httpd-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [users@httpd] apache 2.4.10 sslv3 not offering when tls is enabled
Date Thu, 09 Feb 2017 22:15:30 GMT

Daniel,

On 2/9/17 4:53 PM, Daniel wrote:
> Try manually:
> 
> SSLProtocol SSLv3 TLSv1 TLSv1.1 TLSv1.2

And, please, for the love of god, add these, too:

SSLHonorCipherOrder On
SSLCipherSuite TLSv1.2:TLSv1.1:TLSv1:SSLv3

This will cause "better" ciphers to be preferred over the lesser ones.
Don't forget to eliminate the insecure ones like EXPORT, MD5, DES,
RC4, etc.

A typical cipher string I might use looks like this:

SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:!RC4:ECDHE:ECDH:DHE:AES256-GCM-SHA384:AES128-GCM-SHA256:HIGH

-chris

> 2017-02-09 17:30 GMT+01:00 Sven Crul <Sven.Crul@belmedis.be>:
> 
> Hi,
> 
> I switched to Debian with Apache 2.4.10, where I need SSLv3 for
> backwards compatibility with some OLD clients.
> 
> I use openssl 1.0.1t (latest stable for Debian).
> 
> With the setting "sslprotocol all" in ssl.conf, SSLv3 is not
> offered.
> 
> With the setting "sslprotocol sslv3" in ssl.conf it works, but
> unfortunately without TLS (I need TLS also).
> 
> I must be the only one who has this problem because I can't find
> anything about it anywhere, and I tried about anything there is:
> 
> sslprotocol all +sslv3 ... etc., nothing works.
> 
> Does anybody have an idea?
> 
> THX!!!!!
> 
> Sven
> 
> -- 
> Daniel Ferradal, IT Specialist
> email: dferradal at gmail.com
> linkedin: es.linkedin.com/in/danielferradal
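
Added example, not part of the original message: a Python check that expands the cipher string quoted above with the local OpenSSL build (what `openssl ciphers -v` reports) and flags any NULL, anonymous, export, RC4, MD5 or single-DES suites that survive. The helper names and the WEAK_MARKERS list are assumptions of this example, and the resulting list depends on the OpenSSL version Python is linked against.

```python
import ssl

# Cipher string quoted in the message above.
CIPHER_STRING = ("!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:!RC4:"
                 "ECDHE:ECDH:DHE:AES256-GCM-SHA384:AES128-GCM-SHA256:HIGH")

# Name fragments of the suite families the message excludes or says to
# eliminate (this list is an assumption of the example).
# "DES-CBC-" matches single DES only, not DES-CBC3 (3DES).
WEAK_MARKERS = ("NULL", "ADH-", "AECDH-", "EXP-", "RC4", "MD5", "DES-CBC-")


def expand(cipher_string):
    """Return suite names the local OpenSSL selects, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites ("TLS_...") are not controlled by this string; skip them.
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def weak_suites(names):
    """Return the names that belong to one of the weak families above."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


if __name__ == "__main__":
    names = expand(CIPHER_STRING)
    print(ssl.OPENSSL_VERSION)
    for rank, name in enumerate(names, 1):
        print(f"{rank:3d}  {name}")
    leftovers = weak_suites(names)
    print("weak suites still enabled:", ", ".join(leftovers) or "none")
```

Keywords the local OpenSSL no longer knows (for example SSLv2 or EXPORT on current builds) are ignored rather than rejected, so the string still loads there.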
