httpd-users mailing list archives

From Sven Crul <Sven.C...@belmedis.be>
Subject Re: [users@httpd] apache 2.4.10 sslv3 not offering when tls is enabled
Date Fri, 10 Feb 2017 09:09:33 GMT


At this moment I have this:

But I had everything :-p



        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate. See the
        #   ciphers(1) man page from the openssl package for list of all available
        #   options.
        #   Enable only secure ciphers:
        #SSLCipherSuite HIGH:MEDIUM:ALL:!aNULL
        SSLCipherSuite TLSv1.2:TLSv1.1:TLSv1:SSLv3

        # SSL server cipher order preference:
        # Use server priorities for cipher algorithm choice.
        # Clients may prefer lower grade encryption.  You should enable this
        # option if you want to enforce stronger encryption, and can afford
        # the CPU cost, and did not override SSLCipherSuite in a way that puts
        # insecure ciphers first.
        # Default: Off
        SSLHonorCipherOrder on

        #   The protocols to enable.
        #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
        #   SSL v2  is no longer supported
        #SSLProtocol -all +TLSv1 +SSLv3
        SSLProtocol SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2





From:	Daniel <dferradal@gmail.com>
To:	"<users@httpd.apache.org>" <users@httpd.apache.org>
Date:	10/02/2017 10:00
Subject:	Re: [users@httpd] apache 2.4.10 sslv3 not offering when tls is enabled



Do you change SSLCipherSuite? Show us which one you have.

2017-02-10 9:29 GMT+01:00 Sven Crul <Sven.Crul@belmedis.be>:


      Hi,


      First of all, thanks. Like already said, I tried about
      everything :-( Nevertheless I tried all of them again ... without
      success.

      I cannot get the server to offer SSLv3 when TLS is enabled (any
      TLS). When I set SSLProtocol SSLv3 then SSLv3 works, but from the
      moment I add TLS, SSLv3 no longer works.


      Sven







      From: Mitchell Krog Photography <mitchellkrog@gmail.com>
      To: Christopher Schultz <chris@christopherschultz.net>,
      users@httpd.apache.org
      Date: 10/02/2017 08:26
      Subject: Re: [users@httpd] apache 2.4.10 sslv3 not offering when tls is enabled




      Your SSL config for Apache 2.4.10 should be as follows

      <VirtualHost *:443>
         ...
         SSLEngine on
         SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
         SSLCertificateKeyFile   /path/to/private/key

         # Uncomment the following directive when using client certificate authentication
         #SSLCACertificateFile   /path/to/ca_certs_for_client_authentication


         # HSTS (mod_headers is required) (15768000 seconds = 6 months)
         Header always set Strict-Transport-Security "max-age=15768000"
         ...
      </VirtualHost>

      # intermediate configuration, tweak to your needs
      SSLProtocol             all -SSLv3
      SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

      SSLHonorCipherOrder     on
      SSLCompression          off


      # OCSP Stapling, only in httpd 2.3.3 and later
      SSLUseStapling          on
      SSLStaplingResponderTimeout 5
      SSLStaplingReturnResponderErrors off
      SSLStaplingCache        shmcb:/var/run/ocsp(128000)


      Always check with >
      https://mozilla.github.io/server-side-tls/ssl-config-generator/



      From: Christopher Schultz <chris@christopherschultz.net>
      Reply: users@httpd.apache.org <users@httpd.apache.org>
      Date: 10 February 2017 at 12:15:30 AM
      To: users@httpd.apache.org <users@httpd.apache.org>
      Subject:  Re: [users@httpd] apache 2.4.10 sslv3 not offering when tls is enabled

            Daniel,

            On 2/9/17 4:53 PM, Daniel wrote:
            > Try manually:
            >
            > SSLProtocol SSLv3 TLSv1 TLSv1.1 TLSv1.2

            And, please, for the love of god, add these, too:

            SSLHonorCipherOrder On
            SSLCipherSuite TLSv1.2:TLSv1.1:TLSv1:SSLv3

            This will cause "better" ciphers to be preferred over the
            lesser ones.
            Don't forget to eliminate the insecure ones like EXPORT, MD5, DES,
            RC4, etc.

            A typical cipher string I might use looks like this:

            SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:!RC4:ECDHE:ECDH:DHE:AES256-GCM-SHA384:AES128-GCM-SHA256:HIGH

            - -chris

            > 2017-02-09 17:30 GMT+01:00 Sven Crul <Sven.Crul@belmedis.be
            > <mailto:Sven.Crul@belmedis.be>>:
            >
            > Hi,
            >
            >
            > I switched to Debian with Apache 2.4.10 where I need SSLv3 for
            > backwards compatibility with some OLD clients.
            >
            > I use OpenSSL 1.0.1t (latest stable for Debian).
            >
            >
            > With the setting "SSLProtocol all" in ssl.conf SSLv3 is not
            > offered.
            >
            > With the setting "SSLProtocol SSLv3" in ssl.conf it works, but
            > unfortunately without TLS (I need TLS also).
            >
            >
            > I must be the only one who has this problem because I can't find
            > anything about it anywhere, and I tried about anything there is.
            >
            >
            > SSLProtocol all +SSLv3 ... etc. Nothing works.
            >
            >
            > Anybody has an idea
            >
            >
            > THX!!!!!
            >
            > Sven
            >
            >
            >
            >
            >
            >
            > -- *Daniel Ferradal* IT Specialist
            >
            > email dferradal at gmail.com
            > linkedin es.linkedin.com/in/danielferradal







--
Daniel Ferradal
IT Specialist

email         dferradal at gmail.com
linkedin     es.linkedin.com/in/danielferradal
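The whole thread turns on how mod_ssl reads an SSLProtocol line: a bare keyword, a `+`/`-` prefixed keyword, and the `all` shorthand behave differently, and the three spellings that appear above (`all -SSLv3`, `-all +TLSv1 +SSLv3`, `SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2`) are easy to confuse. The following is an added example written for this archive page, not code from the Apache project or from anyone in the thread. It models the evaluation rules documented for httpd 2.4 with the keyword set of 2.4.10 on OpenSSL 1.0.1, and assumes `all` still expands to SSLv3 plus the three TLS versions (a build without `no-ssl3`); the override warning is paraphrased from httpd's log message, not quoted. The function names and the sample directive lines are the example's own.

```python
"""Model of how Apache httpd 2.4 (mod_ssl) evaluates an SSLProtocol line.

Added example for this thread, not code from the Apache project. It
models the 2.4.10 / OpenSSL 1.0.1 keyword set (assumption: 'all' still
expands to SSLv3 + TLSv1 + TLSv1.1 + TLSv1.2, i.e. a build without
no-ssl3). The override warning is paraphrased from httpd's log message.
"""
from __future__ import annotations

# Protocol keywords mod_ssl accepts in 2.4 with OpenSSL 1.0.1 (assumed set).
PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
ALL = frozenset(PROTOCOLS)
_LOOKUP = {p.lower(): p for p in PROTOCOLS}  # keyword matching is case-insensitive


class SSLProtocolError(ValueError):
    """A keyword httpd would reject when the configuration is parsed."""


def parse_ssl_protocol(directive: str) -> tuple[frozenset[str], list[str]]:
    """Return (enabled protocols, warnings) for one SSLProtocol directive.

    Evaluation is left to right:
      '+name'  adds the protocol to the set
      '-name'  removes it
      'name'   replaces the whole set (httpd warns if something was already set)
      'all'    is shorthand for every protocol in PROTOCOLS
      'SSLv2'  is no longer supported in 2.4: an error unless written '-SSLv2'
    """
    words = directive.split()
    if words and words[0].lower() == "sslprotocol":
        words = words[1:]          # accept the directive name or just its arguments
    if not words:
        raise SSLProtocolError("SSLProtocol requires at least one protocol keyword")

    enabled: set[str] = set()
    warnings: list[str] = []
    for raw in words:
        action, word = "", raw
        if raw[0] in "+-":
            action, word = raw[0], raw[1:]
        key = word.lower()

        if key == "sslv2":
            if action == "-":
                continue           # '-SSLv2' is tolerated so old configs still load
            raise SSLProtocolError("SSLv2 is no longer supported")
        if key == "all":
            chosen = set(ALL)
        elif key in _LOOKUP:
            chosen = {_LOOKUP[key]}
        else:
            raise SSLProtocolError(f"Illegal protocol '{word}'")

        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        elif enabled:
            # The trap: a bare keyword after an earlier setting replaces it,
            # so 'all SSLv3' ends up as SSLv3 only.
            warnings.append(
                f"Protocol '{word}' overrides already set parameter(s); "
                "check whether a +/- prefix is missing"
            )
            enabled = chosen
        else:
            enabled = chosen
    return frozenset(enabled), warnings


def offers_sslv3_with_tls(directive: str) -> bool:
    """True if the directive enables SSLv3 and at least one TLS version."""
    enabled, _ = parse_ssl_protocol(directive)
    return "SSLv3" in enabled and bool(enabled & (ALL - {"SSLv3"}))


if __name__ == "__main__":
    # Directive forms taken from this thread, plus one common mistake.
    for line in (
        "SSLProtocol all -SSLv3",                      # Mozilla intermediate profile
        "SSLProtocol -all +TLSv1 +SSLv3",              # the commented-out default
        "SSLProtocol SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2",  # what Sven has now
        "SSLProtocol all SSLv3",                       # missing '+': silently narrows
    ):
        enabled, warns = parse_ssl_protocol(line)
        print(f"{line:45} -> {sorted(enabled)} {warns}")
```

Run over the directives in the thread, the model shows that both `all` and `SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2` enable SSLv3 alongside TLS, so the directive syntax itself is not what suppresses SSLv3 in Sven's setup; the model only says what mod_ssl asks OpenSSL to enable, not what the library build or the client will actually negotiate. The `all SSLv3` case is the one worth checking for in a config review: the bare second keyword silently narrows the set to SSLv3 only, which is exactly the mistake httpd's override warning exists to catch. Keep in mind that offering SSLv3 at all is only defensible for the legacy-client case Sven describes; the Mozilla intermediate profile quoted above removes it for a reason.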
