Virtual Host has TLSv1 and TLSv1.1 disabled by default

Hello,

We've noticed on two new server builds (CentOS 7), new virtual hosts / domains created with SSL enabled have TLSv1 and TLSv1.1 disabled in the httpd config by default. Is this an intended update? It currently means any websites would lose traffic from Internet Explorer 8-10 on Windows 7 and some other devices (Android 4.3) etc.

Is there a way to change what it is set to by default in Virtualmin so it only disabled SSLv2 and SSLv3 for now?

Thanks

Status: Active

Comments

Yes, it is intentional - those old TLS versions have a bunch of vulnerabilities and are not recommended to even be offered due to the risk of protocol downgrade attacks.

In the current code, there's no way to prevent this directive from being added, sorry.

Will there be any plans to add a way to configure this globally in the near future?

The majority of our clients would not be happy with losing support for Windows 7 IE8-10 and Android 4.3 and lower, and the fact this is added every time a VirtualHost is created is a nuisance, as we have to remember an additional step to do (editing SSL versions support on the vhost or the Apache config). If it's not us adding the sites, then the client would have to be aware of how to do this, otherwise they unwittingly lose support for those visitors.

I'm surprised this has been added with no workaround. I'm all for security and ensuring we try to run the most secure protocols and systems possible, but potential lost business on websites unwittingly on this version is a major issue.

Well, there are some pretty significant vulnerabilities with those protocols. It shouldn't prevent IE 8-10 from working, though it could potentially prevent unpatched versions of some browsers from working.

If you really wish to continue with those vulnerabilities, you could always comment out the parts of the Apache config that are restricting the SSL version to newer protocols.

Have a look at https://en.wikipedia.org/wiki/Transport_Layer_Security#POODLE_attack for details on some of the TLS 1.1 and lower vulnerabilities.

Personally, I would recommend only changing this setting for websites that have clients that don't support the newer TLS versions. You can change it by editing the Apache config after domain creation, and Virtualmin won't revert your change.
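To make concrete what "editing the Apache config" means in this thread, here is an added Python example (not part of the original thread, and not Virtualmin's or Apache's own code). It evaluates a mod_ssl `SSLProtocol` value the way mod_ssl does (left to right, `all` plus `+`/`-` modifiers), pulls the directive out of a vhost fragment, and reports which legacy client groups would be unable to negotiate a session. The two vhost fragments, the exact Virtualmin-generated directive, and the per-client protocol support table are constructed assumptions based on the thread (IE8-10 on Windows 7 and Android 4.3 are treated as TLS 1.0-only in their default configuration, as the poster describes).

```python
"""Evaluate Apache mod_ssl SSLProtocol directives and report legacy-client impact.

Added illustration for the Virtualmin thread above; the vhost fragments,
the assumed Virtualmin directive and the client profiles are constructed.
"""
import re

# Protocol keywords mod_ssl 2.4 can actually enable (SSLv2 is gone; see below).
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# Assumed client capabilities, taken from the thread: the old IE/Android
# builds ship with only TLS 1.0 enabled unless a user turns TLS 1.2 on.
CLIENT_PROFILES = {
    "IE8-10 on Windows 7 (default settings)": {"TLSv1"},
    "Android 4.3": {"TLSv1"},
    "Current browsers": {"TLSv1.2", "TLSv1.3"},
}

# Constructed vhost fragments: the strict form this thread complains about,
# and the looser "only drop SSLv2/SSLv3" form the poster asked for.
STRICT_VHOST = """<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>"""

COMPAT_VHOST = """<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>"""

_DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def effective_protocols(directive_value):
    """Return the set of versions enabled by an SSLProtocol value.

    Tokens are 'all' or a version name, optionally prefixed with '+' (add)
    or '-' (remove); a bare name counts as '+'. The set starts empty and
    tokens apply in order, so 'all -SSLv3 -TLSv1' means everything but
    those two. '-SSLv2' is tolerated as a no-op (mod_ssl 2.4 cannot enable
    SSLv2, so only removing it is accepted).
    """
    enabled = set()
    for token in directive_value.split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        lname = name.lower()
        if lname == "sslv2":
            if op == "-":
                continue
            raise ValueError("SSLv2 cannot be enabled by mod_ssl 2.4")
        if lname == "all":
            members = set(ALL_PROTOCOLS)
        else:
            members = {p for p in ALL_PROTOCOLS if p.lower() == lname}
            if not members:
                raise ValueError(f"unknown SSLProtocol keyword: {token}")
        if op == "+":
            enabled |= members
        else:
            enabled -= members
    return enabled


def sslprotocol_from_config(config_text):
    """Effective protocol set for a vhost fragment.

    The last SSLProtocol line in the fragment wins. If none is present,
    mod_ssl 2.4's documented default of 'all -SSLv3' applies.
    """
    values = _DIRECTIVE.findall(config_text)
    return effective_protocols(values[-1] if values else "all -SSLv3")


def clients_locked_out(enabled):
    """Names of client profiles sharing no protocol version with the server."""
    return sorted(name for name, supported in CLIENT_PROFILES.items()
                  if not (supported & enabled))


if __name__ == "__main__":
    for label, vhost in (("strict", STRICT_VHOST), ("compat", COMPAT_VHOST)):
        enabled = sslprotocol_from_config(vhost)
        print(f"{label}: enabled={sorted(enabled)} "
              f"locked out={clients_locked_out(enabled)}")
```

Running it shows the trade-off the thread is about: the strict directive leaves only TLS 1.2/1.3 and locks out both legacy profiles, while `all -SSLv2 -SSLv3` keeps them connecting at the cost of offering TLS 1.0/1.1. Pointing `sslprotocol_from_config` at a real generated vhost file is a quick way to audit what a build actually offers before relying on an external scanner.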

I fully understand the vulnerabilities in these versions. It will prevent IE8 to 10 from working on Windows 7 unless they have specially gone into the Settings on the browser and enabled the higher TLS 1.2.

I understand the need for security. However, what I dislike most about the way browsers handle this is it isn't obviously clear to visitors to sites why they can't connect to that site using their browser (if it doesn't support TLSv1.2). Browsers do need to improve this, but it won't happen in versions IE8-10 on Windows 7 as it's no longer actively supported (other than security updates, I believe). Also, the POODLE vulnerability to TLS v1.x from what I understand doesn't affect systems such as CentOS 6+ (maybe even 5, if I understood correctly) as the crypto libraries on these systems aren't vulnerable (see https://bugzilla.redhat.com/show_bug.cgi?id=1171965).

I just feel this is slightly premature to implement without a programmatic, global configuration option to ensure we can specify if we actually want it.

Fortunately, I run SSL Labs tests on websites we deploy onto servers to help verify everything is configured as expected, and I noticed the lack of support in comparison to previous tests. If this hadn't been picked up and the site had continued running, they would have lost around 2% of their traffic, maybe more, as the systems that interact with the site can be quite old. If this then affected the revenue generated from their site, it would have been a noticeable sum to the client without any thought on why the sudden decrease.

Are there any newsletters or lists I can subscribe to where updates like these are made clear?

Secondly, if I update (yum update) an existing CentOS 7 (or 6), will this start occurring on new websites on there too?

Thank you.

I will add a template-level option in the next Virtualmin release to allow the SSL protocols to allow or reject to be customized.

Upgrading CentOS won't change the settings for an existing website - they are only determined at creation time.

Thanks Jamie.

If I update a Virtualmin installation to the newest version and then create a website, will that have the newest SSL policies (e.g. rejecting TLS1, 1.1, SSL3)? That's the one I'm most concerned about in my question, as I will need to go and check some servers clients use to deploy multiple websites, as they are likely unaware of this.

Yes, that's correct.