httpd-users mailing list archives

From Sunil R <dexterse...@gmail.com>
Subject Re: [users@httpd] SSL handshake failure after httpd upgrade to 2.4.12
Date Fri, 31 Jul 2015 05:34:07 GMT
Thanks Daniel.

SSLCipherSuite -
ALL:!ADH:!EXPORT40:!EXPORT56:!LOW:!RC4:!MD5:!IDEA:+HIGH:+MEDIUM:+EXP:+eNULL
SSLProtocol all -SSLv2 -SSLv3

This is the openssl version output:
openssl ciphers -v
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

Output from the nmap scan of the server:
| ssl-enum-ciphers:
|   TLSv1.0
|     Ciphers (14)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_SEED_CBC_SHA
|     Compressors (1)
|_      uncompressed


Thx,
DS
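As an added example (not code from the thread, from httpd or from OpenSSL), the script below parses the `openssl ciphers -v` listing above, applies only the `!` exclusion tokens of the quoted SSLCipherSuite plus the `-SSLv2` from SSLProtocol, and then checks the nmap listing for suites those exclusions should have removed. The OpenSSL 0.9.8 meanings given to LOW/EXPORT40/EXPORT56 and the IANA-name fragments used for the scan check are my own mapping, not something the thread states; the `+HIGH:+MEDIUM:+EXP:+eNULL` ordering tokens are not modelled.

```python
"""Check the 0.9.8 client's cipher list against the server's exclusions and
cross-check a scan. Added example for the thread above; not code from httpd,
OpenSSL or the thread. Only the `!` tokens and `-SSLv2` are modelled."""
import re

# Copied from the `openssl ciphers -v` output above (one line per cipher).
CIPHERS_V = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
IDEA-CBC-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
"""
SSL_CIPHER_SUITE = "ALL:!ADH:!EXPORT40:!EXPORT56:!LOW:!RC4:!MD5:!IDEA:+HIGH:+MEDIUM:+EXP:+eNULL"
SSL_PROTOCOL = "all -SSLv2 -SSLv3"
# The 14 suites nmap's ssl-enum-ciphers listed for the server above.
NMAP_SUITES = """TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_RSA_WITH_SEED_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA""".split()

LINE = re.compile(r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=([A-Za-z0-9]+)\((\d+)\)"
                  r"\s+Mac=(\S+)(\s+export)?\s*$")


def parse_ciphers_v(text):
    """Turn `openssl ciphers -v` lines into dicts. 'SSLv3' in that output means
    'SSLv3 or any TLS version'; only 'SSLv2' is protocol-specific."""
    ciphers = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # blank or unparseable lines are skipped
            name, proto, kx, au, alg, bits, mac, exp = m.groups()
            ciphers.append({"name": name, "proto": proto, "kx": kx, "au": au,
                            "alg": alg, "bits": int(bits), "mac": mac, "export": bool(exp)})
    return ciphers


# What each `!` token in the quoted SSLCipherSuite means in terms of the -v
# columns (OpenSSL 0.9.8 semantics: LOW is 56/64-bit non-export encryption).
EXCLUSION_TESTS = {
    "ADH": lambda c: c["au"] == "None",
    "EXPORT40": lambda c: c["export"] and c["bits"] == 40,
    "EXPORT56": lambda c: c["export"] and c["bits"] == 56,
    "LOW": lambda c: not c["export"] and c["bits"] in (56, 64),
    "RC4": lambda c: c["alg"] == "RC4",
    "MD5": lambda c: c["mac"] == "MD5",
    "IDEA": lambda c: c["alg"] == "IDEA",
}


def why_excluded(cipher, cipher_string, protocol_string):
    """Tokens that reject this cipher: a disabled protocol first, then each matching `!X`."""
    reasons = ["-SSLv2"] if cipher["proto"] == "SSLv2" and "-SSLv2" in protocol_string.split() else []
    for tok in cipher_string.split(":"):
        if tok.startswith("!") and tok[1:] in EXCLUSION_TESTS and EXCLUSION_TESTS[tok[1:]](cipher):
            reasons.append(tok)
    return reasons


def acceptable(ciphers, cipher_string, protocol_string):
    """Client ciphers that the server's exclusions leave standing, in client order."""
    return [c["name"] for c in ciphers if not why_excluded(c, cipher_string, protocol_string)]


# Fragments of IANA suite names (as nmap prints them) that the same `!` tokens cover.
SCAN_PATTERNS = {"RC4": "_RC4_", "MD5": "_MD5", "IDEA": "_IDEA_", "LOW": "_WITH_DES_CBC_",
                 "EXPORT40": "_EXPORT_", "EXPORT56": "_EXPORT1024_", "ADH": "_DH_anon_"}


def scan_violations(suites, cipher_string):
    """Suites a scanner saw that the `!` tokens should have removed, with the tokens hit."""
    tokens = [t[1:] for t in cipher_string.split(":") if t.startswith("!")]
    hits = {s: [t for t in tokens if t in SCAN_PATTERNS and SCAN_PATTERNS[t] in s] for s in suites}
    return {s: why for s, why in hits.items() if why}


if __name__ == "__main__":
    client = parse_ciphers_v(CIPHERS_V)
    ok = acceptable(client, SSL_CIPHER_SUITE, SSL_PROTOCOL)
    print(f"{len(ok)} of {len(client)} client ciphers pass the server's exclusions:", ", ".join(ok))
    for suite, why in scan_violations(NMAP_SUITES, SSL_CIPHER_SUITE).items():
        print(f"scan offered {suite} although SSLCipherSuite has !{' !'.join(why)}")
```

Run as a script it reports that 9 of the client's 27 ciphers (the AES and 3DES ones) survive the exclusions, and that the scan's two RC4 suites contradict `!RC4` and `!MD5`; that mismatch is worth checking before anything else, because it suggests the listener nmap scanned is not using the SSLCipherSuite line quoted above. Note that `+` tokens only reorder ciphers already in the list and cannot re-add anything removed with `!`, so they do not affect the exclusion result.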

On Thu, Jul 30, 2015 at 8:16 PM, Daniel <dferradal@gmail.com> wrote:

> You should share your SSLCiphersuite and SSLProtocol values first, besides
> that version of openssl is quite lacking regarding the availability of
> ciphers and protocols.
>
> 2015-07-30 5:37 GMT+02:00 Sunil R <dexterseven@gmail.com>:
>
>> I'm trying to upgrade the Apache version from httpd 2.2.25 to 2.4.12. I'm
>> building Apache with the same OpenSSL version 0.9.8. After the upgrade I see
>> that the openssl s_client query to the server fails with error:
>>
>> [Mon Jul 27 02:57:47.982584 2015] [ssl:info] [pid 22460:tid 1943075728] SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>>
>> The openssl client version is OpenSSL 0.9.8g (OpenSSL/FIPS). In the
>> httpd config file I have disabled SSLv2 and SSLv3.
>>
>> When I enable debug options on the s_client this is the output:
>>
>> Linux# /isan/bin/openssl s_client -connect localhost:443 -debug -state -msg
>> CONNECTED(00000003)
>> SSL_connect:before/connect initialization
>> write to 0x9d606b0 [0x9d61678] (124 bytes => 124 (0x7C))
>> 0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .z....Q... ..9..
>> 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
>> 0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../.......
>> 0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00   ................
>> 0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
>> 0050 - 00 00 06 04 00 80 00 00-03 02 00 80 68 fd d4 c6   ............h...
>> 0060 - 77 4c 5e ef 2f 41 d4 18-e6 f8 6d d3 9e 8c b2 2d   wL^./A....m....-
>> 0070 - b4 81 83 fd c7 63 f6 8b-fe 26 e9 97               .....c...&..
>> >>> SSL 2.0 [length 007a], CLIENT-HELLO
>>     01 03 01 00 51 00 00 00 20 00 00 39 00 00 38 00
>>     00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
>>     33 00 00 32 00 00 2f 00 00 07 05 00 80 03 00 80
>>     00 00 05 00 00 04 01 00 80 00 00 15 00 00 12 00
>>     00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 00
>>     06 04 00 80 00 00 03 02 00 80 68 fd d4 c6 77 4c
>>     5e ef 2f 41 d4 18 e6 f8 6d d3 9e 8c b2 2d b4 81
>>     83 fd c7 63 f6 8b fe 26 e9 97
>> SSL_connect:SSLv2/v3 write client hello A
>> read from 0x9d606b0 [0x9d66bd8] (7 bytes => 0 (0x0))
>> 7175:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
>> Linux#
>>
>> The SSL handshake goes through fine in these cases:
>>
>> 1. When I enable SSLv3, the query goes through fine.
>>
>> 2. When I force TLSv1 in the s_client query.
>>
>> 3. With the older httpd version 2.2.25.
>> Is this intentional, to honor the configured disabling of SSLv3?
>>
>> Please help me find out what the issue could be. Let me know if any other
>> details are needed.
>>
>> Thx,
>> DS
>>
>
>
>
> --
> *Daniel Ferradal*
> IT Specialist
>
> email         dferradal at gmail.com
> linkedin     es.linkedin.com/in/danielferradal
>
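The trace quoted above labels the 124-byte write as `SSL 2.0 [length 007a], CLIENT-HELLO`: unless told `-tls1`, the 0.9.8 s_client wraps its hello in the SSLv2 record format (two-byte header with the top bit set) even though the hello itself advertises TLS 1.0 in its version bytes. A server whose record layer only parses SSLv3/TLS records sees those first bytes as a malformed TLS record, which is what `SSL3_GET_RECORD:wrong version number` reports; one explanation consistent with the three working cases, though not confirmed in the thread, is that with SSLv3 disabled and a TLS-1.0-only OpenSSL the server ends up on a TLSv1-only code path that does not accept the version-2-compatible framing. The decoder below is an added example, not code from the thread, OpenSSL or httpd; it parses the captured bytes, checks every length field, and names the 27 ciphers the client offered (the name tables are the standard cipher identifiers, typed in by hand).

```python
"""Decode the 124-byte ClientHello that `openssl s_client -debug` wrote in the
trace above. Added example for this thread; not code from OpenSSL, httpd or
the thread. The name tables are the standard cipher identifiers, typed by hand."""
import struct

# Transcribed from the "write to ... (124 bytes)" dump in the trace above.
CAPTURED_HELLO = bytes.fromhex(
    "807a0103010051000000200000390000" "3800003500001600001300000a0700c0"
    "00003300003200002f00000705008003" "00800000050000040100800000150000"
    "12000009060040000014000011000008" "00000604008000000302008068fdd4c6"
    "774c5eef2f41d418e6f86dd39e8cb22d" "b48183fdc763f68bfe26e997")

VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
# SSLv3/TLS suite ids; inside a v2 hello they travel as three bytes 00 hi lo.
TLS_NAMES = {
    0x0039: "DHE-RSA-AES256-SHA", 0x0038: "DHE-DSS-AES256-SHA", 0x0035: "AES256-SHA",
    0x0016: "EDH-RSA-DES-CBC3-SHA", 0x0013: "EDH-DSS-DES-CBC3-SHA", 0x000A: "DES-CBC3-SHA",
    0x0033: "DHE-RSA-AES128-SHA", 0x0032: "DHE-DSS-AES128-SHA", 0x002F: "AES128-SHA",
    0x0007: "IDEA-CBC-SHA", 0x0005: "RC4-SHA", 0x0004: "RC4-MD5",
    0x0015: "EDH-RSA-DES-CBC-SHA", 0x0012: "EDH-DSS-DES-CBC-SHA", 0x0009: "DES-CBC-SHA",
    0x0014: "EXP-EDH-RSA-DES-CBC-SHA", 0x0011: "EXP-EDH-DSS-DES-CBC-SHA",
    0x0008: "EXP-DES-CBC-SHA", 0x0006: "EXP-RC2-CBC-MD5", 0x0003: "EXP-RC4-MD5",
}
# SSLv2-only cipher kinds (three bytes with a non-zero first byte).
SSL2_NAMES = {
    0x0700C0: "DES-CBC3-MD5", 0x050080: "IDEA-CBC-MD5", 0x030080: "RC2-CBC-MD5",
    0x010080: "RC4-MD5", 0x060040: "DES-CBC-MD5",
    0x040080: "EXP-RC2-CBC-MD5", 0x020080: "EXP-RC4-MD5",
}


def record_framing(data):
    """What a record layer sees in the first byte: an SSLv2 header carries the
    length with the top bit set, an SSLv3/TLS record starts with a content
    type (0x16 = handshake)."""
    if not data:
        return "empty"
    if data[0] & 0x80:
        return "SSLv2"
    return "SSLv3/TLS" if data[0] == 0x16 else "unknown"


def parse_v2_client_hello(data):
    """Decode a version-2-compatible CLIENT-HELLO, checking every length field."""
    if record_framing(data) != "SSLv2":
        raise ValueError("not an SSLv2-framed record")
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length or body[0] != 0x01:
        raise ValueError("truncated record or not a CLIENT-HELLO")
    # msg_type(1) version(2) cipher_spec_len(2) session_id_len(2) challenge_len(2)
    version, cipher_len, sid_len, chal_len = struct.unpack(">HHHH", body[1:9])
    if cipher_len % 3 or len(body) != 9 + cipher_len + sid_len + chal_len:
        raise ValueError("inconsistent length fields")
    tls, v2only = [], []
    for i in range(9, 9 + cipher_len, 3):
        a, b, c = body[i], body[i + 1], body[i + 2]
        if a == 0:
            tls.append(TLS_NAMES.get((b << 8) | c, f"0x{b:02x}{c:02x}"))
        else:
            v2only.append(SSL2_NAMES.get((a << 16) | (b << 8) | c, f"0x{a:02x}{b:02x}{c:02x}"))
    return {"framing": "SSLv2", "version": version,
            "version_name": VERSIONS.get(version, hex(version)),
            "tls_suites": tls, "sslv2_only": v2only,
            "session_id_len": sid_len, "challenge_len": chal_len}


if __name__ == "__main__":
    h = parse_v2_client_hello(CAPTURED_HELLO)
    print(f"{h['framing']}-framed hello advertising {h['version_name']}: "
          f"{len(h['tls_suites'])} TLS suites, {len(h['sslv2_only'])} SSLv2-only ciphers")
    print("a TLS-framed hello starts with content type 0x16 and is seen as:",
          record_framing(bytes.fromhex("160301")))
```

Decoded, the record advertises TLSv1.0 (version bytes `03 01`) and lists exactly the 27 ciphers from the `openssl ciphers -v` output earlier in the thread, in the same order, seven of them SSLv2-only kinds that no TLS server can use; the 32-byte challenge at the end is the client random. The `record_framing` check is the same first-byte decision a server makes, which is why a client forced to `-tls1` (content type `0x16`) succeeds against the same configuration.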
