Apache Lounge
Forum Index -> Apache
Topic: VS17 build :: rejects TLSv1.0 and TLSv1.1 ?
Mg
Joined: 04 Jun 2014
Posts: 4
Posted: Thu 17 Nov '22 15:09

Is it possible to enable TLSv1 and TLSv1.1 with this build?

I tried:
SSLProtocol all -SSLv2 -SSLv3 +TLSv1 +TLSv1.1
But the apache server rejects any TLS 1.0 and TLS 1.1 ciphers.

If yes: how?
If not: which component prohibits it? mod_ssl? openssl3.0.7?

(I know, I shouldn't, but a few clients with legacy apps require it)

If it's not possible, I will have to stop using apache lounge builds from now on :(
tangent
Moderator
Joined: 16 Aug 2020
Posts: 348
Location: UK
Posted: Fri 18 Nov '22 21:13

The security world continues to move on, and TLSv1.0 / TLSv1.1 are both out of favour and considered end of life for several years now.

So I presume your Apache log contains messages of this form:
Code:

[Fri Nov 18 14:23:48.117249 2022] [ssl:info] [pid 12104:tid 1904] SSL Library Error: error:0A000076:SSL routines::no suitable signature algorithm
[Fri Nov 18 14:27:36.481373 2022] [ssl:info] [pid 12104:tid 1904] SSL Library Error: error:0A000102:SSL routines::unsupported protocol

This TLS restriction is basically down to the OpenSSL support library, so you can't really blame the Apache Lounge for this, when they're simply tracking the latest security fixes and code features in their builds. Equally, most browsers no longer support TLSv1.0 / TLSv1.1, so doesn't that impact your client connections too, or do you have some legacy application making these connections?

Either way, if you really need to support these protocols for certain legacy clients, then I'd suggest moving that service to its own separate platform using an earlier release of Apache / OpenSSL, and would assume your security people would fully support (let alone mandate) such a move.

If you had to, you could equally build your own release of code using the following Apache Lounge HOWTO, https://www.apachelounge.com/viewtopic.php?t=8609, where you could specify your own version and build options for OpenSSL.

TLS 1.0 and TLS 1.1 only work at security level 0, not the current OpenSSL default of security level 1, so you could pass -DOPENSSL_TLS_SECURITY_LEVEL=0 to the OpenSSL build process, to force it to provide legacy TLS support. I can confirm this works with release 3.0.7 coupled to Apache 2.4.54.
Mg
Joined: 04 Jun 2014
Posts: 4
Posted: Thu 15 Dec '22 12:29    Post subject: Workaround found

I found a workaround:

patch openssl.cnf in the apache/conf directory:

Code:

[openssl_init]
...
# point libssl's defaults at the ssl_sect section below
ssl_conf = ssl_sect
...
[ssl_sect]
# applied to every SSL_CTX the process creates, i.e. mod_ssl's contexts
system_default = system_default_sect

[system_default_sect]
# SECLEVEL=0 is what lets TLSv1.0 / TLSv1.1 negotiate again
CipherString = DEFAULT@SECLEVEL=0
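A small audit helper for the two points in this thread: tangent's note that TLSv1.0 / TLSv1.1 only negotiate at security level 0, and the openssl.cnf workaround above. It resolves the openssl_init -> ssl_conf -> system_default chain to the effective SECLEVEL (so an admin can see at a glance whether a config has quietly re-enabled legacy TLS), and counts the mod_ssl "unsupported protocol" log lines that show legacy clients being refused. This is example code added here, not from Apache Lounge or either poster; the sample config and log lines are constructed from what is quoted in the thread.

```python
import re

# Constructed sample of the openssl.cnf workaround posted above (elided lines omitted).
SAMPLE_CNF = """\
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
CipherString = DEFAULT@SECLEVEL=0
"""

# Constructed log lines in the mod_ssl format quoted by tangent.
SAMPLE_LOG = [
    "[Fri Nov 18 14:23:48.117249 2022] [ssl:info] [pid 12104:tid 1904] SSL Library Error: error:0A000076:SSL routines::no suitable signature algorithm",
    "[Fri Nov 18 14:27:36.481373 2022] [ssl:info] [pid 12104:tid 1904] SSL Library Error: error:0A000102:SSL routines::unsupported protocol",
]

def parse_cnf(text: str) -> dict:
    """Minimal INI-style parse of openssl.cnf: {section: {key: value}}."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections.setdefault(current, {})[key] = value
    return sections

def effective_seclevel(text: str) -> int:
    """Follow openssl_init -> ssl_conf -> system_default -> CipherString.
    With no @SECLEVEL override, OpenSSL's default security level is 1."""
    cnf = parse_cnf(text)
    ssl_sect = cnf.get("openssl_init", {}).get("ssl_conf", "")
    dflt_sect = cnf.get(ssl_sect, {}).get("system_default", "")
    cipher = cnf.get(dflt_sect, {}).get("CipherString", "")
    m = re.search(r"@SECLEVEL=(\d+)", cipher)
    return int(m.group(1)) if m else 1

def legacy_tls_permitted(text: str) -> bool:
    """TLSv1.0 / TLSv1.1 only negotiate at security level 0."""
    return effective_seclevel(text) == 0

def unsupported_protocol_errors(lines) -> int:
    """Count handshakes mod_ssl refused because the client offered a TLS
    version the current security level does not allow."""
    return sum("error:0A000102" in l and "unsupported protocol" in l for l in lines)
```

Running unsupported_protocol_errors over a real error_log (at LogLevel ssl:info) before and after the change tells you how many clients actually still need the legacy protocols, which is worth knowing before lowering the level on a shared host.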