Created on 2015-Jun-22
Updated on 2015-Jun-22
Update SSLCipherSuite
Issue
When you click the certificate info in Chrome, you'll see this message:
"Your connection is encrypted using an obsolete cipher suite."
Solution
vi /etc/httpd/conf/extra/httpd-ssl.conf
Replace SSLCipherSuite with the following:
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS"
Restart Apache.
service httpd restart
Optional: Update ssl_cipher in directadmin.conf
vi /usr/local/directadmin/conf/directadmin.conf
Replace or add:
ssl_cipher=HIGH:!aNULL:!MD5
With:
ssl_cipher=EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW !aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS
Then, when you use CustomBuild, it will use the above settings in /etc/httpd/conf/extra/httpd-ssl.conf.
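An added check, not part of the original page: it expands the cipher string above with the OpenSSL library linked into Python (which may be a different build from the one Apache uses) and reports any suite the "!" rules should have excluded, plus suites admitted by the HIGH fallback that lack forward secrecy. The function names and the name-prefix heuristic are assumptions of this example.

```python
import ssl

# Cipher string copied from the page (Apache SSLCipherSuite / DirectAdmin ssl_cipher).
PAGE_CIPHERS = ("EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
                "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
                "EECDH+AESGCM EECDH EDH+AESGCM EDH+aRSA HIGH !MEDIUM !LOW "
                "!aNULL !eNULL !LOW !RC4 !MD5 !EXP !PSK !SRP !DSS")

# Substrings of OpenSSL suite names that the "!" rules on the page are meant to exclude.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "PSK", "SRP", "DSS")


def expand(cipher_string):
    """Return the suite names the local OpenSSL enables, in server preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Classify the expanded suites (hypothetical helper for this example)."""
    names = expand(cipher_string)
    # TLS 1.3 suites (TLS_*) are not governed by this string, so set them aside.
    tls12 = [n for n in names if not n.startswith("TLS_")]
    weak = [n for n in tls12 if any(m in n for m in WEAK_MARKERS)]
    # Heuristic on OpenSSL naming: suites without an ECDHE-/DHE- prefix use
    # static RSA key exchange, so they offer no forward secrecy.
    no_fs = [n for n in tls12 if not n.startswith(("ECDHE-", "DHE-"))]
    return {"tls12": tls12, "weak": weak, "no_forward_secrecy": no_fs}


if __name__ == "__main__":
    report = audit(PAGE_CIPHERS)
    print(ssl.OPENSSL_VERSION)
    print("most preferred:", report["tls12"][0])
    print("excluded-but-present:", report["weak"] or "none")
    print("no forward secrecy (let in by HIGH):")
    for name in report["no_forward_secrecy"]:
        print("   ", name)
```
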
Update SSL certificate chain resolver
Issue
When you check your certificate at ssllabs.com, you'll see the following:
"Chain issues Incomplete"
Solution
In DirectAdmin, go to your account's SSL Certificates settings and add the following under "Paste a pre-generated certificate and key":
-----BEGIN RSA PRIVATE KEY-----
(YOUR RSA KEY; should be there already)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(YOUR DOMAIN CERTIFICATE; should be there already)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(SSL ISSUER INTERMEDIATE CERTIFICATE; will be included in the same email your domain certificate came with)
-----END CERTIFICATE-----