Topic: How to disable TLS 1.1 while enabling TLS 1.0?
majidex
Joined: 31 Jul 2019 Posts: 5 Location: Japan
Posted: Wed 31 Jul '19 8:49 Post subject: How to disable TLS 1.1 while enabling TLS 1.0?
The ones I use are:
Code:
D:\Apache24\bin>httpd.exe -v
Server version: Apache/2.4.39 (Win64)
Apache Lounge VS16 Server built: May 28 2019 17:12:51
D:\Apache24\bin>openssl.exe version
OpenSSL 1.1.1c 28 May 2019

We are currently migrating servers from Apache 2.2 to Apache 2.4.
In order to maintain compatibility while disabling TLS 1.1, I made the following setting to enable TLS 1.0.
Code:
SSLProtocol all -TLSv1.1 +TLSv1

However, disabling TLS 1.1 will also disable TLS 1.0 and will not work well.
Is there anyone who knows how to set it up?
James Blond (Moderator)
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Wed 31 Jul '19 14:35
Use -all and enable only what you need.
Code:
SSLProtocol -all +TLSv1 +WhatEverElse

Example:
Code:
SSLProtocol -all +TLSv1.2 +TLSv1.3
majidex
Joined: 31 Jul 2019 Posts: 5 Location: Japan
Posted: Wed 31 Jul '19 15:41
Thank you for your reply.
I tried, but TLSv1 is still not enabled.
Code:
SSLProtocol -all +TLSv1 +TLSv1.2
SSLProxyProtocol -all +TLSv1 +TLSv1.2
Verified by openssl s_client:
Code:
D:\Apache24\bin>openssl.exe s_client -connect localhost:443 -tls1
CONNECTED(00000104)
3452:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl\record\rec_layer_s3.c:1536:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 104 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1564579968
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
Are there any shortages or omissions in the cipher suite?
Here is the configuration of the cipher suite.
Code:
# default setting
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
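A check for the verification step in the post above, added here as an example and not code from the thread or from Apache Lounge: it runs openssl s_client once per TLS version against a server and classifies each run by the negotiated cipher, because a rejected handshake (as in the output quoted above) still prints "Protocol : TLSv1" and "Verification: OK". It assumes a POSIX shell with an OpenSSL 1.1.1+ openssl on PATH and takes the target from an assumed TLS_PROBE_HOST variable.

```shell
#!/bin/sh
# Added example, not code from the thread: probe which TLS versions a server
# accepts (one "openssl s_client" run per version) and judge each run by the
# negotiated cipher. A rejected handshake still prints "Protocol : TLSv1",
# "Cipher : 0000" and "Verification: OK", so those lines prove nothing.
# Assumes a POSIX shell with OpenSSL 1.1.1+ on PATH (on Windows, e.g. Git
# Bash or WSL) and the target in TLS_PROBE_HOST (an assumed variable name).

# classify_handshake OUTPUT -> "accepted <cipher>" or "rejected <reason>"
classify_handshake() {
    out=$1
    # The authoritative line is "New, <proto>, Cipher is <name>".
    cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*Cipher is //p' | head -n 1)
    case $cipher in
        '')       echo "rejected no-handshake-summary" ;;
        '(NONE)')
            # TLS alert 70 is protocol_version: the server refused this version.
            if printf '%s\n' "$out" | grep -q 'SSL alert number 70'; then
                echo "rejected protocol_version-alert"
            else
                echo "rejected no-cipher"
            fi ;;
        *)        echo "accepted $cipher" ;;
    esac
}

# probe_version HOST:PORT FLAG -> classification of one s_client run
probe_version() {
    # stdin is closed so s_client exits; "|| true" keeps a failed handshake
    # (non-zero exit status) from aborting a script run under "set -e".
    out=$(openssl s_client -connect "$1" "$2" </dev/null 2>&1) || true
    classify_handshake "$out"
}

if [ -n "${TLS_PROBE_HOST:-}" ]; then
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$TLS_PROBE_HOST" "$flag")"
    done
else
    # No target given: classify a constructed excerpt of the rejected -tls1
    # run quoted in the thread above.
    SAMPLE='error: tlsv1 alert protocol version: SSL alert number 70
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'
    echo "sample   $(classify_handshake "$SAMPLE")"  # rejected protocol_version-alert
fi
```

Run it as TLS_PROBE_HOST=localhost:443 sh probe.sh to get one accepted/rejected line per version; the lines for -tls1 and -tls1_1 show whether the SSLProtocol directive actually took effect.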
James Blond (Moderator)
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Wed 31 Jul '19 18:15
If you use a recent version of Apache 2.4 from Apache Lounge, which includes OpenSSL 1.1.1:
Code:
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1

I would not use TLS 1.0 or 1.1 any longer.