Topic: Legacy windows os fails to communicate with openssl 1.1.1c
Jayaprakash S
Joined: 05 Dec 2019 Posts: 2 Location: India
Posted: Thu 05 Dec '19 16:06 Post subject: Legacy windows os fails to communicate with openssl 1.1.1c
We are using Apache 2.4.41 compiled with OpenSSL 1.0.2s. On hosting a server with Apache 2.4.41 (OpenSSL 1.0.2s), we were able to access it using https from Windows XP as well as 2003 Server machines (IE6).
As OpenSSL is stopping support for 1.0.2 by the end of this year, we're forced to migrate to the OpenSSL 1.1.1 series.
But hosting an Apache (2.4.41) server with OpenSSL version 1.1.1c breaks the https communication from Windows XP and 2003 Server machines (IE6).
On analyzing the issue further with Wireshark, there was an SSL handshake error (code 40). This happens because the "server hello" fails in cipher negotiation, i.e. the server (OpenSSL) doesn't support the cipher list supported by Windows XP/2003 Server machines (client).
Would like to know whether there is a build available for Apache version 2.4.41 with OpenSSL 1.1.1c with the enable-weak-ssl-ciphers, enable-rc4, enable-deprecated flags or not.
Thanks in advance!
Steffen Moderator
Joined: 15 Oct 2005 Posts: 3092 Location: Hilversum, NL, EU
Posted: Thu 05 Dec '19 16:54
Depends on the defined SSLCipherSuite in your config.
To configure, see https://www.apachelounge.com/viewtopic.php?t=8307
The intermediate could be used for XP access, otherwise the old. Not sure about IE6.
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Fri 06 Dec '19 4:18
This doesn't work?
SSLProtocol -all +TLSv1
SSLCipherSuite HIGH:MEDIUM:LOW:!MD5:!RC4:!3DES
If that works, try adding a ! to LOW (!LOW).
If it still works, add a ! to MEDIUM (!MEDIUM).
I, like most of the world, moved on from XP so I cannot test myself. I hated it, but security is better than rolling the dice in my opinion.
Jayaprakash S
Joined: 05 Dec 2019 Posts: 2 Location: India
Posted: Fri 06 Dec '19 13:27 Post subject: Doesn't Work even with LOW graded ciphers
We tried even with LOW graded ciphers. It doesn't work.
We have also tried with SSLv3 enabled. No effect.
The TLS 1.0 weaker ciphers are disabled by default in the OpenSSL 1.1.1 series.
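
Added example (not part of any post in this thread): a Python check that expands a cipher string against the local OpenSSL build and intersects it with the cipher-suite IDs a client lists in its ClientHello, which is the comparison behind the handshake error (code 40) discussed above. Assumptions: Python's `ssl` module is linked against the same OpenSSL build that mod_ssl uses, the client offer is a constructed sample rather than a capture from the thread, and the function names are hypothetical.

```python
import ssl

# Constructed sample input: IANA cipher-suite IDs of the kind a legacy client
# lists in its ClientHello (read the real ones from the Wireshark capture).
# Not taken from this thread.
LEGACY_CLIENT_OFFER = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

# Cipher string quoted in the thread.
THREAD_CIPHER_STRING = "HIGH:MEDIUM:LOW:!MD5:!RC4:!3DES"


def server_suites(cipher_string):
    """Return {IANA id: OpenSSL name} for the suites this OpenSSL build enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # The string selects nothing that is compiled into this build.
        return {}
    # OpenSSL reports ids as 0x0300XXXX; the low 16 bits are the IANA value.
    return {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}


def shared_suites(cipher_string, client_offer):
    """Suites both sides could agree on; an empty result means alert 40."""
    enabled = server_suites(cipher_string)
    return {cid: enabled[cid] for cid in client_offer if cid in enabled}


if __name__ == "__main__":
    print("OpenSSL build:", ssl.OPENSSL_VERSION)
    common = shared_suites(THREAD_CIPHER_STRING, LEGACY_CLIENT_OFFER)
    if common:
        for cid, name in sorted(common.items()):
            print(f"shared 0x{cid:04X} {name}")
    else:
        print("no shared suite: server would answer handshake_failure (40)")
```

An empty intersection points at the build or the cipher string rather than at SSLProtocol; replace the sample offer with the IDs from the actual ClientHello before drawing conclusions.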
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg