httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 60739] SSLProtocol settings seem to have no effect
Date Thu, 16 Mar 2017 11:36:54 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=60739

--- Comment #6 from David Favor <david@davidfavor.com> ---
The problem seems to be an interaction between the Cipher List + SSLProtocol.

Depending on the setting of the Cipher List, SSLProtocol seems to work or be ignored.

These settings disable TLSv1.0:

# support old Android phones
SSLProtocol All -SSLv2 -SSLv3 -TLSv1

# Force using custom cipher list
SSLHonorCipherOrder on

Define sslCiphers -ALL:!ADH:!aNULL:!EXP:!EXPORT40:!EXPORT56:!3DES:!eNULL:!NULL:!RC4:!DES:!MD5:!LOW
Define sslCiphers ${sslCiphers}:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
SSLCipherSuite ${sslCiphers}

Other sslCiphers settings cause SSLProtocol to be ignored.

I think the fix is either to have SSLProtocol cause a prune of sslCiphers
settings or if there's a conflict between SSLProtocol + sslCiphers then have
some sort of warning about the conflict.

All in all, the problem is far more complex than it appears on the surface.

For now, I'll resolve my situation by using the above settings.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
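
A client-side check of which protocol versions a server really negotiates, compared against the SSLProtocol value quoted in the comment above. This is an added example, not part of the original message or of httpd; the names `disabled_by`, `probe` and `audit` are made up here, and it assumes the local Python/OpenSSL build can still offer TLSv1.0 and TLSv1.1 (otherwise those probes return None or False for local reasons).

```python
import socket
import ssl
import sys

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def disabled_by(directive):
    """Protocol names removed by '-Name' tokens in an SSLProtocol value."""
    return {tok[1:].lower() for tok in directive.split() if tok.startswith("-")}

def probe(host, port, name, timeout=5.0):
    """True: handshake at exactly this version completed; False: handshake
    failed; None: host unreachable or version unusable in the local OpenSSL."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # version check only, no trust decision
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let the client offer old versions
        ctx.minimum_version = ctx.maximum_version = VERSIONS[name]
        raw = socket.create_connection((host, port), timeout=timeout)
    except (ValueError, OSError):
        return None
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version() == name
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False
    finally:
        raw.close()

def audit(directive, observed):
    """Versions the directive removes but the server still negotiated."""
    off = disabled_by(directive)
    return sorted(n for n, ok in observed.items() if ok and n.lower() in off)

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    directive = "All -SSLv2 -SSLv3 -TLSv1"  # SSLProtocol value from the comment
    observed = {n: probe(host, port, n) for n in VERSIONS}
    print(observed, "accepted despite directive:", audit(directive, observed))
```

A False result means only that the handshake failed at that version; a cipher list with no suite usable at that version produces the same outcome as a disabled protocol.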

