Drop TLSv1.0 and TLSv1.1 in DirectAdmin

Version 1.56

Feature
Finished

DirectAdmin will now fully drop older TLS methods from connecting to port 2222. For older binaries that don't support TLS 1.2, it will revert to the highest possible server method, with priority top-down being:

TLSv1_2_server_method()
TLS_server_method()
SSLv23_server_method()

where SSLv23_server_method does not imply SSLv2 or SSLv3, but is there from the older OpenSSL libraries to be used for all possible methods (the name is misleading).

There are not currently any directadmin.conf options to downgrade your server_method, but if you do need it, let us know and we can look at adding them. You really should be upgrading your client if it doesn't support TLS 1.2 :)

============

WORKAROUND - Insecure

If you *really* need to connect to a DA box, but the client does not support TLS 1.2, then the current workaround is to set that DA box to run on both https:2222 and http:2223 at the same time, where 2222 is still https/secure, but 2223 is not. (Swap 2223 with some high random port number, and set your firewall to only allow the client IP to connect to it.)

The DA settings for https on 2222 and http on 2223 would be:

SSL=0
port=2223
ssl_port=2222

where 2223 uses SSL=0, but the secondary setting ssl_port=2222 runs a 2nd fork of the master for SSL/TLS 1.2 connections, as before.

If the client is another (older) DA box, then the connection should be using a Login Key that restricts both the IP and the functions, in addition to the firewall restriction. It's not perfectly secure, but neither is using TLS 1.0/1.1.
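To find boxes where the workaround above has left a plaintext listener in place, the following added example (not DirectAdmin's own code) audits directadmin.conf text using the SSL, port and ssl_port settings as described here. The function names, the finding labels, and the defaults assumed when a key is absent (SSL=0, port=2222) are assumptions of this example.

```python
# Added example: audit directadmin.conf text for the plaintext listener
# created by the legacy-client workaround. Defaults are assumptions.

def parse_conf(text):
    """Parse key=value lines; blank lines and # comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def listeners(conf):
    """Map each listening port to 'https' or 'http', per the text above."""
    ssl_on = conf.get("SSL", "0") == "1"           # assumed default: SSL off
    ports = {int(conf.get("port", "2222")): "https" if ssl_on else "http"}
    if not ssl_on and "ssl_port" in conf:          # secondary TLS fork
        ports[int(conf["ssl_port"])] = "https"
    return ports

def audit(text):
    """Return sorted (port, finding) tuples for every plaintext listener."""
    ports = listeners(parse_conf(text))
    has_tls = "https" in ports.values()
    findings = []
    for port, scheme in ports.items():
        if scheme != "http":
            continue
        findings.append((port, "plaintext-workaround" if has_tls else "plaintext-only"))
        if port == 2223:                           # value copied from the example
            findings.append((port, "documented-example-port"))
    return sorted(findings)

# Constructed sample configurations (not taken from any real server).
NORMAL = "SSL=1\nport=2222\n"
WORKAROUND = "# legacy client\nSSL=0\nport=2223\nssl_port=2222\n"
RANDOM_PORT = "SSL=0\nport=48213\nssl_port=2222\n"
PLAIN_ONLY = "SSL=0\nport=2222\n"

if __name__ == "__main__":
    for name, text in [("normal", NORMAL), ("workaround", WORKAROUND),
                       ("random port", RANDOM_PORT), ("plain only", PLAIN_ONLY)]:
        print(name, audit(text))
```

Any "plaintext-workaround" finding should be matched against a firewall rule limiting that port to the client IP and a Login Key on the connecting account.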
