SSLCipherSuite settings not taking effect from Apache ssl.conf, only when duplicated in each virtual host

@Alves908

Posted in: #Apache #Https #Virtualhost

I have an odd issue. The SSLProtocol config is getting applied in my ssl.conf file but the SSLCipherSuite config is not. I have tested this by changing each option and running a scan with Qualys SSL Labs.

After several hours of banging my head against the wall, I decided to try putting the SSLCipherSuite directly in one of my vHosts and instantly got an A+ rating.
So, I have the same ciphers in the ssl.conf and inside one of my vHosts in httpd.conf. When running a scan against the vHost with the SSLCipherSuite, I get an A+; when I run the scan against one of my other vHosts (hoping the global ssl.conf will apply), I get a B.

I have 17 vHosts and I would prefer to figure this out with the global <VirtualHost _default_:443> so I don't have to add this to every vHost individually.

- UPDATE 6/14 -

I am using Apache + Centos 6.5.

I have checked my httpd.conf and it does have Include conf.d/*.conf enabled by default, which is the location of the ssl.conf file (./conf.d/ssl.conf).

With my version of Apache + CentOS there are no 'available' and 'enabled' directories, only a single conf.d directory where all .conf files reside.

I have checked the enabled vHosts with the command below, and it does show that my ssl.conf is loaded and the default vhost defined in that file is enabled.

# httpd -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443 is a NameVirtualHost
default server localhost (/etc/httpd/conf.d/ssl.conf:75)
port 443 namevhost localhost (/etc/httpd/conf.d/ssl.conf:75)
port 443 namevhost {mydomain}.com (/etc/httpd/conf/httpd.conf:1023)
port 443 namevhost .......
.......
.......(x60)


I have also performed a graceful reload

# apachectl configtest && apachectl -k graceful
Syntax OK
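The httpd -S output above shows the default vhost being defined at ssl.conf:75, i.e. the SSL directives in that file sit inside a <VirtualHost _default_:443> block. That matters because of Apache's context rules: a mod_ssl directive placed inside a <VirtualHost> applies to that virtual host only, whereas a directive placed at server level (outside every <VirtualHost>) is inherited by any vhost that does not override it. The protocol version is negotiated against the default vhost for the address/port before SNI selects the named vhost, which is why an SSLProtocol line in the default vhost appears to act globally while an SSLCipherSuite line in the same block does not. The script below is an added example, not code from the original post or from Apache: it resolves the effective SSLCipherSuite per ServerName under those rules for two constructed configs (the CentOS-style layout with the directive inside the default vhost, and the same vhosts with the directive hoisted to server level). Hostnames, IP and cipher strings are placeholders, and only the one-argument SSLCipherSuite form is handled.

```shell
#!/bin/sh
# Added example (not from the original post): resolve which SSLCipherSuite a
# given name-based vhost actually gets, following Apache's context rules:
# a mod_ssl directive inside <VirtualHost> applies to that vhost only, while a
# directive at server level (outside every <VirtualHost>) is inherited by any
# vhost that does not set its own. Assumes the one-argument SSLCipherSuite form.

# Constructed config modelled on the stock CentOS ssl.conf: SSLProtocol and
# SSLCipherSuite live INSIDE <VirtualHost _default_:443>, plus two vhosts as
# they might appear in httpd.conf (hostnames are placeholders).
BROKEN_CONF='
Listen 443
<VirtualHost _default_:443>
    ServerName localhost
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
</VirtualHost>
<VirtualHost *:443>
    ServerName a.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example.com
    SSLEngine on
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384
</VirtualHost>
'

# Same vhosts, but SSLCipherSuite hoisted to server level so every vhost
# inherits it; b.example.com keeps an explicit override to show precedence.
FIXED_CONF='
Listen 443
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM
<VirtualHost _default_:443>
    ServerName localhost
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
<VirtualHost *:443>
    ServerName a.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example.com
    SSLEngine on
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384
</VirtualHost>
'

# effective_cipher_suite CONFIG_TEXT SERVERNAME
# Prints the cipher string the named vhost ends up with and where it came from.
effective_cipher_suite() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[[:space:]]*<VirtualHost/    { invh = 1; name = ""; vhval = ""; next }
        /^[[:space:]]*<\/VirtualHost>/ {
            if (name != "") { seen[name] = 1; vh[name] = vhval }
            invh = 0; next
        }
        /^[[:space:]]*ServerName[[:space:]]/     { if (invh) name = $2; next }
        /^[[:space:]]*SSLCipherSuite[[:space:]]/ { if (invh) vhval = $2; else srvval = $2; next }
        END {
            if (!(want in seen))      print "(no such vhost)"
            else if (vh[want] != "")  print vh[want] " (set in this vhost)"
            else if (srvval != "")    print srvval " (inherited from server level)"
            else                      print "(none set: mod_ssl default applies)"
        }
    '
}

# Walk every ServerName in a config and print a one-line report per vhost.
report() {
    for host in $(printf '%s\n' "$1" | awk '/^[[:space:]]*ServerName[[:space:]]/ { print $2 }'); do
        printf '%-16s %s\n' "$host" "$(effective_cipher_suite "$1" "$host")"
    done
}

echo "== SSLCipherSuite only inside the _default_ vhost =="
report "$BROKEN_CONF"
echo "== SSLCipherSuite at server level =="
report "$FIXED_CONF"

# To confirm against a live server, query each vhost by SNI name (placeholder IP):
#   openssl s_client -connect 203.0.113.10:443 -servername a.example.com </dev/null 2>/dev/null | grep -E '^(Protocol|Cipher)'
```

In the first config only localhost and b.example.com get a cipher string; a.example.com falls through to the mod_ssl default, which matches the A+ versus B split in the question. In the second, a.example.com inherits the server-level string and b.example.com keeps its own override, so a single line in ssl.conf outside the vhost block covers all 17 vhosts without per-vhost duplication.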




1 Comment


@Shakeerah822

You are definitely taking the correct approach, so let's test a couple of things. I will assume current stable Apache + Ubuntu 16.04 for your server since that's very common, but adjust the commands / paths for your environment if different. You might have tried these already, but it's usually something simple.

First, check that your main Apache config file at /etc/apache2/apache2.conf contains IncludeOptional conf-enabled/*.conf (near the bottom, should be present and un-commented by default).

Next, check that the config you wish to use is enabled. The fact that it exists is not good enough, it must also be enabled. Use the command a2enconf ssl if the configuration file you want to use is named ssl.conf and is present in /etc/apache2/conf-available/. If it's not there, or if you prefer to create a custom version, create a new file and enable it by name (e.g. nano /etc/apache2/conf-available/custom-ssl.conf && a2enconf custom-ssl)

Lastly, do a quick configtest and then a 'graceful' restart before you re-test with the third-party service (SSL Labs probably?). The graceful restart will wait until there are no active users and then restart, instead of terminating while people are still browsing your site(s).

apachectl configtest && apachectl -k graceful
