httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Theo Sweeny <theo.swe...@madgex.com>
Subject RE: [users@httpd] SSLProtocol and TLSv1
Date Thu, 14 Jul 2016 07:13:07 GMT
Hello Phil – that sounds as if when the traffic comes through the public gateway, SSL is
offloading to an interim gateway device rather than at the Apache server.

Are there any interim gateway devices?

If so – do they manage SSL offloading?

Theo

From: Phil Smith [mailto:philboonz@gmail.com]
Sent: 13 July 2016 21:47
To: users@httpd.apache.org
Subject: [users@httpd] SSLProtocol and TLSv1

I'm running Apache distributed via CentOS6:
Server: Apache/2.2.15 (CentOS)

I'm attempting to disable TLSv1.0 in ssl.conf using either of:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1
or
SSLProtocol +TLSv1.1 +TLSv1.2

Either setting seems to work in disabling TLSv1 if the apache server is requested via private
IP address.

However, neither seem to work in disabling TLSv1 if the apache server is requested via public
IP address.

I'm using openssl to test support for tlsv1 using:
/usr/bin/openssl s_client -connect x.x.x.x:443 -tls1

When x.x.x.x is replaced with private IP address, TLSv1 is not supported.
When x.x.x.x is replaced with public IP address, TLSv1 is supported.

NAT'ing is set up properly from the private to public IP addresses that I am using to test.

openssl version is:
$ openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013

The server is configured for IP based virtual hosts.

Does anyone have any idea why this would be happening?

Thank you.
Mime
View raw message