
Current SSL cipher lists for DirectAdmin servers

Here is the current SSL cipher list for DirectAdmin servers.
Take note of the Last Modified date, to the top right of the guide.
Included are the paths to edit, and values to use.

1) Apache:

/etc/httpd/conf/extra/httpd-ssl.conf

SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off

If you wish to have a more secure list of ciphers, at the cost of blocking some older clients, you can use this guide.


2) Nginx/Proxy

/etc/nginx/nginx-defaults.conf

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;



3) Dovecot: 2.3

/etc/dovecot/conf/ssl.conf

ssl_min_protocol = TLSv1.1
ssl_cipher_list = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Changing your SSL/TLS/cipher lists in dovecot

4) Exim: 4.91

/etc/exim.variables.conf

openssl_options=+no_sslv2 +no_sslv3
tls_require_ciphers=ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

See this guide on how to change the exim.variables.conf settings via the exim.variables.conf.custom file.


5) DirectAdmin: current binaries only allow TLSv1.2

/usr/local/directadmin/conf/directadmin.conf

ssl_cipher=HIGH:!aNULL:!MD5


Binaries older than October 16, 2014 use this:

ssl_cipher=ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-SSLv3:-EXP


If you're using an OS that doesn't support TLSv1.2 (aka: CentOS 5), then you'd have no choice but to get the newer pre-release binaries, or wait for 1.46.3.


6) Pure-FTPd:

/etc/init.d/pure-ftpd
/usr/libexec/pureftpd_startscript

OPTIONS="${OPTIONS} -Y 1 -J -S:HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3"



7) ProFTPd:

/etc/proftpd.conf

TLSProtocol TLSv1
TLSCipherSuite HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3



Once all services are set, restart all services.

Related thread:
http://forum.directadmin.com/showthread.php?t=50099

Handy cipher generator
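To check any of the strings above for legacy suites before deploying them, here is an added Python audit script (an example of mine, not part of the DirectAdmin guide or its tooling). It walks an OpenSSL cipher string using the `!`, `-` and `+` operator rules and reports which legacy groups are still enabled; the keyword table is my own assumption, and only groups named in the string (plus ALL) are tracked, so confirm the exact suites with `openssl ciphers -v '<string>'` on the server.

```python
import re

# Legacy groups to watch for, keyed by a label and the OpenSSL keywords that name them.
# This keyword table is my own audit list, not something taken from the DirectAdmin guide.
LEGACY = {
    "RC4": ("RC4",),
    "3DES": ("3DES", "DES-CBC3"),
    "MD5 MAC": ("MD5",),
    "export grade": ("EXP", "EXPORT"),
    "LOW strength": ("LOW",),
    "MEDIUM strength": ("MEDIUM",),
    "SSLv3-era suites": ("SSLv3",),
    "CBC with SHA-1": ("SHA", "SHA1"),
    "anonymous DH": ("ADH",),
    "anonymous ECDH": ("AECDH",),
}
# Keywords that stand for several groups at once: aNULL = ADH + AECDH, ALL = everything.
EXPANDS = {"aNULL": {"anonymous DH", "anonymous ECDH"}, "ALL": set(LEGACY)}


def groups_named(part: str) -> set:
    """Return the legacy groups one cipher-string element refers to (whole alias or suite component)."""
    found = set()
    for label, keywords in LEGACY.items():
        if any(re.search(rf"(^|-){re.escape(kw)}(-|$)", part) for kw in keywords):
            found.add(label)
    return found


def audit_cipher_string(cipher_string: str) -> list:
    """Walk an OpenSSL cipher string left to right and list the legacy groups left enabled.

    No prefix or '+' keeps/adds a group, '-' removes it (a later element may add it back),
    '!' removes it for the rest of the string; 'A+B' (as in RC4+RSA) means suites matching both.
    """
    enabled, banned = set(), set()
    for element in cipher_string.split(":"):
        op = element[:1] if element[:1] in ("!", "-", "+") else ""
        name = element[len(op):]
        if name.startswith("@"):  # @STRENGTH / @SECLEVEL only reorder or set a floor
            continue
        groups = set()
        for part in name.split("+"):
            groups |= EXPANDS.get(part, set()) | groups_named(part)
        if op == "!":
            banned |= groups
            enabled -= groups
        elif op == "-":
            enabled -= groups
        else:
            enabled |= groups - banned
    return sorted(enabled)


if __name__ == "__main__":  # the Dovecot and Pure-FTPd strings from this guide
    print(audit_cipher_string("ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP"))
    print(audit_cipher_string("HIGH:MEDIUM:+TLSv1:!SSLv2:+SSLv3"))
```

Note that `!ADH` in the Dovecot string leaves the ECDH anonymous suites in place, which is why `!aNULL` (as in the DirectAdmin string) is the safer exclusion.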


