Knowledgebase
I want to use different ciphers with Apache, using CustomBuild 2.0
- some servers require the maximum standards of security
- some clients have old browsers which cannot use modern ciphers
- some API scripts cannot use modern ciphers
To use different ciphers with Apache 2.x and CustomBuild 2.0, you can use the "custom" folder method to manage your own cipher lists and ssl rules.
Run the following:
cd /usr/local/directadmin/custombuild
mkdir -p custom/ap2/conf/extra
cp configure/ap2/conf/extra/httpd-ssl.conf custom/ap2/conf/extra/httpd-ssl.conf
/usr/local/directadmin/custombuild/custom/ap2/conf/extra/httpd-ssl.conf
for changes such as:SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLHonorCipherOrder On
SSLCompression off
Note: the SSLCipherSuite list is all one long line.
This tool is very useful to get a good list for your scenario:
https://mozilla.github.io/server-side-tls/ssl-config-generator/
Once you've created the custom httpd-ssl.conf as desired, you can then install it with:
cd /usr/local/directadmin/custombuild
./build rewrite_confs
To disable TLSv1.1 and only allow TLSv1.2 and TLSv1.3 on OpenLiteSpeed:
echo '|?SSLPROTOCOL=24|' >> /usr/local/directadmin/data/templates/custom/openlitespeed_vhost.conf.CUSTOM.pre
/usr/local/directadmin/custombuild/build rewrite_confs