Posted By: peopleinside on March 30, 2020, 8:47 pm |
OpenSSL 1.0.2 has been out of support since 1st January 2020 and is no longer receiving updates.
https://www.openssl.org/news/vulnerabilities-1.0.2.html

We are in March and there is no OpenSSL update and no support for TLS 1.3. Support for TLS 1.3 was introduced in 2017?
https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/

It is still not supported in Webuzo. I hope you can update OpenSSL ASAP. Security is important, I confide in that when I use your panel. Thank you very much!

-----------------------
PeopleInside Web, security, open source passionate. |
Posted By: peopleinside on October 14, 2020, 9:30 am | Post: 2 |
Quote From : kulonuwun October 14, 2020, 7:35 am
webuzo must update its application. The GRADE of letsencrypt in Webuzo is now B (check on SSL LABS). So it is very important to upgrade ASAP to make it more secure.

The Webuzo Team really "must" upgrade OpenSSL, but you need CentOS 8 to use the new OpenSSL, so your operating system must also be updated.
Regarding the score B: at the moment this is related to your Apache configuration, maybe the default Webuzo Apache configuration, because I still have A+. You can try to edit your Apache config, changing the cipher suite, and redo the scan using the clear cache link at the top of SSL LABS.
For secure ciphers you can get help here: https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6

-----------------------
PeopleInside Web, security, open source passionate. |
Posted By: kulonuwun on October 14, 2020, 10:05 am | Post: 3 |
Yes, I already installed CentOS 8 but still got Grade B.
So I want to edit the Apache configuration using Webuzo by following your guidance here: https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1d&guideline=5.6

But I don't know the location of the letsencrypt path for the cert and private key in Webuzo:

SSLCertificateFile /path/to/signed_cert_and_intermediate_certs_and_dhparams
SSLCertificateKeyFile /path/to/private_key

I already purchased a Webuzo license so I hope there is a solution for this. Thanks |
Posted By: peopleinside on October 14, 2020, 10:09 am | Post: 4 |
You only need to change the cipher suite, not the path of the certificate. Can you share your domain here or the link with the SSL LABS results so I can take a look at where the issue could be?
----------------------- PeopleInside Web, security, open source passionate. |
Posted By: peopleinside on October 14, 2020, 10:23 am | Post: 6 |
Hi, the ticket will be reviewed by the Webuzo team. I cannot guarantee when they will reply, but maybe they will.
You just need to try changing the ciphers on your Apache if the score is not good, and it should be a change valid for all domains, so you don't need to configure it for each domain. First of all, back up your Apache config file as text, then you can try to search for the line with SSLCipherSuite and replace the full line with

Code
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

Then you can save, restart Apache and do a new SSL LAB scan. You can also decide to wait for a reply to your ticket. I'm not part of the Webuzo team, I'm just a user.

-----------------------
PeopleInside Web, security, open source passionate. |
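A lint for the SSLCipherSuite change discussed in the post above, as an added example that is not part of the original thread: it reports a missing directive, a cipher list broken into several arguments by stray whitespace, and names outside the Mozilla intermediate list the thread links to. The function name and the sample configs are constructed for illustration.

```python
import re

# Mozilla "intermediate" TLS 1.2 cipher names (the generator linked in the thread).
RECOMMENDED = (
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
)
PROTOCOLS = {"SSL", "TLSv1.3"}  # optional first argument of SSLCipherSuite


def lint_cipher_suites(conf_text):
    """Return (line_no, message) findings for SSLCipherSuite directives."""
    findings, seen = [], False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*SSLCipherSuite\s+(.*)$", raw, re.IGNORECASE)
        if not m:  # comments and other directives never match
            continue
        seen = True
        args = m.group(1).replace('"', "").split()
        proto = args.pop(0) if args and args[0] in PROTOCOLS else "SSL"
        if len(args) != 1:
            findings.append((no, "expected one cipher list, got %d arguments" % len(args)))
        if proto == "TLSv1.3":
            continue  # TLS 1.3 suite names are a separate namespace, not checked here
        for name in ":".join(args).split(":"):
            if name and name not in RECOMMENDED:
                findings.append((no, "not in recommended list: " + name))
    if not seen:
        findings.append((0, "no SSLCipherSuite directive, server default applies"))
    return findings


# Constructed sample configs (not taken from a real server).
GOOD = "SSLEngine on\nSSLCipherSuite " + ":".join(RECOMMENDED) + "\n"
# Constructed failure case: two ":D" separators replaced by a space, as can
# happen when a forum renders ":D" as an emoticon before the line is copied.
MANGLED = GOOD.replace(":DHE", " HE")
MISSING = "Listen 443\nSSLEngine on\n"

if __name__ == "__main__":
    for label, conf in (("good", GOOD), ("mangled", MANGLED), ("missing", MISSING)):
        print(label, lint_cipher_suites(conf))
```

Running it against a copy of the config before restarting Apache catches a pasted line that the server would otherwise reject at startup.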
Posted By: kulonuwun on October 14, 2020, 10:31 am | Post: 7 |
Sorry, I can't find the SSLCipherSuite text in the Apache configuration. Check the attachment. Should I add it manually? |
Posted By: peopleinside on October 14, 2020, 11:05 am | Post: 8 |
Try to use the browser search function, or copy the Apache configuration text and paste it into Notepad++.
The cipher suite is present for sure.

-----------------------
PeopleInside Web, security, open source passionate. |
Posted By: peopleinside on October 14, 2020, 11:19 am | Post: 11 |
Sounds strange, no cipher suite. Maybe you are using the old Apache?
On the main home of Webuzo, type Apache in the left search bar; you will see two Apache versions listed. You should install Apache 2.4, which is the most updated; once installed you should make it the default, or check the check box to use it as default. Try to see if in this case the ciphers are present; if not, you can try to add the relevant line, always after doing a backup of the configuration so you can restore it in case of any issue.

-----------------------
PeopleInside Web, security, open source passionate. |
Posted By: peopleinside on October 14, 2020, 11:43 am | Post: 13 |
Do you still get score B with Apache 2.4 too? If yes, and if the cipher suite line is missing, you can add it after a backup, then you can do a new scan after restarting Apache.
I'm using Let's Encrypt on Webuzo with Apache 2.4 and I have an A score. I have, of course, the cipher suite line, but I customized my Apache to be secure.

-----------------------
PeopleInside Web, security, open source passionate. |
Posted By: peopleinside on October 14, 2020, 12:01 pm | Post: 15 |
Quote From : kulonuwun October 14, 2020, 11:55 am
IT WORKS. Now I get A Grade at SSL Labs.
So I just added the line below at the end of the apache2 configuration, then restarted the server.

SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

Anyway, thanks for your help. I really appreciate it.

I'm glad and happy to read you have resolved it. If you want to get an A+ score you need to add some extra Apache config for each domain you want to protect. You can add extra Apache config from the Webuzo home, at the top left of the panel. The extra config should be a txt file on your PC that is uploaded through the Webuzo interface and should contain:

Code
# Guarantee HTTPS for 2 years (max-age=63072000 seconds)
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
# Header always set Strict-Transport-Security "max-age=63072000;"
#Header always set Content-Security-Policy "upgrade-insecure-requests;"
Header set Content-Security-Policy "upgrade-insecure-requests" env=HTTPS
Header always edit Set-Cookie "(?i)^((?:(?!;\s?HttpOnly).)+)$" "$1; HttpOnly"
Header always edit Set-Cookie "(?i)^((?:(?!;\s?secure).)+)$" "$1; secure"

Adding extra config is good, but if for some reason you need to uninstall Apache, remember that before doing so you need to remove all extra Apache config; otherwise, once you install Apache again on your server, it will fail to load until you clean out all extra Apache config. This is bad behaviour of Webuzo in my opinion, as I think the extra config should be removed with Apache when Apache is removed, or Apache will fail to load.

-----------------------
PeopleInside Web, security, open source passionate. |
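What the two Set-Cookie edit rules and the HSTS max-age in the post above do in practice, replayed with Python's re module on constructed cookie values. This is an added example, not part of the original post; the function names are hypothetical and the regular expressions are copied from the posted config.

```python
import re

# The two "Header always edit Set-Cookie" rules from the post: (pattern, replacement).
# Apache's "$1" backreference is written "\1" for Python's re module.
RULES = [
    (r"(?i)^((?:(?!;\s?HttpOnly).)+)$", r"\1; HttpOnly"),
    (r"(?i)^((?:(?!;\s?secure).)+)$", r"\1; secure"),
]


def harden_set_cookie(value):
    """Apply both edit rules in order to one Set-Cookie header value."""
    for pattern, repl in RULES:
        # Each pattern matches only when the attribute is absent from the whole
        # value, so a cookie that already carries it is left untouched.
        value = re.sub(pattern, repl, value, count=1)
    return value


def hsts_max_age_days(header_value):
    """Return the max-age of a Strict-Transport-Security value in whole days."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", header_value, re.IGNORECASE)
    if not m:
        raise ValueError("no max-age directive")
    return int(m.group(1)) // 86400


# Constructed Set-Cookie values (not captured from a real site).
SAMPLES = [
    "sid=abc123; Path=/",              # neither attribute present
    "sid=abc123; Secure; HttpOnly",    # both present, must stay unchanged
    "sid=abc123; httponly",            # matching is case-insensitive
    "sid=abc123;  Secure",             # two spaces: \s? misses it, attribute is duplicated
]

if __name__ == "__main__":
    for cookie in SAMPLES:
        print(repr(cookie), "->", repr(harden_set_cookie(cookie)))
    print(hsts_max_age_days("max-age=63072000; includeSubdomains;"), "days")
```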