Current Version - 12.0.76.4 (I know it's old, an upgrade to 13 is planned!)
Looks like a recent (over the weekend) update to Firefox is now blocking access to my PBX via HTTPS, on Windows and Macs… The error code returned is “Error code: SSL_ERROR_NO_CYPHER_OVERLAP”, and my Google searches have not provided much on a fix other than to possibly remove some old ciphers from the Apache server.
Question: Which file should we edit to manually update SSL/TLS Ciphers in this version of FreePBX?
Here is what I get back from an openssl query -
Server Temp Key: DH, 1024 bits
SSL handshake has read 2484 bytes and written 483 bytes
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-GCM-SHA256
Nmap scan shows this -
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A
And finally, the /etc/httpd/conf.d/ssl.conf file contains this -
# SYSADMIN - File auto-generated by Sysadmin
# Any changes you make to this file will be overwritten.
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
ServerName something.something.something:443
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
# This is taken from https://cipherli.st, March 2015. We explicitly don't support
# older browser versions, so we explicitly don't cater to their https requirements.
SSLCipherSuite AES128+EECDH:AES128+EDH
SSLCertificateFile /etc/httpd/pki/webserver.crt
SSLCertificateKeyFile /etc/httpd/pki/webserver.key
SSLCACertificateFile /etc/httpd/pki/selfsignedca.crt
SetEnvIf User-Agent '.*MSIE.*' nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
Thanks in advance for assisting an SSL/TLS noob!
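An added example (not code from the original post or from the FreePBX project) that makes the "no cipher overlap" situation concrete. It parses the nmap ssl-enum-ciphers output quoted above, intersects the server's TLSv1.2 offer with a constructed client list, flags the points a reviewer would raise (TLS 1.0/1.1 still on, 1024-bit DH below the 2048-bit certificate key, no ECDHE suite), and expands the `SSLCipherSuite AES128+EECDH:AES128+EDH` string with the local OpenSSL so you can see what that Apache directive actually asks for. Assumptions: the client suite list is an illustration of a browser that offers ECDHE and plain-RSA suites but no DHE ones, not any browser's verified default; the 2048-bit DH threshold is a policy choice; and the expansion reflects the OpenSSL the script runs under, not the PBX's, which is why the nmap scan, not the directive, is the authority on what the server really offers.

```python
"""Reason about SSL_ERROR_NO_CYPHER_OVERLAP from an nmap ssl-enum-ciphers listing.

Added example: not the poster's code and not part of FreePBX. The nmap sample is
copied from the post; the client cipher list is a constructed illustration of a
browser that offers ECDHE/RSA suites but no DHE suites (assumption, not a
verified browser default).
"""
import re
import ssl

# Sample input, reproduced from the scan in the post with nmap's indentation.
NMAP_SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|     compressors:
|       NULL
|_  least strength: A
"""

# Constructed client offer (assumption): ECDHE and RSA suites only, no DHE.
# Capture your own browser's ClientHello if you need the real list.
BROWSER_LIKE_CLIENT = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

PROTO_RE = re.compile(r"^\|\s*(SSLv3|TLSv1\.\d):\s*$")
SUITE_RE = re.compile(r"^\|\s*(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s*-\s*([A-F])")


def parse_ssl_enum_ciphers(text):
    """Return {protocol: [(suite, key-exchange group, grade), ...]}."""
    offer, proto = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            offer.setdefault(proto, [])
            continue
        m = SUITE_RE.match(line)
        if m and proto:
            offer[proto].append((m.group(1), m.group(2), m.group(3)))
    return offer


def dh_bits(kex_group):
    """'dh 1024' -> 1024; ECDH curves and RSA key exchange return None."""
    m = re.match(r"dh (\d+)", kex_group)
    return int(m.group(1)) if m else None


def overlap(server_offer, client_suites, proto="TLSv1.2"):
    """Suites both sides accept for one protocol version, in server order.
    An empty list is exactly the no-cipher-overlap handshake failure."""
    wanted = set(client_suites)
    return [s for s, _, _ in server_offer.get(proto, []) if s in wanted]


def audit(server_offer, min_dh=2048):
    """Findings on the server offer; the 2048-bit DH floor is an assumed policy
    (nmap itself only warns when DH is weaker than the certificate key)."""
    findings = []
    for proto in ("SSLv3", "TLSv1.0", "TLSv1.1"):
        if proto in server_offer:
            findings.append(f"{proto} still enabled")
    for proto, suites in server_offer.items():
        for suite, kex, _ in suites:
            bits = dh_bits(kex)
            if bits is not None and bits < min_dh:
                findings.append(f"{proto} {suite}: DH {bits} < {min_dh}")
                break  # one DH finding per protocol version is enough
    if not any(s.startswith("TLS_ECDHE_") for s, _, _ in server_offer.get("TLSv1.2", [])):
        findings.append("no ECDHE suite offered on TLSv1.2")
    return findings


def expand_cipher_string(spec):
    """Expand an OpenSSL cipher string (Apache's SSLCipherSuite syntax) with the
    OpenSSL this interpreter links against. TLS 1.3 suites are dropped because
    OpenSSL lists them regardless of the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers() if c.get("protocol") != "TLSv1.3"]


if __name__ == "__main__":
    offer = parse_ssl_enum_ciphers(NMAP_SAMPLE)
    print("TLSv1.2 overlap with browser-like client:",
          overlap(offer, BROWSER_LIKE_CLIENT) or "NONE (no cipher overlap)")
    for finding in audit(offer):
        print("finding:", finding)
    print("local OpenSSL expands AES128+EECDH:AES128+EDH to:",
          expand_cipher_string("AES128+EECDH:AES128+EDH"))
```

On the real box, `nmap --script ssl-enum-ciphers -p 443 <host>` produces the input for `parse_ssl_enum_ciphers`, and `openssl ciphers -v 'AES128+EECDH:AES128+EDH'` is the command-line equivalent of `expand_cipher_string`. Comparing the two is the useful check: if the string expands to ECDHE suites locally but the scan shows only DHE ones, the server's own httpd/OpenSSL build is not offering what the directive names, and that is what a client with no DHE suites will refuse.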