httpd-users mailing list archives

From "Chunduru, Krishnachaithanya" <Krishnachaithanya.Chund...@broadridge.com>
Subject RE: [users@httpd] how to enable TLS v1.1 and TLS v1.2 alone in Apache 2.4.10 ?
Date Fri, 05 May 2017 12:36:53 GMT
Hi Luca,

Can you please let me know what details you require for the below.

I’m using the below syntax to block the SSLv2 and V3.

SSLProtocol all -SSLv2 -SSLv3

And below is the log for it after starting the apache. Please let me know if this information is sufficient to proceed further.

[Fri May 05 08:23:25.650618 2017] [ssl:warn] [pid 4128986:tid 1] AH01906: XXXXX:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri May 05 08:23:25.650629 2017] [ssl:warn] [pid 4128986:tid 1] AH01909: XXXXX:443:0 server certificate does NOT include an ID which matches the server name
[Fri May 05 08:23:25.674714 2017] [auth_digest:notice] [pid 12452008:tid 1] AH01757: generating secret for digest authentication ...
[Fri May 05 08:23:25.677590 2017] [ssl:warn] [pid 12452008:tid 1] AH01906: XXXXX443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri May 05 08:23:25.677614 2017] [ssl:warn] [pid 12452008:tid 1] AH01909: XXXXX443:0 server certificate does NOT include an ID which matches the server name
[Fri May 05 08:23:25.677829 2017] [ssl:warn] [pid 12452008:tid 1] AH01906: XXXXX:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri May 05 08:23:25.677840 2017] [ssl:warn] [pid 12452008:tid 1] AH01909: XXXXX:443:0 server certificate does NOT include an ID which matches the server name
[Fri May 05 08:23:25.677937 2017] [lbmethod_heartbeat:notice] [pid 12452008:tid 1] AH02282: No slotmem from mod_heartmonitor
[Fri May 05 08:23:25.738129 2017] [mpm_worker:notice] [pid 12452008:tid 1] AH00292: Apache/2.4.10 (Unix) OpenSSL/0.9.8y configured -- resuming normal operations
[Fri May 05 08:23:25.738216 2017] [core:notice] [pid 12452008:tid 1] AH00094: Command line: '/opt/httpd/sbin/httpd'

Then I tried to block the TLSv1 using the below syntax and tried to refresh the apache.

SSLProtocol all -SSLv2 -SSLv3 -TLSv1

While stopping it stopped without a problem, but when starting it gave “Starting Apache 2.4...” but it didn’t start.

-bash-4.2# ./httpd stop
Stopping Apache...
-bash-4.2# ./httpd start
Starting Apache 2.4...
httpd (pid 12452008) already running
-bash-4.2# ./httpd start
Starting Apache 2.4...
-bash-4.2# ps -ef | grep -i http
-bash-4.2#

And in the error_log, I could see the below errors.

[Fri May 05 08:31:00.620940 2017] [mpm_worker:notice] [pid 12452008:tid 1] AH00295: caught SIGTERM, shutting down
[Fri May 05 08:31:01.164809 2017] [ssl:warn] [pid 11731186:tid 1] AH01906: XXXXX:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri May 05 08:31:01.164851 2017] [ssl:warn] [pid 11731186:tid 1] AH01909: XXXXX:443:0 server certificate does NOT include an ID which matches the server name
[Fri May 05 08:31:01.164912 2017] [ssl:emerg] [pid 11731186:tid 1] AH02231: No SSL protocols available [hint: SSLProtocol]
[Fri May 05 08:31:01.164918 2017] [ssl:emerg] [pid 11731186:tid 1] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed

Regards,
Krishna
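
Added example, not part of the original message: a shell sketch that reads the OpenSSL version from the AH00292 startup banner in the error_log above and works out which protocols each SSLProtocol line from the message leaves enabled. It assumes a simplified model of SSLProtocol in which TLSv1.1 and TLSv1.2 are available only from OpenSSL 1.0.1 onward; all function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed, simplified SSLProtocol model: "all" is what the
# OpenSSL release offers; TLSv1.1/TLSv1.2 exist only from OpenSSL 1.0.1 on; SSLv2 is not modelled.

# Startup banner copied from the error_log posted above (mail line wrap rejoined).
SAMPLE_LOG='[Fri May 05 08:23:25.738129 2017] [mpm_worker:notice] [pid 12452008:tid 1] AH00292: Apache/2.4.10 (Unix) OpenSSL/0.9.8y configured -- resuming normal operations'

# Print the OpenSSL version named in the last startup banner read from stdin.
banner_openssl_version() {
    sed -n 's|.*AH00292:.* OpenSSL/\([^ ]*\) configured.*|\1|p' | tail -n 1
}

# Print the protocols a given OpenSSL release can offer.
library_protocols() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # 0.9.8y -> 0.9.8
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    if [ $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} )) -ge 10001 ]; then
        echo "SSLv3 TLSv1 TLSv1.1 TLSv1.2"
    else
        echo "SSLv3 TLSv1"
    fi
}

# Remove protocol $1 from the working set.
drop() { new=""; for p in $enabled; do [ "$p" = "$1" ] || new="$new $p"; done; enabled=$new; }

# Apply SSLProtocol arguments ($1) on top of an OpenSSL version ($2).
effective_protocols() {
    avail=$(library_protocols "$2"); enabled=""
    for tok in $1; do
        case $tok in
            all) enabled=$avail ;;
            -*)  drop "${tok#-}" ;;
            +*)  drop "${tok#+}"; case " $avail " in *" ${tok#+} "*) enabled="$enabled ${tok#+}" ;; esac ;;
            *)   case " $avail " in *" $tok "*) enabled=$tok ;; *) enabled="" ;; esac ;;  # plain NAME replaces the set
        esac
    done
    echo $enabled
}

# Say whether a directive leaves mod_ssl with nothing to offer.
check_directive() {
    left=$(effective_protocols "$1" "$2")
    [ -n "$left" ] && { echo "OK: $left"; return 0; }
    echo "EMPTY: nothing left to enable (the AH02231 condition)"; return 1
}

ver=$(printf '%s\n' "$SAMPLE_LOG" | banner_openssl_version)
check_directive "all -SSLv2 -SSLv3" "$ver"
check_directive "all -SSLv2 -SSLv3 -TLSv1" "$ver" || true
```

Against a real server, feed the live error_log to `banner_openssl_version` instead of the embedded sample line.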

From: Luca Toscano [mailto:toscano.luca@gmail.com]
Sent: Tuesday, May 02, 2017 2:53 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] how to enable TLS v1.1 and TLS v1.2 alone in Apache 2.4.10 ?

Hi,

I'd suggest reaching out to the IRC #httpd channel on Freenode; a lot of people in there can
help you more quickly than a users@ email thread, especially due to the fact that your issue will
require a lot of details not yet provided.

Luca

2017-05-01 15:20 GMT+02:00 Chunduru, Krishnachaithanya <Krishnachaithanya.Chunduru@broadridge.com>:
Hi,

Thanks for the info.

I have already tried this, but was getting a fatal mod_ssl error while enabling TLSv1.1 or 1.2.

Regards,
Krishna

From: K R [mailto:kp0773@gmail.com]
Sent: Saturday, April 29, 2017 9:28 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] how to enable TLS v1.1 and TLS v1.2 alone in Apache 2.4.10 ?

https://serverfault.com/questions/314858/how-to-enable-tls-1-1-and-1-2-with-openssl-and-apache

On Wed, Apr 19, 2017 at 7:37 AM, Chunduru, Krishnachaithanya <Krishnachaithanya.Chunduru@broadridge.com> wrote:
Hi Eric/All,

Can you please help me with the below.

Regards,
Krishna

-----Original Message-----
From: Chunduru, Krishnachaithanya [mailto:Krishnachaithanya.Chunduru@broadridge.com]
Sent: Monday, April 17, 2017 6:34 PM
To: users@httpd.apache.org
Subject: RE: [users@httpd] how to enable TLS v1.1 and TLS v1.2 alone in Apache 2.4.10 ?

Hi Eric,

The openssl version we used while installing Apache 2.4.10 is 1.0.1.515.

Regards,
Krishna

-----Original Message-----
From: Eric Covener [mailto:covener@gmail.com]
Sent: Monday, April 17, 2017 6:18 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] how to enable TLS v1.1 and TLS v1.2 alone in Apache 2.4.10 ?

On Mon, Apr 17, 2017 at 6:59 AM, Chunduru, Krishnachaithanya <Krishnachaithanya.Chunduru@broadridge.com> wrote:
> Are TLS v1.1 and v1.2 not supported in Apache 2.4.10 running with
> Openssl 1.0.2.1000? Your suggestions are highly appreciated as this has
> been pending in my account for a long time.

It probably depends on what openssl build your httpd was built against, not just what's loaded
at runtime.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


This message and any attachments are intended only for the use of the addressee and may contain
information that is privileged and confidential. If the reader of the message is not the intended
recipient or an authorized representative of the intended recipient, you are hereby notified
that any dissemination of this communication is strictly prohibited. If you have received
this communication in error, please notify us immediately by e-mail and delete the message
and any attachments from your system.
