Vincent
Joined: 19 Jul 2016  Posts: 5  Location: Germany
Posted: Wed 20 Jul '16 12:18    Post subject: TLS 1.1 TLS 1.2 errors

Hi All
 
 
So we use Apache Lounge on some of our Windows Servers.
 
 
Recently we updated as follows:


So as of July 2016 using:

Server version: Apache/2.4.20 (Win64)
Server built:   Apr  5 2016 13:15:28
OpenSSL 1.0.2h  3 May 2016
 
 
We also configured Apache to only allow TLS 1.1 and 1.2
 
 
However - we found that the server is actually still allowing TLS1.0 and not supporting TLS 1.1 and 1.2.
 
 
We also run Apache on CentOS and here we have:

OpenSSL 1.0.1e-fips 11 Feb 2013
Server version: Apache/2.4.6 (CentOS)
Server built:   May 12 2016 10:27:23

Here TLS 1.1 and 1.2 work fine and TLS 1.0 is blocked.
 
 
The configuration on both is the same, namely:
 
 
# Settings 19 July 2016
SSLEngine on
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLProtocol +TLSv1.2 +TLSv1.1
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA"
#


I am wondering if there is a bug somewhere in the Apache Lounge build, since the exact same settings work on the CentOS Apache?
 
glsmith (Moderator)
Joined: 16 Oct 2007  Posts: 2268  Location: Sun Diego, USA
Posted: Wed 20 Jul '16 17:36

No, nothing wrong with the Windows Apache; CentOS might have modified their copy to stop TLSv1, but it's not like that in the code released by ASF.


Try

SSLProtocol -all +TLSv1.2 +TLSv1.1
 
Jan-E
Joined: 09 Mar 2012  Posts: 1283  Location: Amsterdam, NL, EU
Posted: Wed 20 Jul '16 18:12

Is there a 'SSLFIPS on' in the CentOS HTTPD config? BTW: CentOS 6 or 7?
 
Vincent
Joined: 19 Jul 2016  Posts: 5  Location: Germany
Posted: Wed 20 Jul '16 20:58

glsmith wrote:

    No, nothing wrong with the Windows Apache, CentOS might have modified their copy to stop TLSv1 but it's not like that in the code released by ASF.

    Try

    SSLProtocol -all +TLSv1.2 +TLSv1.1
 
 
 
Yes, tried the '-all' and also '-TLSv1'. I just cannot see any reason why 1.0 works and 1.1 and 1.2 fail.


I know that SSLCipherSuite can actually override the SSLProtocol, but even here, tried various combinations with the same result.


The website/s where this is happening can be reached externally, though I would hesitate to post them directly here.
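To check what the SSLProtocol lines traded back and forth in this thread actually leave enabled, here is an added Python model of the directive's documented parsing rules; it is not code from Apache, Apache Lounge or any poster, the function name parse_ssl_protocol is hypothetical, and it assumes mod_ssl's semantics (a bare keyword replaces the set built so far, '+' adds, '-' removes, 'all' expands to SSLv3 plus every TLS version the build knows) on an OpenSSL 1.0.2 build that knows TLS 1.0 to 1.2.

```python
import logging
from typing import Dict, List

# Keywords mod_ssl accepts (matched case-insensitively) and one bit per
# version. Modelled on an OpenSSL 1.0.2 build as in the thread, so "all"
# covers SSLv3 and TLS 1.0-1.2 (assumption: no TLS 1.3 in this build).
PROTOCOLS: Dict[str, int] = {
    "SSLv3": 1 << 1,
    "TLSv1": 1 << 2,
    "TLSv1.1": 1 << 3,
    "TLSv1.2": 1 << 4,
}
LOOKUP = {name.lower(): bit for name, bit in PROTOCOLS.items()}
ALL_BITS = sum(PROTOCOLS.values())


def parse_ssl_protocol(directive: str) -> List[str]:
    """Return the versions an SSLProtocol line leaves enabled, in order.

    Hypothetical helper modelling the documented directive semantics:
    '+word' adds a version, '-word' removes it, and a bare word replaces
    whatever was accumulated so far (mod_ssl warns when that happens).
    An unknown keyword is a configuration error, so it raises.
    """
    words = directive.split()
    if words and words[0].lower() == "sslprotocol":
        words = words[1:]  # accept the full line or just its arguments
    enabled = 0  # parsing starts from "no protocols", not from "all"
    for word in words:
        action = ""
        if word[0] in "+-":
            action, word = word[0], word[1:]
        key = word.lower()
        if key == "all":
            bits = ALL_BITS
        elif key in LOOKUP:
            bits = LOOKUP[key]
        else:
            raise ValueError(f"SSLProtocol: illegal protocol '{word}'")
        if action == "-":
            enabled &= ~bits
        elif action == "+":
            enabled |= bits
        else:
            if enabled:
                logging.warning("'%s' overrides already set parameter(s); "
                                "check if a +/- prefix is missing", word)
            enabled = bits
    return [name for name, bit in PROTOCOLS.items() if enabled & bit]


if __name__ == "__main__":
    for line in ("SSLProtocol +TLSv1.2 +TLSv1.1",       # Vincent's line
                 "SSLProtocol -all +TLSv1.2 +TLSv1.1",  # glsmith's line
                 "SSLProtocol all -SSLv3 TLSv1"):       # bare word overrides
        print(f"{line:38} -> {parse_ssl_protocol(line)}")
```

Under these rules both forms from the thread enable exactly TLSv1.1 and TLSv1.2, so '-all' is harmless but not what makes the difference; a server that still accepts TLS 1.0 with either line is reading its protocol setting from somewhere other than this directive, which is why testing a fresh binary on a separate port, as suggested later in the thread, is a sound way to narrow it down.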
 
Vincent
Joined: 19 Jul 2016  Posts: 5  Location: Germany
Posted: Wed 20 Jul '16 21:59

Jan-E wrote:

    Is there a 'SSLFIPS on' in the Centos HTTPD config? BTW: Centos 6 or 7?
 
 
So this is:
 
CentOS Linux release 7.2.1511 (Core)
 
 
I did a quick search in httpd and also ssl.conf and did not find 'SSLFIPS on'.
 
Vincent
Joined: 19 Jul 2016  Posts: 5  Location: Germany
Posted: Wed 27 Jul '16 11:04    Post subject: TLS 1.0, 1.1 and 1.2

Any takers on this issue? No progress made on the problem.
 
James Blond (Moderator)
Joined: 19 Jan 2006  Posts: 7443  Location: EU, Germany, Next to Hamburg
Posted: Mon 01 Aug '16 15:55

I'm a bit confused. Is your issue on the Windows server or on the CentOS server?
 
Vincent
Joined: 19 Jul 2016  Posts: 5  Location: Germany
Posted: Wed 03 Aug '16 10:31    Post subject: Apache TLS

The problem is on Windows using the ApacheLounge build. CentOS was mentioned only for comparison - and also coz the config is identical.
 
James Blond (Moderator)
Joined: 19 Jan 2006  Posts: 7443  Location: EU, Germany, Next to Hamburg
Posted: Wed 10 Aug '16 11:45

I suggest that you download a fresh Apache and run it on a different port or on a test computer, just to make sure that it uses the latest OpenSSL version that AL offers.
 
 
Code:

SSLUseStapling Off
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS