httpd-users mailing list archives

From John Iliffe <john.ili...@iliffe.ca>
Subject Re: [users@httpd] Enabling ECDHE ciphers
Date Fri, 18 Apr 2014 17:16:07 GMT
Further to my previous post, the log reports:

[Sun Apr 13 03:20:08.591247 2014] [mpm_event:notice] [pid 11737:tid 
140478837470976] AH00489: Apache/2.4.9 (Unix) OpenSSL/1.0.1g configured -- 
resuming normal operations
[Sun Apr 13 03:20:08.591283 2014] [core:notice] [pid 11737:tid 
140478837470976] AH00094: Command line: '/usr/apache-2.4.9/bin/httpd'

BUT the libssl in use, and resulting from installing OpenSSL-1.0.1g, is 
libssl-1.0.0

John
==========================================
On Friday 18 April 2014 13:08:12 John Iliffe wrote:
> Re the version of OpenSSL, I reported this last week to this list.
> 
> Seems that OpenSSL-1.0.1g is linked to libssl-1.0.0, not the usual
> libssl-1.x.x format.
> 
> Probably a make file error, but it really seems to be 1.0.1g.
> 
> John
> =================================
> 
> On Friday 18 April 2014 12:14:32 Christopher Schultz wrote:
> > Igor,
> > 
> > On 4/17/14, 8:56 PM, Igor Cicimov wrote:
> > > On 18/04/2014 2:30 AM, "Hanno Böck" <hanno@hboeck.de> wrote:
> > >> On Thu, 17 Apr 2014 12:27:37 -0400
> > >> Christopher Schultz <chris@christopherschultz.net> wrote:
> > >> > I'm trying to enable (and prefer!) ECDHE ciphers for clients that
> > >> > can support them. I've done the obvious:
> > >> [...]
> > >> 
> > >> > I'm running httpd 2.2.23
> > >> 
> > >> That's your problem. Get rid of that old cruft. You'll need apache
> > >> 2.4 (for that and for many other improvements regarding ssl
> > >> encryption).
> > > 
> > > > No, you don't. I have 2.2 with latest openssl-1.0.1g on all my servers
> > > > and TLSv1.2 and ECDHE ciphers are supported.
> > 
> > I checked, and even though I have the OpenSSL 1.0.1g package
> > installed, it appears that httpd was compiled against OpenSSL 1.0.0.
> > When I look at the start up log, it says:
> > 
> > [Mon Apr 14 15:49:34 2014] [notice] Apache/2.2.23 (Unix) DAV/2
> > mod_jk/1.2.37 PHP/5.3.28 mod_ssl/2.2.23 OpenSSL/1.0.0-fips configured
> > -- resuming normal operations
> > 
> > On another test server, I upgraded to the latest 2.2.x httpd I can get
> > from Amazon, which is 2.2.26. I re-started and still can't seem to use
> > the ECDHE algorithms.
> > 
> > On that same (second) test server I upgraded to httpd 2.4.9. Here is
> > the startup log message there:
> > 
> > [Fri Apr 18 15:53:26.330856 2014] [mpm_prefork:notice] [pid 15337]
> > AH00163: Apache/2.4.9 (Amazon) OpenSSL/1.0.1e-fips PHP/5.5.10
> > mod_jk/1.2.40 configured -- resuming normal operations
> > 
> > I'm now able to use the ECDHE ciphers.
> > 
> > Everything appears to be dynamically-linked, so I can't understand why
> > 2.2.x reports it's running with OpenSSL 1.0.0 when I clearly have
> > 1.0.1 installed. This is almost certainly an Amazon-Linux-related
> > thing if you were able to get ECDHE ciphers working on 2.2.x.
> > 
> > I wonder, what does your startup string say about OpenSSL?
> > 
> > The good news is that I really did only have to put it in my ciphers
> > list.
> > 
> > Thanks,
> > -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
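
An added example, not part of any message in this thread: a Python script that extracts the OpenSSL token from the startup banners quoted above and compares it with the package version the administrator expects httpd to be using. The function names are hypothetical, and the banners are the three from the thread with the mail line wraps undone.

```python
import re

# Startup banners copied from the thread, with the mail client's line wraps undone.
BANNERS = [
    "[Mon Apr 14 15:49:34 2014] [notice] Apache/2.2.23 (Unix) DAV/2 "
    "mod_jk/1.2.37 PHP/5.3.28 mod_ssl/2.2.23 OpenSSL/1.0.0-fips configured "
    "-- resuming normal operations",
    "[Fri Apr 18 15:53:26.330856 2014] [mpm_prefork:notice] [pid 15337] "
    "AH00163: Apache/2.4.9 (Amazon) OpenSSL/1.0.1e-fips PHP/5.5.10 "
    "mod_jk/1.2.40 configured -- resuming normal operations",
    "[Sun Apr 13 03:20:08.591247 2014] [mpm_event:notice] [pid 11737:tid "
    "140478837470976] AH00489: Apache/2.4.9 (Unix) OpenSSL/1.0.1g configured "
    "-- resuming normal operations",
]

TOKEN = re.compile(r"\b([A-Za-z_]+)/(\S+)")
VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def banner_tokens(line):
    """Return {product: version} for the product tokens in a startup line."""
    # Drop every leading [bracketed] field and an optional AHnnnnn: message id.
    body = re.sub(r"^(\[[^\]]*\]\s*)+(AH\d+:\s*)?", "", line)
    body = body.split(" configured", 1)[0]
    return dict(TOKEN.findall(body))


def version_key(text):
    """'1.0.1e-fips' -> (1, 0, 1, 'e'); the -fips build tag is ignored."""
    m = VERSION.match(text)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % text)
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def audit(lines, installed):
    """Compare each banner's OpenSSL token with the installed package version."""
    want = version_key(installed)
    report = []
    for line in lines:
        tokens = banner_tokens(line)
        got = tokens.get("OpenSSL")
        status = "no-openssl-token" if got is None else (
            "match" if version_key(got) == want else
            "older" if version_key(got) < want else "newer")
        report.append((tokens.get("Apache"), got, status))
    return report
```

An "older" result means the banner names a lower OpenSSL release than the package the administrator installed, which is the mismatch the thread is trying to explain.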
