Softaculous


Topic : Obsolete OpenSSL OpenSSL/1.0.2t used by Webuzo. You need to update it!



Posted By: peopleinside on March 30, 2020, 8:47 pm
OpenSSL 1.0.2 has been out of support since 1st January 2020 and is no longer receiving updates.

https://www.openssl.org/news/vulnerabilities-1.0.2.html
We are in March and there is no OpenSSL update and no support for TLS 1.3. Support for TLS 1.3 was introduced in 2017? https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/
Still not supported in Webuzo.
Hope you can update OpenSSL ASAP. Security is important; I trust in that when I use your panel.
Thank you very much!


-----------------------
PeopleInside  :angel:

Web, security, open source passionate.

Posted By: kulonuwun on October 14, 2020, 7:35 am | Post: 1
Webuzo must update its application. The grade of Let's Encrypt in Webuzo is now B (check on SSL Labs). So it is very important to upgrade ASAP to make it more secure.

Posted By: peopleinside on October 14, 2020, 9:30 am | Post: 2
Quote From : kulonuwun October 14, 2020, 7:35 am
Webuzo must update its application. The grade of Let's Encrypt in Webuzo is now B (check on SSL Labs). So it is very important to upgrade ASAP to make it more secure.

The Webuzo team really "must" upgrade OpenSSL, but you need CentOS 8 to use the new OpenSSL, so your operating system must also be updated.
Regarding the B score: at the moment this is related to your Apache configuration, maybe the default Webuzo Apache configuration, because I still have A+.
You can try editing your Apache config, changing the cipher suite and redoing the scan using the clear cache link at the top of SSL Labs.
For secure ciphers you can get help here: https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6



Posted By: kulonuwun on October 14, 2020, 10:05 am | Post: 3
Yes, I already installed CentOS 8 but still got Grade B.

So I want to edit the Apache configuration using Webuzo by following your guidance here:
https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6

But I don't know the location of the Let's Encrypt path for the cert and private key in Webuzo:

SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs_and_dhparams
SSLCertificateKeyFile  /path/to/private_key

I already purchased a Webuzo license, so I hope there is a solution for this.

Thanks

Posted By: peopleinside on October 14, 2020, 10:09 am | Post: 4
You only need to change the cipher suite, not the path of the certificate. Can you share your domain here or the link with the SSL Labs results so I can take a look at where the issue might be?



Posted By: kulonuwun on October 14, 2020, 10:19 am | Post: 5
I already submitted private ticket #615418, so you can see my domain there.

If possible, teach me in detail how to edit the Apache conf to make it Grade A.

I want all of my domains to get an A grade, not just a single domain. Should I configure Apache for each domain?

Thanks

Posted By: peopleinside on October 14, 2020, 10:23 am | Post: 6
Hi, the ticket will be reviewed by the Webuzo team. I cannot guarantee when they will reply, but maybe they will.
You just need to try changing the ciphers on your Apache if the score is not good, and it should be a change valid for all domains, so you don't need to configure each domain.
First of all, back up your Apache config file as text, then you can try to search for the line with SSLCipherSuite and replace the full line with
Code
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

then you can save, restart Apache and do a new SSL Labs scan.
You can also decide to wait for a reply to your ticket. I'm not part of the Webuzo team, I'm just a user.



Posted By: kulonuwun on October 14, 2020, 10:31 am | Post: 7
Sorry, I can't find the SSLCipherSuite text in the Apache configuration. Check the attachment. Should I add it manually?

Posted By: peopleinside on October 14, 2020, 11:05 am | Post: 8
Try to use the browser search function, or copy the Apache configuration text and paste it into Notepad++.
The cipher suite is present for sure.



Posted By: kulonuwun on October 14, 2020, 11:11 am | Post: 9
Yes, I know how to search for a string. I just attached the Apache conf so you can check it.
This configuration is standard from Webuzo; I didn't change anything.

Posted By: peopleinside on October 14, 2020, 11:19 am | Post: 11
Sounds strange that there is no cipher suite. Maybe you are using the old Apache?
On the main Webuzo home page, type Apache in the left search bar; you will see two Apache versions listed. You should install Apache 2.4, which is the most up to date; once installed, you should make it the default, or check the check box to use it as default.
Try to see if the ciphers are present in this case; if not, you can try to add the relevant line, always after making a backup of the configuration so you can restore it in case of any issue.



Posted By: kulonuwun on October 14, 2020, 11:40 am | Post: 12
If you install Webuzo from scratch, by default it will use apache rather than apache2.
But then I installed apache2, and you can check the apache2 default conf in the attachment. I still didn't find SSLCipherSuite.
I think the Let's Encrypt SSL is protected by Webuzo, so maybe it is not possible to modify it just by editing the apache2 configuration.

Posted By: peopleinside on October 14, 2020, 11:43 am | Post: 13
Do you still get score B with Apache 2.4 as well? If yes, and if the cipher suite line is missing, you can add it after a backup, then do a new scan after restarting Apache.
I'm using Let's Encrypt on Webuzo with Apache 2.4 and I have an A score. I have, of course, the cipher suite line, but I customized my Apache to be secure.



Posted By: kulonuwun on October 14, 2020, 11:55 am | Post: 14
IT WORKS. Now I get A Grade at SSL Labs

So I just added the line below at the end of the apache2 configuration, then restarted the server.

SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
Anyway, thanks for your help. I really appreciate it.
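
A check for the three ways this thread's SSLCipherSuite line can go wrong: missing from the config, separated from its value by a line break, or damaged by a forum rendering ":D" as a smiley. This is an added example, not part of the original posts or Webuzo's code; audit_cipher_suite is a hypothetical helper name and the sample configs are constructed.

```python
import re

# Cipher list from the thread (Mozilla "intermediate" profile), with the
# forum's ":D" smiley damage undone.
INTERMEDIATE = set((
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
).split(":"))

DIRECTIVE = re.compile(r"^\s*SSLCipherSuite\b(.*)$", re.IGNORECASE)

def audit_cipher_suite(conf_text):
    """Return (line_number, problem) findings; line 0 means file-level."""
    findings, seen = [], False
    for number, line in enumerate(conf_text.splitlines(), 1):
        match = DIRECTIVE.match(line)  # "#" comment lines never match
        if not match:
            continue
        args = match.group(1).replace('"', "").split()
        # mod_ssl accepts an optional protocol argument before the list.
        if len(args) == 2 and args[0] == "TLSv1.3":
            continue  # TLS 1.3 suites use other names; not checked here
        if len(args) == 2 and args[0] == "SSL":
            args = args[1:]
        seen = True
        if not args:
            findings.append((number, "directive has no cipher list on its line"))
        elif len(args) > 1:
            findings.append((number, "whitespace inside the cipher list"))
        for name in re.split(r":+", ":".join(args)):
            if name and name not in INTERMEDIATE:
                findings.append((number, "not in intermediate list: " + name))
    if not seen:
        findings.append((0, "no SSLCipherSuite line: OpenSSL DEFAULT list applies"))
    return findings

# Constructed sample configs (not taken from a real Webuzo install).
AS_RENDERED = ("Listen 443\n"
               "SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305 :D HE-RSA-AES128-GCM-SHA256\n")
REPAIRED = "Listen 443\nSSLCipherSuite " + ":".join(sorted(INTERMEDIATE)) + "\n"
NO_DIRECTIVE = "Listen 443\nSSLEngine on\n"
SPLIT_LINE = "SSLCipherSuite         \nECDHE-RSA-AES128-GCM-SHA256\n"

if __name__ == "__main__":
    for label, conf in [("as rendered", AS_RENDERED), ("repaired", REPAIRED),
                        ("no directive", NO_DIRECTIVE), ("split line", SPLIT_LINE)]:
        print(label, audit_cipher_suite(conf))
```

After editing the real file, apachectl configtest catches syntax errors before the restart.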
