httpd-users mailing list archives

From Daniel Ferradal <dferra...@apache.org>
Subject Re: [users@httpd] Questions to SSLciphersuite
Date Sat, 28 Nov 2020 16:56:11 GMT
Supported ciphers and protocols depend on the OpenSSL version you are
using, which, if my eyes do not deceive me, you haven't mentioned.

Perhaps you should check that first before changing cipher/protocol
parameters in httpd.

"openssl ciphers -v 'ALL'" should do, if the openssl version in your
path is the same one your httpd is using and was compiled with.

On Fri, 27 Nov 2020 at 16:35, Lentes, Bernd
(<bernd.lentes@helmholtz-muenchen.de>) wrote:
>
> Dear all,
>
> In 20 years of administrating Linux hosts I have always successfully avoided changing the SSLCipherSuite, hoping the default from SUSE or Ubuntu would be fine and secure.
> But now I'm in the situation that I have to touch it for the first time, and I'm afraid of opening a big door because of a wrong configuration.
> I have an older piece of software (ServersAlive) which monitors our services.
> Among others it needs to check two Ubuntu 20.04 hosts, one with Apache 2.4.41.
> The software does not check the https URL and complains in the log "SSL handshake failed".
> The webserver log says:
> [Fri Nov 27 16:00:05.526738 2020] [ssl:info] [pid 1330] [client 146.107.25.174:61102] AH02008: SSL library error 1 in handshake (server nc-mcd.helmholtz-muenchen.de:443)
> [Fri Nov 27 16:00:05.526784 2020] [ssl:info] [pid 1330] SSL Library Error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
>
> I think this is related to the SSL configuration of Apache and the fact that the software is a bit outdated.
> I read http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite.
>
> SSLCipherSuite is currently:
>
> SSLCipherSuite HIGH:!aNULL
> That means that all ciphers using Triple-DES are allowed, excluding all ciphers that use no authentication. Right?
>
> SSLHonorCipherOrder off
> OK?
>
> SSLProtocol all -SSLv3
> That means all protocols are allowed but not SSLv3. Right?
>
> I changed it to SSLProtocol all +SSLv3 +TLSv1, but then Apache refused to restart, complaining that SSLv3 is not supported by OpenSSL.
> I changed it to SSLProtocol all +TLSv1, but my software still says the host is down, resulting in the Apache log:
> [Fri Nov 27 16:28:15.143448 2020] [ssl:info] [pid 2703] [client 146.107.25.174:61953] AH02008: SSL library error 1 in handshake (server nc-mcd.helmholtz-muenchen.de:443)
> [Fri Nov 27 16:28:15.143500 2020] [ssl:info] [pid 2703] SSL Library Error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
> [Fri Nov 27 16:28:15.143524 2020] [ssl:info] [pid 2703] [client 146.107.25.174:61953] AH01998: Connection closed to child 3 with abortive shutdown (server nc-mcd.helmholtz-muenchen.de:443)
>
> What can I do?
>
> Bernd
>
> --
>
> Bernd Lentes
> Head of Systemadministration
> Institute for Metabolism and Cell Death (MCD)
> Building 25 - office 122
> HelmholtzZentrum München
> bernd.lentes@helmholtz-muenchen.de
> phone: +49 89 3187 1241
> phone: +49 89 3187 3827
> fax: +49 89 3187 2294
> http://www.helmholtz-muenchen.de/mcd
> Helmholtz Zentrum München
>
> Helmholtz Zentrum Muenchen
> Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
> Ingolstaedter Landstr. 1
> 85764 Neuherberg
> www.helmholtz-muenchen.de
> Chair of the Supervisory Board: MinDir.in Prof. Dr. Veronika von Messling
> Management: Prof. Dr. med. Dr. h.c. Matthias Tschoep, Kerstin Guenther
> Register court: Amtsgericht Muenchen HRB 6466
> VAT ID: DE 129521671
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode
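As an added example (not code from this thread, from httpd or from OpenSSL), the script below does two things that help with the question above: it evaluates an `SSLProtocol` value the way mod_ssl's parser does (`+` adds, `-` removes, a bare name replaces, `all` is every version the linked OpenSSL supports except SSLv2, and naming a version OpenSSL was built without is a configuration error, which is what made httpd refuse `+SSLv3`), and it summarises the `[ssl:info]` handshake-failure lines quoted in the thread by client and OpenSSL reason. It assumes an OpenSSL 1.1.1 built without SSLv3 (the Ubuntu 20.04 build); the `OPENSSL_1_1_1_NO_SSL3` set, the function names and the extra `192.0.2.10` / "no shared cipher" log pair are constructed for the example.

```python
"""Added example (not code from the thread, from httpd or from OpenSSL):
(1) evaluate an SSLProtocol value the way mod_ssl parses it, against the
versions the linked OpenSSL was built with, and (2) summarise the
[ssl:info] handshake-failure lines quoted in the thread by client and reason."""
import re
from collections import Counter

# Protocol versions mod_ssl knows about, oldest first (SSLv2 is never allowed).
VERSIONS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
_BY_LOWER = {v.lower(): v for v in VERSIONS}

# Assumption: an OpenSSL 1.1.1 built without SSLv3, as shipped on Ubuntu 20.04.
OPENSSL_1_1_1_NO_SSL3 = frozenset(("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"))


def ssl_protocol(directive, supported):
    """Return the protocol versions enabled by an SSLProtocol value.

    Mirrors mod_ssl's parser: '+name' adds, '-name' removes, a bare name
    replaces whatever was set so far, and 'all' is every version the linked
    OpenSSL supports except SSLv2.  Enabling a version OpenSSL was built
    without is a configuration error (removing it with '-' is tolerated),
    which is why 'all +SSLv3' made httpd refuse to start in the thread.
    """
    enabled = set()
    for word in directive.split():
        action = word[0] if word[0] in "+-" else "="
        name = word.lstrip("+-")
        if name.lower() == "all":
            wanted = set(supported) & set(VERSIONS)
        elif name.lower() in _BY_LOWER:
            name = _BY_LOWER[name.lower()]
            if name not in supported and action != "-":
                raise ValueError(f"{name} not supported by this version of OpenSSL")
            wanted = {name}
        else:
            raise ValueError(f"SSLProtocol: Illegal protocol '{name}'")
        if action == "+":
            enabled |= wanted
        elif action == "-":
            enabled -= wanted
        else:
            enabled = wanted
    return frozenset(enabled)


# mod_ssl logs a failed handshake as two [ssl:info] lines sharing a pid: the
# AH02008 line names the client, the following "SSL Library Error" line gives
# the OpenSSL function and reason (threaded MPMs also add ":tid NNN").
_AH02008 = re.compile(r"\[pid (\d+)(?::tid \d+)?\] \[client ([0-9a-fA-F.:]+):\d+\] AH02008:")
_LIBERR = re.compile(r"\[pid (\d+)(?::tid \d+)?\] SSL Library Error: "
                     r"error:[0-9a-fA-F]+:SSL routines:(\S+):(.+)$")


def summarise_handshake_failures(log_text):
    """Count (client_ip, 'function:reason') pairs from mod_ssl info-level logs."""
    pending = {}          # pid -> client IP whose reason line has not arrived yet
    counts = Counter()
    for line in log_text.splitlines():
        m = _AH02008.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = _LIBERR.search(line)
        if m and m.group(1) in pending:
            counts[(pending.pop(m.group(1)), f"{m.group(2)}:{m.group(3)}")] += 1
    return counts


# The lines quoted in the thread, unwrapped, plus one constructed pair
# (client 192.0.2.10, "no shared cipher") to show a second failure class.
SAMPLE_LOG = """\
[Fri Nov 27 16:00:05.526738 2020] [ssl:info] [pid 1330] [client 146.107.25.174:61102] AH02008: SSL library error 1 in handshake (server nc-mcd.helmholtz-muenchen.de:443)
[Fri Nov 27 16:00:05.526784 2020] [ssl:info] [pid 1330] SSL Library Error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[Fri Nov 27 16:28:15.143448 2020] [ssl:info] [pid 2703] [client 146.107.25.174:61953] AH02008: SSL library error 1 in handshake (server nc-mcd.helmholtz-muenchen.de:443)
[Fri Nov 27 16:28:15.143500 2020] [ssl:info] [pid 2703] SSL Library Error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[Fri Nov 27 16:28:15.143524 2020] [ssl:info] [pid 2703] [client 146.107.25.174:61953] AH01998: Connection closed to child 3 with abortive shutdown (server nc-mcd.helmholtz-muenchen.de:443)
[Fri Nov 27 16:30:00.000000 2020] [ssl:info] [pid 2704] [client 192.0.2.10:50000] AH02008: SSL library error 1 in handshake (server nc-mcd.helmholtz-muenchen.de:443)
[Fri Nov 27 16:30:00.000100 2020] [ssl:info] [pid 2704] SSL Library Error: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
"""

if __name__ == "__main__":
    for value in ("all -SSLv3", "all +TLSv1", "TLSv1.2 +TLSv1.3"):
        print(f"SSLProtocol {value:<18} -> {sorted(ssl_protocol(value, OPENSSL_1_1_1_NO_SSL3))}")
    try:
        ssl_protocol("all +SSLv3 +TLSv1", OPENSSL_1_1_1_NO_SSL3)
    except ValueError as err:
        print("SSLProtocol all +SSLv3 +TLSv1 ->", err)
    for (client, reason), n in summarise_handshake_failures(SAMPLE_LOG).items():
        print(f"{n:>3}  {client:<16} {reason}")
```

Running it shows that `all +TLSv1` enables exactly the same versions as `all -SSLv3` from mod_ssl's point of view, so the change made in the thread could not have altered what the server accepts; the effective minimum is also bounded by the linked OpenSSL itself, which on Ubuntu 20.04 sets `MinProtocol = TLSv1.2` in the stock `/etc/ssl/openssl.cnf`, in line with the advice above to check the OpenSSL side first. Grouping the failures by client and reason separates peers that cannot speak TLS 1.2 from peers that merely lack a common cipher suite, which tells you which monitoring client needs updating rather than which server setting to loosen.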
