From: Igor Cicimov <icicimov@gmail.com>
To: users@httpd.apache.org
Date: Wed, 21 Nov 2012 09:44:56 +1100
Subject: Re: [users@httpd] does apache 2.2 or latest support TLS 1.1

On Wed, Nov 21, 2012 at 9:22 AM, securenamefirst securenamelast <securenamefirst@gmail.com> wrote:
> Thanks Igor,
> can i have 2 open ssl installations on same machine?
> i have apache 2.2 using open ssl 0.9 serving current application requests.
> i have requirement to transfer files over TLS1.1, hence need for open ssl
> 1.0.1. seems an overkill to have a second webserver instance just to
> transfer files, but i see it as only solution.
>
> Files can be done via ftps using something like mina apache ftp server -
> probably same problem there too in terms of open SSL 0.9.
>
> On Tue, Nov 20, 2012 at 9:44 PM, Igor Cicimov <icicimov@gmail.com> wrote:
>
>> On Wed, Nov 21, 2012 at 7:26 AM, securenamefirst securenamelast <securenamefirst@gmail.com> wrote:
>>
>>> Hi,
>>> i'm confused!
>>> i read as part of the features list for Apache 2.2
>>> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
>>> that
>>> SSL_PROTOCOL string The SSL protocol version (SSLv2, SSLv3, TLSv1,
>>> TLSv1.1, TLSv1.2)
>>>
>>>
>>> however when i run the app using apache 2.2 i get following:
>>> [Thu Nov 08 13:38:54 2012] [notice] Apache/2.2.10 (Unix) DAV/2
>>> mod_ssl/2.2.10 OpenSSL/0.9.7d mod_jk/1.2.26 configured -- resuming normal
>>> operations
>>>
>>> meaning i'm using apache 2.2 but with openssl 0.9 which according to
>>> what i read only supports up to TLSv1.0 and not above. to get TLS 1.1
>>> apparently i need open ssl 1.0.1.
>>> https://community.qualys.com/thread/2013
>>>
>>> problem 1 - does apache 2.2 or 2.4 support TLS 1.1 or not? -
>>> documentation says it does via the mod ssl.
>>>
>>> if yes then how do i get TLS1.1 working? i would appreciate some
>>> direction, app only way is to recompile with openssl 1.0 and that 2.2 does
>>> not support TLSv1.1,
>>>
>>> thanks
>>>
>>
>> Install open ssl 1.0.1 and recompile apache to use that one.
>>
>

Sure you can, this is how I compiled openssl on one redhat server a couple of weeks ago:

$ ./config --prefix=/usr/local *--openssldir=/usr/local/ssl* enable-tlsext shared
$ sudo make && sudo make install

so you can use a different --openssldir every time you compile a new version, i.e. --openssldir=/usr/local/openssl-1.0.1c etc. and have several versions in parallel.

Then compiled apache with the following command:

$ *LDFLAGS=-L/usr/local/lib64 CPPFLAGS=-I/usr/local/include* ./configure --prefix=/usr/local/apache2 --with-mpm=worker --with-included-apr --enable-info --enable-proxy --enable-proxy-connect --enable-proxy-ftp --enable-proxy-http --enable-proxy-balancer --enable-rewrite --enable-headers --enable-cache --enable-mem-cache --enable-disk-cache --enable-expires --enable-mods-shared=all --enable-dav --enable-deflate *--enable-ssl=shared --with-ssl=/usr/local/ssl*

to point apache to the 1.0.1c openssl and use that one at runtime.
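The thread turns on one fact: mod_ssl can only offer the protocol versions that the OpenSSL it is linked against implements, so the `OpenSSL/x.y.z` token in the httpd startup notice is the thing to check before and after a rebuild. The script below is an added example, not code from the list message or from the httpd project: it parses that notice line, decides whether the reported OpenSSL is 1.0.1 or newer (the first release with TLS 1.1 and TLS 1.2), and, for an installed build, resolves which libssl the `mod_ssl.so` actually loads so a rebuild that silently picked up the system OpenSSL is caught. `SAMPLE_OLD` is the notice line quoted in the thread; `SAMPLE_NEW`, the module path default and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: verify the OpenSSL behind an httpd build (not from the thread).

# The startup notice quoted in the thread (real line from the original poster)
SAMPLE_OLD='[Thu Nov 08 13:38:54 2012] [notice] Apache/2.2.10 (Unix) DAV/2 mod_ssl/2.2.10 OpenSSL/0.9.7d mod_jk/1.2.26 configured -- resuming normal operations'
# A constructed notice line as it would look after rebuilding against 1.0.1c
SAMPLE_NEW='[Tue Nov 20 10:00:00 2012] [notice] Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.1c configured -- resuming normal operations'

# Extract the version token that follows "OpenSSL/" (e.g. "0.9.7d"); prints
# nothing when the line carries no such token (e.g. mod_ssl not loaded).
openssl_version_from_notice() {
    printf '%s\n' "$1" | sed -n 's|.*OpenSSL/\([0-9][0-9.]*[a-z]*\).*|\1|p'
}

# Return 0 when VERSION is >= 1.0.1, the first OpenSSL release implementing
# TLS 1.1 and TLS 1.2. Letter suffixes ("1.0.1c") and a missing third
# component ("3.0") are tolerated; anything unparsable counts as too old.
openssl_supports_tls11() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop "c" from 1.0.1c
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0                  # no third component
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -gt 0 ] && return 0
    [ "$patch" -ge 1 ]
}

# Verdict for one notice line. Exit status: 0 = TLS 1.1/1.2 possible,
# 1 = OpenSSL too old (rebuild needed), 2 = no OpenSSL token in the line.
check_httpd_notice() {
    v=$(openssl_version_from_notice "$1")
    if [ -z "$v" ]; then
        echo "no OpenSSL version in notice line (is mod_ssl loaded?)"
        return 2
    fi
    if openssl_supports_tls11 "$v"; then
        echo "OpenSSL $v: TLS 1.1/1.2 available to mod_ssl"
        return 0
    fi
    echo "OpenSSL $v: TLS 1.0 at most; rebuild httpd against OpenSSL >= 1.0.1"
    return 1
}

# After "make install", confirm the shared mod_ssl is bound to the libssl under
# the new prefix and not the distribution's copy. Prints the resolved path.
# The default module location is an assumption matching --prefix=/usr/local/apache2.
mod_ssl_libssl_path() {
    mod="${1:-/usr/local/apache2/modules/mod_ssl.so}"
    [ -f "$mod" ] || { echo "mod_ssl not found: $mod" >&2; return 1; }
    ldd "$mod" | awk '/libssl/ { print $3 }'
}

# Usage when run directly: evaluate both sample lines.
for line in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    check_httpd_notice "$line" || true
done
```

On a rebuilt server, `check_httpd_notice "$(grep -m1 'resuming normal operations' /usr/local/apache2/logs/error_log)"` gives the verdict from the live log, and `mod_ssl_libssl_path` should print a path under the new `--prefix` (here `/usr/local/lib64/libssl.so.1.0.0`); a path under `/usr/lib` or `/usr/lib64` means the `LDFLAGS`/`CPPFLAGS` in the configure line did not take effect and the old 0.9.x library is still what mod_ssl will use.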