#     ssl_cipher_list=ALL:!LOW:!EXP:!aNULL
#     ssl_cipher_list=ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2
#     ssl_cipher_list=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
#
# The default value:
# ssl_cipher_list=ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4:!3DES
ssl_cipher_list=ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4:!3DES

To restart the FTPS (and FTP) services, run:

cd /var/www/smestorage/containers/cloudftp
docker-compose restart
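Before restarting either service it helps to see which suites a cipher string actually selects. The following Python example is added here and is not part of this article or of the products it describes: it expands the recommended HTTPD SSLCipherSuite and the FTPS default ssl_cipher_list quoted above through the OpenSSL linked into Python's ssl module, and flags any selected suite that lacks forward secrecy or AEAD, or uses a key shorter than 128 bits.

```python
import ssl

# Cipher strings quoted from the article: the recommended HTTPD SSLCipherSuite
# and the FTPS container's default ssl_cipher_list.
HTTPD_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)
FTPS_DEFAULT = "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2:!RC4:!3DES"


def expand(cipher_string):
    """Expand an OpenSSL cipher string into the TLS 1.2-and-below suites it
    selects, in preference order, using the OpenSSL linked into Python's ssl
    module.  Raises ssl.SSLError if nothing matches.  OpenSSL reports its
    TLS 1.3 suites regardless of the string, so they are filtered out here
    (they are all AEAD with forward secrecy anyway)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string):
    """Map each selected suite that a hardening review would question to its
    reasons: static (RSA/PSK) key exchange gives no forward secrecy, a
    non-AEAD suite means CBC plus HMAC, and a key below 128 bits is weak."""
    flagged = {}
    for c in expand(cipher_string):
        reasons = []
        # kea looks like 'kx-ecdhe', 'kx-dhe' or 'kx-rsa'
        if "dhe" not in (c["kea"] or ""):
            reasons.append("no forward secrecy")
        if not c["aead"]:
            reasons.append("not AEAD")
        if c["strength_bits"] < 128:
            reasons.append("weak cipher")
        if reasons:
            flagged[c["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for label, cs in (("httpd", HTTPD_CIPHERS), ("ftps default", FTPS_DEFAULT)):
        suites = expand(cs)
        print(f"{label}: {len(suites)} suites selected, {len(audit(cs))} flagged")
        for name, why in audit(cs).items():
            print(f"  {name}: {', '.join(why)}")
```

The FTPS default starts from ALL, so it still selects static-RSA and CBC suites that the httpd list excludes; run the script with the Python on the server itself, since the result depends on the OpenSSL version and security level it is linked against.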