Topic: Apache 2.2.31 - disable SSLv3 in SSLProxyProtocol?

almalino
Joined: 30 Dec 2016 Posts: 1 Location: Salo
Posted: Fri 30 Dec '16 13:10 Post subject: Apache 2.2.31 - disable SSLv3 in SSLProxyProtocol?
Hi Apache experts, I use Apache/2.2.31.
I have the following global SSL configuration outside of several virtual host sections:
Code:
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression Off
SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA25$
SSLProxyProtocol +TLSv1.2 -SSLv2 -SSLv3
and then I have one virtual host with the following proxy RewriteRule [P]:
Code:
RewriteEngine On
SSLProxyEngine On
RewriteCond %{QUERY_STRING} !(^|&)requestOrigin=apiGateway($|&) [NC]
RewriteRule ^/portal/mobile/stores$ https://xxx.execute-api.eu-west-1.amazonaws.com/test/stores [QSA,P,L]
As you can see, I have a rewrite rule that proxies the original request to Amazon API Gateway. Amazon API Gateway does not support SSLv3; that is why I disabled it in the above configuration. I want TLSv1.2 to be used for proxying.
However, Apache continues using SSLv3 while proxying the rewrite rule above, even though I disabled SSLv3 as a proxy protocol. See the debug output below. Any ideas what I am doing wrong? Can it be that Apache has some bug that does not allow me to disable proxy protocols?
Code:
[debug] ssl_engine_io.c(1090): [client XXX.XXX.XXX.XXX] SNI extension for SSL Proxy request set to 'example.com'
[debug] ssl_engine_kernel.c(1834): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: before/connect initialization
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 write client hello A
[debug] ssl_engine_io.c(1939): OpenSSL: read 5/5 bytes from BIO#10c87d0 [mem: 10cttb3] (BIO dump follows)
[debug] ssl_engine_io.c(1872): +-------------------------------------------------------------------------+
[debug] ssl_engine_io.c(1911): | 0000: 16 02 02 00 02 ..... |
[debug] ssl_engine_io.c(1917): +-------------------------------------------------------------------------+
[debug] ssl_engine_io.c(1939): OpenSSL: read 2/2 bytes from BIO#10c87d0 [mem: 10c44b8] (BIO dump follows)
[debug] ssl_engine_io.c(1872): +-------------------------------------------------------------------------+
[debug] ssl_engine_io.c(1911): | 0000: 02 38 .( |
[debug] ssl_engine_io.c(1917): +-------------------------------------------------------------------------+
[debug] ssl_engine_kernel.c(1847): OpenSSL: Read: SSLv3 read server hello A
[debug] ssl_engine_kernel.c(1866): OpenSSL: Exit: failed in SSLv3 read server hello A
[info] [client XXX.XXX.XXX.XXX] SSL Proxy connect failed
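A check worth doing before blaming SSLProxyProtocol: the "SSLv3 write client hello A" / "SSLv3 read server hello A" strings in the debug output are OpenSSL 1.0.x state-machine names, and OpenSSL uses them for every TLS 1.x handshake as well, so those lines by themselves do not show that SSLv3 was offered. The place where the real protocol version is visible is the BIO dump: the two bytes after the record's content type (0x0300 for SSLv3, 0x0301 for TLS 1.0, 0x0303 for TLS 1.2) and the client_version field inside the ClientHello. The Python below is an added example, not code from the original post or from Apache; it rebuilds the raw bytes from mod_ssl-style dump rows and reports the record version, the hello version, and any alert the peer sent back. Every dump row and byte string in it is constructed for illustration (a 50-byte TLS 1.2 ClientHello and a fatal handshake_failure alert), not copied from a real server.

```python
# Added example (not from the original post or from Apache): decode the TLS
# version that mod_ssl really put on the wire from the raw bytes in its
# "BIO dump" debug rows. OpenSSL 1.0.x reports "SSLv3 write client hello A" as
# the state name for every TLS 1.x handshake, so only the version bytes in the
# record tell you what was offered. All sample input below is constructed.
import re
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      46: "certificate_unknown", 48: "unknown_ca",
                      70: "protocol_version", 80: "internal_error"}

# One hex row of a mod_ssl BIO dump, e.g. "| 0000: 16 03 03 00 2d ... |"
DUMP_ROW = re.compile(r"\|\s*([0-9a-fA-F]{4}):\s*(.*?)\s*\|?\s*$")
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")


def bytes_from_bio_dump(lines):
    """Rebuild raw bytes from mod_ssl's BIO dump rows.

    Each row carries at most 16 hex bytes followed by an ASCII column, so we
    stop at the first token that is not a two-digit hex pair, or after 16
    bytes. (Assumption: the ASCII column of a short final row does not itself
    look like a hex pair; mod_ssl's 16-byte rows are always fully consumed.)
    """
    out = bytearray()
    for line in lines:
        m = DUMP_ROW.search(line)
        if not m:                     # "+----+" borders and other log lines
            continue
        taken = 0
        for tok in m.group(2).split():
            if taken == 16 or not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
            taken += 1
    return bytes(out)


def version_name(v):
    return VERSIONS.get(v, "unknown(0x%04x)" % v)


def parse_record(data):
    """Parse one TLS record and pull out the fields that reveal the version."""
    if len(data) < 5:
        raise ValueError("need at least a 5-byte record header")
    ctype, rec_ver, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("record body truncated: header says %d bytes, got %d"
                         % (length, len(body)))
    rec = {"content_type": CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
           "record_version": version_name(rec_ver)}
    if ctype == 22 and len(body) >= 6:
        htype = body[0]
        rec["handshake_type"] = HANDSHAKE_TYPES.get(htype, "other(%d)" % htype)
        if htype in (1, 2):
            # client_version / server_version follows the 4-byte handshake
            # header (1 byte type + 24-bit length).
            rec["hello_version"] = version_name(struct.unpack("!H", body[4:6])[0])
    elif ctype == 21 and len(body) >= 2:
        rec["alert_level"] = ALERT_LEVELS.get(body[0], "unknown(%d)" % body[0])
        rec["alert_description"] = ALERT_DESCRIPTIONS.get(
            body[1], "unknown(%d)" % body[1])
    return rec


def describe(rec):
    """One-line verdict suitable for reading next to the debug log."""
    if "hello_version" in rec:
        return "%s offering %s" % (rec["handshake_type"], rec["hello_version"])
    if "alert_description" in rec:
        return "%s alert: %s" % (rec["alert_level"], rec["alert_description"])
    return "%s record, version %s" % (rec["content_type"], rec["record_version"])


# Constructed mod_ssl-style debug rows for a 50-byte TLS 1.2 ClientHello
# (one cipher suite, no extensions); the row layout mirrors mod_ssl 2.2 output.
CLIENT_HELLO_DUMP = """
[debug] ssl_engine_io.c(1872): +-------------------------------------------------------------------------+
[debug] ssl_engine_io.c(1911): | 0000: 16 03 03 00 2d 01 00 00 29 03 03 00 01 02 03 04  ....-....)...... |
[debug] ssl_engine_io.c(1911): | 0010: 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14  ................ |
[debug] ssl_engine_io.c(1911): | 0020: 15 16 17 18 19 1a 1b 1c 1d 1e 1f 00 00 02 c0 2f  .............../ |
[debug] ssl_engine_io.c(1911): | 0030: 01 00                                             ..               |
[debug] ssl_engine_io.c(1917): +-------------------------------------------------------------------------+
""".strip().splitlines()

# Constructed: a fatal handshake_failure alert (7 bytes), which is what a peer
# with no protocol or cipher suite in common typically answers with.
HANDSHAKE_FAILURE_ALERT = bytes.fromhex("15 03 03 00 02 02 28")

if __name__ == "__main__":
    raw = bytes_from_bio_dump(CLIENT_HELLO_DUMP)
    print(describe(parse_record(raw)))                      # client_hello offering TLSv1.2
    print(describe(parse_record(HANDSHAKE_FAILURE_ALERT)))  # fatal alert: handshake_failure
```

Paste the `| 0000: ...` rows from a LogLevel debug run into `bytes_from_bio_dump` and feed the result to `parse_record`; a ClientHello whose hello_version is TLSv1.2 means SSLProxyProtocol did its job and the failure lies elsewhere (for example the cipher list or the peer). Note that the first record in the post above reads `16 02 02 00 02`, which is not a legal version field (every SSL/TLS version starts with 0x03), so that particular dump cannot be interpreted as posted. Without mod_ssl debug logging, `openssl s_client -connect host:443 -servername host -msg` prints the same handshake records from the command line.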
James Blond (Moderator)
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Thu 26 Jan '17 16:01
Are you sure that AWS can do TLS 1.2? You may check https://www.ssllabs.com/ssltest/
Which OpenSSL version does your 2.2.31 server use?
jclin829
Joined: 10 Feb 2017 Posts: 1
Posted: Fri 10 Feb '17 0:30 Post subject: Apache - disable SSLv3 in SSLProxyProtocol?
Has anyone found a solution for disabling SSLv3 in SSLProxy in Apache when performing a reverse proxy to Amazon API Gateway?