httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaspar Brand <>
Subject Re: Older clients stopped working after server disabled SSLv3
Date Sat, 01 Nov 2014 07:15:02 GMT
On 29.10.2014 16:42, Yann Ylavic wrote:
> On Wed, Oct 29, 2014 at 2:52 PM, Mikhail T. <> wrote:
>> That would solve our problem, though some may wonder about the subtle
>> differences between "any" and "all" :-) More seriously, it would also make
>> the config-files incompatible with earlier httpd-releases -- whereas the
>> patch I linked to does not have this problem.

Definitely agreeing with Mikhail. Adding "Any" as another option is just
likely to cause even more confusion (and I'm also not in support of adding
things like "safe", just for the records).

Without clear steps on how to reproduce the problem (what httpd version,
what OpenSSL version, what client, what SSLProtocol settings), I'm fairly
doubtful that there really is a problem here. From a quick glance at
OpenSSL's s23_srvr.c:ssl23_get_client_hello(), I fail to see any reason
why the current mod_ssl code in
ssl_engine_init.c:ssl_init_ctx_protocol() would disable the acceptance
of an SSLv2 compatible ClientHello when a single protocol setting (cases
like protocol == SSL_PROTOCOL_TLSV1) is active.

Reading further down on the serverfault entry referenced earlier [1],
the "real" OP (Matt Hughes, i.e. the one who posted to httpd-users, in
the thread mentioned by Jeff) meanwhile came to the conclusion that his
problem "was a non-issue all along. Apache will accept SSLv2 handshake
with either of the configurations I posted above". In fact, I have no
problem to connect to httpd/mod_ssl with "SSLProtocol TLSv1", when
using "openssl s_client -cipher RC4-MD5 -connect ...", (provided that
RC4-MD5 is still enabled server-side). In that case, I'm seeing an
SSLv2 compatible hello, with TLS 1.0 getting negotiated in the end.



View raw message