I am trying a simple thing but can't get it done.
I would like to disable TLSv1 support on my snap-based install on an Ubuntu server.
Can't find an ssl.conf that is writable to make the change.
I would like to add a line:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
Should be so simple, but I have wasted a few hours trying to get it done.
HELP!
Usually, the Ubuntu/Debian structure is the same:
usually, the ssl.conf is located in /etc/apache2/sites-enabled.
My installation gets 2 files:
000-default.conf and 000-default-le-ssl.conf
vim or nano 000-default-le-ssl.conf
I am using a Let's Encrypt certificate. Here is a working example:
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        # HTTP/2 protocol enabled
        Protocols h2 http/1.1
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        # Let's Encrypt chain
        SSLCertificateFile /etc/letsencrypt/live/REDACTED/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/REDACTED/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        # OFC: your own hostname
        ServerName YOURSERVERNAMEHERE
        # Guarantee HTTPS for 6 months including subdomains
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
    </VirtualHost>

    # SSL CONF Paranoiac (server-wide settings, outside the VirtualHost)
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLHonorCipherOrder on
    # new ssl no compression method
    # no compression due to testing 1.1.1pre8
    # SSLCompression on
    SSLSessionTickets off
    SSLOptions +StrictRequire
    # OCSP Stapling, only in httpd 2.3.3 and later
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>
# EOF
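A quick way to check what an SSLProtocol line actually leaves enabled, as an added example that is not part of the thread or of the Nextcloud snap. It mirrors the token rules of Apache httpd 2.4's SSLProtocol parser (a bare protocol name replaces whatever was set so far, a +token adds, a -token removes) and assumes that "all" expands to SSLv3 plus TLS 1.0 through 1.3, as on a 2.4 build against OpenSSL 1.1.1 where SSLv2 is not supported at all. The sample config is constructed; the function names parse_sslprotocol and audit_config are my own.

```python
"""Evaluate Apache mod_ssl SSLProtocol directives and flag deprecated protocols.

Added example, not from the forum thread. Token semantics follow Apache 2.4:
a bare token replaces the set built so far, '+tok' adds, '-tok' removes.
Assumption: 'all' is SSLv3 plus TLS 1.0-1.3 (2.4 on OpenSSL 1.1.1); SSLv2
is not supported, so '-SSLv2' is accepted but is a no-op.
"""
import re

ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# Versions a hardened server should no longer offer.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}   # tokens are case-insensitive

# Matches an active (not commented-out) SSLProtocol line and captures its value.
SSLPROTOCOL_RE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_sslprotocol(value):
    """Return the frozenset of protocols an SSLProtocol value leaves enabled."""
    enabled = set()
    for token in value.split():
        action = ""
        if token[0] in "+-":
            action, token = token[0], token[1:]
        key = token.lower()
        if key == "all":
            members = set(ALL_PROTOCOLS)
        elif key == "sslv2":
            members = set()          # unsupported in 2.4: nothing to add or remove
        elif key in _CANON:
            members = {_CANON[key]}
        else:
            raise ValueError(f"unknown protocol token {token!r}")
        if action == "-":
            enabled -= members
        elif action == "+":
            enabled |= members
        else:
            enabled = set(members)   # bare token overrides everything before it
    return frozenset(enabled)


def audit_config(text):
    """For every SSLProtocol line, list the deprecated protocols still enabled."""
    findings = []
    for match in SSLPROTOCOL_RE.finditer(text):
        value = match.group(1)
        enabled = parse_sslprotocol(value)
        findings.append((value, sorted(enabled & DEPRECATED)))
    return findings


# Constructed sample: a server-wide default that still allows TLS 1.0/1.1 and a
# vhost that applies the line the original poster wanted.
SAMPLE_CONFIG = """\
<IfModule mod_ssl.c>
    SSLProtocol all -SSLv3
    <VirtualHost *:443>
        ServerName example.invalid
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    </VirtualHost>
</IfModule>
"""

if __name__ == "__main__":
    for value, weak in audit_config(SAMPLE_CONFIG):
        status = "OK" if not weak else "still enabled: " + ", ".join(weak)
        print(f"SSLProtocol {value:<35} -> {status}")
```

The "bare token overrides" rule is the one worth remembering: a line such as "SSLProtocol all -TLSv1 TLSv1.1" ends up with only TLSv1.1 enabled because the unprefixed TLSv1.1 discards everything before it, which is why Apache logs a warning about a missing +/- prefix in that case.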
chke, December 1, 2018, 10:41am
This is not the case with a snap install. There is no /etc/apache2.
The ssl.conf is located at /snap/nextcloud/9868/conf/ssl.conf and it is not writable.
The whole directory is mounted read-only:
/var/lib/snapd/snaps/nextcloud_9868.snap on /snap/nextcloud/9868 type squashfs (ro,nodev,relatime,x-gdu.hide)
https://github.com/nextcloud/nextcloud-snap/wiki/How-to-modify-your-SSL-configuration talks about a custom.conf at /var/snap/nextcloud/current/apache/conf/custom.conf, which also does not exist.
After reading https://github.com/nextcloud/nextcloud-snap/issues/616, snaps seem to be read-only by design.
https://github.com/nextcloud/nextcloud-snap/pull/619/files seems to fix this by providing
sudo snap set nextcloud apache.oldtls=false
but it doesn't seem to be merged yet.