
This is my first experience with Amazon Lightsail, WordPress Multisite, Bitnami and even with Let's Encrypt; now it seems everything just works, except for the SSL directives in my virtual host file.

Because it seems that the major browsers – aka Chrome, Safari/WebKit, Mozilla Firefox and IE/Edge – are going to remove support for TLS 1.0 and TLS 1.1 as soon as the beginning of the new year – precisely between January and March – I would like to know how to disable them for my new WordPress Multisite instance in Lightsail.

After I obtained a Let's Encrypt SSL certificate and successfully deployed it, I tested it and verified that TLS 1.0 and TLS 1.1 are enabled along with TLS 1.2. Now it seems that my Apache version 2.4.39 also supports TLS 1.3, and I am trying to enable that too and disable the two older versions. Reading on the net I found that I must change the httpd.conf file to insert this directive:

SSLProtocol -all +TLSv1.2

so, inside the httpd.conf file I found this block, that seems the right place:

# Default SSL Virtual Host configuration.

<IfModule !ssl_module>
LoadModule ssl_module modules/mod_ssl.so
</IfModule>

Listen 443
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA$
SSLPassPhraseDialog  builtin
SSLSessionCache "shmcb:/opt/bitnami/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>
DocumentRoot "/opt/bitnami/apache2/htdocs"
SSLEngine on
SSLCertificateFile "/opt/bitnami/apache2/conf/mydomain.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/mydomain.key"

<Directory "/opt/bitnami/apache2/htdocs">
Options Indexes FollowSymLinks
AllowOverride All
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3 >
Require all granted
</IfVersion>
</Directory>

# Error Documents
ErrorDocument 503 /503.html

# Bitnami applications installed with a prefix URL (default)
Include "/opt/bitnami/apache2/conf/bitnami/bitnami-apps-prefix.conf"
</VirtualHost>

I tried to simply update httpd.conf and httpd-ssl.conf, but nothing happens: TLS 1.3 does not work and TLS 1.0 and TLS 1.1 are still enabled.

I also read this question:

Disabling TLS 1.0 in Apache 2.4

and after my additions these are my SSL directives in the httpd-ssl.conf file:

# SSLProtocol all -SSLv3
SSLProtocol  +TLSv1.2 +TLSv1.3
#SSLProtocol all -TLSv1 -SSLv3
SSLProxyProtocol all +TLSv1.2 +TLSv1.3

But nothing changed, and now I really do not know how to enable TLS 1.3 and disable TLS 1.0 and TLS 1.1. Of course, after every change I restarted Apache.

  • After all, yesterday I found another configuration file and now TLSv1.0 and TLSv1.1 are disabled. But it seems it is not possible to enable TLSv1.3 as well: SSLProtocol: Illegal protocol 'TLSv1.3' is the message I received! Can someone help me? – Catch29 Dec 20 '19 at 14:53
  • Verify your logs at startup and confirm which version you are running. `+TLSv3` did not exist before 2.4. Or if you have access to run it, do `apachectl -v`. – Nic3500 Dec 21 '19 at 03:47
  • apachectl -v returns "Server version: Apache/2.4.39 (Unix)". That's why I expected to be able to enable TLSv1.3. – Catch29 Dec 21 '19 at 13:13
  • Furthermore, the error_log file reports this ssl:warn: this version of mod_ssl was compiled against a newer library (OpenSSL 1.0.2s 28 May 2019, version currently loaded is OpenSSL 1.0.2r 26 Feb 2019) - may result in undefined or erroneous behavior. – Catch29 Dec 21 '19 at 14:46

3 Answers

I was also having this problem and put together the following solution:

  1. Open an instance of SSH from your Lightsail dashboard
  2. Navigate to: /opt/bitnami/apache2/conf/bitnami/
  3. Add the following line to the bitnami.conf file under where it says:

Listen 443
.#SSLProtocol -SSLv2 -SSLv3

SSLProtocol TLSv1.2

  4. Navigate to: /opt/bitnami/apache2/conf/extra
  5. In the httpd-ssl.conf file, add the hashtag to the following lines (without the . ):

.#SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
.#SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

Now remove the hashtag from the following lines so they read as:

SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

  6. Now under #SSL Protocol Support, change the settings to look like this:

.#SSLProtocol all -SSLv3
# enable only TLS 1.2 and TLS 1.3 (TLSv1.3 needs mod_ssl built on OpenSSL 1.1.1)
SSLProtocol +TLSv1.2 +TLSv1.3 -SSLv3
.#SSLProxyProtocol all -SSLv3
SSLProxyProtocol +TLSv1.2 +TLSv1.3 -SSLv3

Reboot apache with: sudo /opt/bitnami/ctlscript.sh restart apache

Check your site at both:
https://www.whynopadlock.com
https://www.ssllabs.com/ssltest

You should now receive an A score and no TLS 1.0 and TLS 1.1 protocols being supported.
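As an added illustration (not code from the question or from any of the answers), here is a small Python model of how mod_ssl resolves an `SSLProtocol` argument list and why only the last directive read for a scope takes effect; the protocol names and error strings are Apache's own, while the OpenSSL-version table and the `audit` helper are assumptions of this example.

```python
import re

# Protocol names mod_ssl knows per OpenSSL generation (assumed table, consistent
# with the comments above): TLSv1.3 needs mod_ssl built on OpenSSL 1.1.1 or newer.
KNOWN = {
    "1.0.2": ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"),
    "1.1.1": ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"),
}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # what browsers are dropping


def resolve_sslprotocol(args, openssl="1.0.2"):
    """Set of protocols one SSLProtocol argument list leaves enabled, mirroring
    mod_ssl: start empty; '+name' adds, '-name' removes, a bare name replaces
    the set, 'all' expands to every known protocol, '-SSLv2' is a no-op in 2.4,
    and an unknown name is the "Illegal protocol" startup error seen above."""
    known, enabled = KNOWN[openssl], set()
    for word in args.split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        if name == "SSLv2" and action == "-":
            continue
        if name == "all":
            names = set(known)
        elif name in known:
            names = {name}
        else:
            raise ValueError(f"SSLProtocol: Illegal protocol '{name}'")
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = names
    return frozenset(enabled)


def audit(config_lines, openssl="1.0.2"):
    """Apply the last SSLProtocol line in a block (later lines win, so an edit
    in the wrong file changes nothing) and report what a scanner would see."""
    effective = None
    for line in config_lines:
        m = re.match(r"\s*SSLProtocol\s+(.*)", line, re.I)  # '#...' never matches
        if m:
            effective = resolve_sslprotocol(m.group(1), openssl)
    if effective is None:  # mod_ssl's documented default for Apache 2.4
        effective = resolve_sslprotocol("all -SSLv3", openssl)
    if not effective:  # Apache refuses to start with an empty set
        raise ValueError("No SSL protocols available [hint: SSLProtocol]")
    return {"enabled": sorted(effective), "legacy_still_on": sorted(effective & LEGACY)}
```

Feeding it the question's `all -SSLv2 -SSLv3` line shows TLS 1.0 and 1.1 still on, while `-all +TLSv1.2` or a bare `TLSv1.2` leaves only TLS 1.2, and `+TLSv1.3` on the 1.0.2 build reproduces the "Illegal protocol" error from the comments.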


It is probably not yet possible to enable TLSv1.3. According to this Bitnami community thread:

https://community.bitnami.com/t/tlsv1-3-support-for-new-lamp-stack-installers/67672

TLSv1.3 is only supported with Apache version 2.4.36 and OpenSSL 1.1.1...our stacks include OpenSSL 1.0.2 so it's not currently possible to enable that protocol. Sorry for the inco…

Waiting for updates...

  • The wait did not last long; Bitnami just updated the stack, with Apache 2.4.41 along with OpenSSL 1.1.1d. TLSv1.3, fully enabled, alongside TLSv1.2. – Catch29 Dec 25 '19 at 22:55

If your site is behind Cloudflare or a similar service, then you will need to make the TLS changes on Cloudflare itself, regardless of whether you have set up the SSLProtocol correctly in bitnami.conf.
