httpd-users mailing list archives

From aparna Puram <aparnapu...@gmail.com>
Subject Re: [users@httpd] TLS 1.2 handshake problem?
Date Tue, 12 Jun 2012 18:36:31 GMT
Hi,

Sometimes, from the huge list of supported cipher suites, it will be hard
for us to select the exact cipher.

If you are working on Solaris, you can use the following command to check
the exact cipher and protocol being used by the client.

/opt/csw/bin/openssl s_client -connect clienthostname:443 -debug

The following output will be displayed.

SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA

Then you can add this protocol and cipher to your sslciphersuite. It will
enable the connection between your webserver and the client.


On Tue, Jun 12, 2012 at 11:57 PM, Garrison, Jim (ETW) <Jim.Garrison@nike.com> wrote:

> I am trying unsuccessfully to get Subversion to connect over HTTPS to an
> Apache server that is configured with
>
> SSLProtocol -ALL +SSLv3 +TLSv1
> SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
>
> The behavior I'm seeing is that the client sends the initial CLIENT HELLO,
> and Apache does not respond:
>
>    Client                Server
>        -------syn---------->
>        <------ack-----------
>        ---CLIENT HELLO----->
>        <------ack-----------
>          [60 second pause]
>        <------rst-----------
>
> The CLIENT HELLO is TLSv1.0, containing TLSv1.2 handshake protocol.  Is
> this not supported by Apache?
>
> The CLIENT HELLO as decoded by Wireshark is:
>
> Secure Sockets Layer
>    SSL Record Layer: Handshake Protocol: Client Hello
>        Content Type: Handshake (22)
>        Version: TLS 1.0 (0x0301)
>        Length: 337
>        Handshake Protocol: Client Hello
>            Handshake Type: Client Hello (1)
>            Length: 333
>            Version: TLS 1.2 (0x0303)
>            Random
>                gmt_unix_time: Jun 12, 2012 11:11:31.000000000 Pacific Daylight Time
>                random_bytes: aec93d5fa312325bec744389f47e96cc8b4580adc8d2488f...
>            Session ID Length: 0
>            Cipher Suites Length: 158
>            Cipher Suites (79 suites)
>                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
>                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
>                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
>                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
>                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
>                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
>                Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA (0xc022)
>                Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA (0xc021)
>                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)
>                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
>                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
>                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
>                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
>                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
>                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
>                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
>                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)
>                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)
>                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)
>                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)
>                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
>                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
>                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
>                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
>                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
>                Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
>                Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
>                Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
>                Cipher Suite: TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA (0xc01c)
>                Cipher Suite: TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA (0xc01b)
>                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
>                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
>                Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
>                Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
>                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
>                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
>                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
>                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
>                Cipher Suite: TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA (0xc01f)
>                Cipher Suite: TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA (0xc01e)
>                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
>                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
>                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
>                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
>                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
>                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
>                Cipher Suite: TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x009a)
>                Cipher Suite: TLS_DHE_DSS_WITH_SEED_CBC_SHA (0x0099)
>                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
>                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
>                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
>                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
>                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
>                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
>                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
>                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
>                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
>                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
>                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
>                Cipher Suite: TLS_RSA_WITH_SEED_CBC_SHA (0x0096)
>                Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
>                Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
>                Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
>                Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
>                Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
>                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
>                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
>                Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
>                Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
>                Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
>                Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
>                Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
>                Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
>                Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
>                Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
>                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
>            Compression Methods Length: 2
>            Compression Methods (2 methods)
>                Compression Method: DEFLATE (1)
>                Compression Method: null (0)
>            Extensions Length: 133
>            Extension: server_name
>                Type: server_name (0x0000)
>                Length: 18
>                Data (18 bytes)
>            Extension: ec_point_formats
>                Type: ec_point_formats (0x000b)
>                Length: 4
>                EC point formats Length: 3
>                Elliptic curves point formats (3)
>                    EC point format: uncompressed (0)
>                    EC point format: ansiX962_compressed_prime (1)
>                    EC point format: ansiX962_compressed_char2 (2)
>            Extension: elliptic_curves
>                Type: elliptic_curves (0x000a)
>                Length: 52
>                Elliptic Curves Length: 50
>                Elliptic curves (25 curves)
>                    Elliptic curve: sect571r1 (0x000e)
>                    Elliptic curve: sect571k1 (0x000d)
>                    Elliptic curve: secp521r1 (0x0019)
>                    Elliptic curve: sect409k1 (0x000b)
>                    Elliptic curve: sect409r1 (0x000c)
>                    Elliptic curve: secp384r1 (0x0018)
>                    Elliptic curve: sect283k1 (0x0009)
>                    Elliptic curve: sect283r1 (0x000a)
>                    Elliptic curve: secp256k1 (0x0016)
>                    Elliptic curve: secp256r1 (0x0017)
>                    Elliptic curve: sect239k1 (0x0008)
>                    Elliptic curve: sect233k1 (0x0006)
>                    Elliptic curve: sect233r1 (0x0007)
>                    Elliptic curve: secp224k1 (0x0014)
>                    Elliptic curve: secp224r1 (0x0015)
>                    Elliptic curve: sect193r1 (0x0004)
>                    Elliptic curve: sect193r2 (0x0005)
>                    Elliptic curve: secp192k1 (0x0012)
>                    Elliptic curve: secp192r1 (0x0013)
>                    Elliptic curve: sect163k1 (0x0001)
>                    Elliptic curve: sect163r1 (0x0002)
>                    Elliptic curve: sect163r2 (0x0003)
>                    Elliptic curve: secp160k1 (0x000f)
>                    Elliptic curve: secp160r1 (0x0010)
>                    Elliptic curve: secp160r2 (0x0011)
>            Extension: SessionTicket TLS
>                Type: SessionTicket TLS (0x0023)
>                Length: 0
>                Data (0 bytes)
>            Extension: signature_algorithms
>                Type: signature_algorithms (0x000d)
>                Length: 34
>                Data (34 bytes)
>            Extension: Unknown 15
>                Type: Unknown (0x000f)
>                Length: 1
>                Data (1 byte)
>
>
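
The quoted capture carries two separate version fields: the record-layer version (TLS 1.0, 0x0301) and the handshake client_version (TLS 1.2, 0x0303), which RFC 5246 Appendix E.1 allows to differ. As an added example that is not part of the original thread, this Python sketch parses a constructed ClientHello and reports both fields along with the offered suites; the sample bytes and all function names are assumptions made for illustration.

```python
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def build_sample_client_hello():
    """Constructed sample bytes: record version TLS 1.0, client_version TLS 1.2."""
    suites = [0xC030, 0x0039, 0x0035, 0x00FF]        # four of the suites quoted above
    body = struct.pack("!H", 0x0303) + bytes(32)     # client_version + 32-byte random
    body += b"\x00"                                  # session ID length 0
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x02\x01\x00"                          # compression: DEFLATE, null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

def parse_client_hello(data):
    """Parse one TLS record holding a ClientHello; raise ValueError if malformed."""
    try:
        ctype, rec_ver, rec_len = struct.unpack("!BHH", data[:5])
        hs = data[5:5 + rec_len]
        if ctype != 22 or len(hs) != rec_len or hs[0] != 1:
            raise ValueError("not a complete ClientHello handshake record")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        (client_ver,) = struct.unpack("!H", body[:2])
        pos = 2 + 32                                 # skip version and random
        pos += 1 + body[pos]                         # skip session ID
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        if cs_len % 2 or pos + cs_len > len(body):
            raise ValueError("bad cipher suite list length")
        suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        comp_len = body[pos]
        compression = list(body[pos + 1:pos + 1 + comp_len])
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    return {"record_version": rec_ver, "client_version": client_ver,
            "cipher_suites": suites, "compression": compression}

def version_name(code):
    return VERSION_NAMES.get(code, "unknown 0x%04x" % code)

if __name__ == "__main__":
    hello = parse_client_hello(build_sample_client_hello())
    print("record layer :", version_name(hello["record_version"]))
    print("handshake    :", version_name(hello["client_version"]))
    print("suites       :", [hex(s) for s in hello["cipher_suites"]])
```
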
