httpd-users mailing list archives

From "Lentes, Bernd" <bernd.len...@helmholtz-muenchen.de>
Subject [users@httpd] Questions to SSLciphersuite
Date Fri, 27 Nov 2020 15:34:38 GMT
Dear all,

In 20 years of administrating Linux hosts I have always successfully avoided changing the SSLCipherSuite,
hoping the default from SUSE or Ubuntu would be fine and secure.
But now I'm in the situation that I have to touch it for the first time, and I'm afraid of opening
a big door because of a wrong configuration.
I have an older piece of software (ServersAlive) which monitors our services.
Among others it needs to check two Ubuntu 20.04 hosts, one with Apache 2.4.41.
The software does not check the https URL and complains in the log "SSL handshake failed".
The webserver log says:
[Fri Nov 27 16:00:05.526738 2020] [ssl:info] [pid 1330] [client 146.107.25.174:61102] AH02008: SSL library error 1 in handshake (server nc-mcd.helmholtz-muenchen.de:443)
[Fri Nov 27 16:00:05.526784 2020] [ssl:info] [pid 1330] SSL Library Error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol

I think this is related to the SSL configuration of Apache and the fact that the software
is a bit outdated.
I read http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite.

SSLCipherSuite is currently:

SSLCipherSuite HIGH:!aNULL
That means that all ciphers using Triple-DES are allowed, without all ciphers using no authentication.
Right?

SSLHonorCipherOrder off
OK?

SSLProtocol all -SSLv3
That means all protocols are allowed but not SSLv3. Right?

I changed it to SSLProtocol all +SSLv3 +TLSv1, but then Apache refused to restart, complaining
SSLv3 is not supported by OpenSSL.
I changed it to SSLProtocol all +TLSv1, but my software still says the host is down, resulting
in the Apache log:
[Fri Nov 27 16:28:15.143448 2020] [ssl:info] [pid 2703] [client 146.107.25.174:61953] AH02008: SSL library error 1 in handshake (server nc-mcd.helmholtz-muenchen.de:443)
[Fri Nov 27 16:28:15.143500 2020] [ssl:info] [pid 2703] SSL Library Error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[Fri Nov 27 16:28:15.143524 2020] [ssl:info] [pid 2703] [client 146.107.25.174:61953] AH01998: Connection closed to child 3 with abortive shutdown (server nc-mcd.helmholtz-muenchen.de:443)

What can I do?

Bernd
-- 

Bernd Lentes 
Head of Systemadministration 
Institute for Metabolism and Cell Death (MCD) 
Building 25 - office 122 
HelmholtzZentrum München 
bernd.lentes@helmholtz-muenchen.de 
phone: +49 89 3187 1241 
phone: +49 89 3187 3827 
fax: +49 89 3187 2294 
http://www.helmholtz-muenchen.de/mcd
Helmholtz Zentrum München

Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Aufsichtsratsvorsitzende: MinDir.in Prof. Dr. Veronika von Messling
Geschaeftsfuehrung: Prof. Dr. med. Dr. h.c. Matthias Tschoep, Kerstin Guenther
Registergericht: Amtsgericht Muenchen HRB 6466
USt-IdNr: DE 129521671
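An added example, not part of Bernd's mail or of Apache itself: a small Python parser for the ssl:info entries quoted above. It pairs each AH02008 handshake failure with the OpenSSL reason that the same worker pid logs next and counts failures per reason and per client, so an operator can see which clients fail and why before loosening SSLProtocol. The sample log is constructed from the quoted lines (each entry on one line, as Apache writes it) plus one invented "no shared cipher" entry.

```python
import re
from collections import Counter

# Constructed sample: the ssl:info entries quoted in the mail, joined back onto
# one line each, plus one made-up entry with a different reason so that the
# summary shows how reasons are kept apart.
SAMPLE_LOG = """\
[Fri Nov 27 16:00:05.526738 2020] [ssl:info] [pid 1330] [client 146.107.25.174:61102] AH02008: SSL library error 1 in handshake (server nc-mcd.helmholtz-muenchen.de:443)
[Fri Nov 27 16:00:05.526784 2020] [ssl:info] [pid 1330] SSL Library Error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[Fri Nov 27 16:28:15.143448 2020] [ssl:info] [pid 2703] [client 146.107.25.174:61953] AH02008: SSL library error 1 in handshake (server nc-mcd.helmholtz-muenchen.de:443)
[Fri Nov 27 16:28:15.143500 2020] [ssl:info] [pid 2703] SSL Library Error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[Fri Nov 27 16:28:15.143524 2020] [ssl:info] [pid 2703] [client 146.107.25.174:61953] AH01998: Connection closed to child 3 with abortive shutdown (server nc-mcd.helmholtz-muenchen.de:443)
[Fri Nov 27 16:30:00.000000 2020] [ssl:info] [pid 2704] [client 10.0.0.5:40000] AH02008: SSL library error 1 in handshake (server nc-mcd.helmholtz-muenchen.de:443)
[Fri Nov 27 16:30:00.000100 2020] [ssl:info] [pid 2704] SSL Library Error: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
"""
# One ssl:info entry: timestamp, level, worker pid, optional client, message.
ENTRY = re.compile(r"^\[(?P<ts>[^\]]+)\] \[ssl:\w+\] \[pid (?P<pid>\d+)\]"
                   r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$")
# The OpenSSL error string Apache logs right after an AH02008 entry.
ERR = re.compile(r"SSL Library Error: error:(?P<code>[0-9A-Fa-f]+):"
                 r"SSL routines:(?P<func>[^:]+):(?P<reason>.+)$")


def parse_handshake_failures(log_text):
    """Pair each AH02008 entry with the reason its worker pid logs next."""
    pending = {}  # pid -> (client ip:port, server name) awaiting its reason
    failures = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("AH02008:"):
            srv = re.search(r"\(server ([^)]+)\)", msg)
            pending[pid] = (m.group("client"), srv.group(1) if srv else None)
            continue
        e = ERR.search(msg)
        if e and pid in pending:
            client, server = pending.pop(pid)
            failures.append({"time": m.group("ts"), "server": server,
                             "client": (client or "?").rsplit(":", 1)[0],
                             "code": e.group("code"), "reason": e.group("reason")})
    return failures


def summarise(failures):
    """Count failures per reason and per (reason, client IP)."""
    by_reason = Counter(f["reason"] for f in failures)
    by_client = Counter((f["reason"], f["client"]) for f in failures)
    return by_reason, by_client
```

Run it over the real error log (LogLevel ssl:info) to see whether "unsupported protocol" comes from the one monitoring host or from many clients before enabling any older protocol for everyone.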