httpd-users mailing list archives

From Daniel <dferra...@gmail.com>
Subject Re: [users@httpd] apache 2.4.10 sslv3 not offering when tls is enabled
Date Fri, 10 Feb 2017 09:00:19 GMT
Did you change SSLCipherSuite? Show us which one you have.

2017-02-10 9:29 GMT+01:00 Sven Crul <Sven.Crul@belmedis.be>:

> Hi,
>
>
> First of all, thanks. Like I already said, I tried about everything :-(
> Nevertheless I tried all of them again ... without success.
>
> I cannot get the server to offer SSLv3 when TLS is enabled (any TLS).
> When I set SSLProtocol to SSLv3 then SSLv3 works, but from the moment I add
> TLS, SSLv3 no longer works.
>
>
> Sven
>
>
>
>
>
> From: Mitchell Krog Photography <mitchellkrog@gmail.com>
> To: Christopher Schultz <chris@christopherschultz.net>, users@httpd.apache.org
> Date: 10/02/2017 08:26
> Subject: Re: [users@httpd] apache 2.4.10 sslv3 not offering when tls is enabled
> ------------------------------
>
>
>
> Your SSL config for Apache 2.4.10 should be as follows
>
> <VirtualHost *:443>
>    ...
>    SSLEngine on
>    SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
>    SSLCertificateKeyFile   /path/to/private/key
>
>    # Uncomment the following directive when using client certificate authentication
>    #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication
>
>
>    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
>    Header always set Strict-Transport-Security "max-age=15768000"
>    ...
> </VirtualHost>
>
> # intermediate configuration, tweak to your needs
> SSLProtocol             all -SSLv3
> SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
> SSLHonorCipherOrder     on
> SSLCompression          off
>
>
> # OCSP Stapling, only in httpd 2.3.3 and later
> SSLUseStapling          on
> SSLStaplingResponderTimeout 5
> SSLStaplingReturnResponderErrors off
> SSLStaplingCache        shmcb:/var/run/ocsp(128000)
>
>
> Always check with https://mozilla.github.io/server-side-tls/ssl-config-generator/
>
>
>
> From: Christopher Schultz <chris@christopherschultz.net>
> Reply: users@httpd.apache.org
> Date: 10 February 2017 at 12:15:30 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] apache 2.4.10 sslv3 not offering when tls is enabled
>
>    -----BEGIN PGP SIGNED MESSAGE-----
>    Hash: SHA256
>
>    Daniel,
>
>    On 2/9/17 4:53 PM, Daniel wrote:
>    > Try manually:
>    >
>    > SSLProtocol SSLv3 TLSv1 TLSv1.1 TLSv1.2
>
>    And, please, for the love of god, add these, too:
>
>    SSLHonorServerOrder On
>    SSLCipherSuite TLSv1.2:TLSv1.1:TLSv1:SSLv3
>
>    This will cause "better" ciphers to be preferred over the lesser ones.
>    Don't forget to eliminate the insecure ones like EXPORT, MD5, DES,
>    RC4, etc.
>
>    A typical cipher string I might use looks like this:
>
>    SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:!RC4:ECDHE:ECDH:DHE:AES256-GCM-SHA384:AES128-GCM-SHA256:HIGH
>
>    - -chris
>
>    > 2017-02-09 17:30 GMT+01:00 Sven Crul <Sven.Crul@belmedis.be>:
>    >
>    > Hi,
>    >
>    >
>    > I switched to Debian with Apache 2.4.10, where I need SSLv3 for
>    > backwards compatibility with some OLD clients.
>    >
>    > I use OpenSSL 1.0.1t (latest stable for Debian).
>    >
>    >
>    > With the setting "SSLProtocol all" in ssl.conf, SSLv3 is not
>    > offered.
>    >
>    > With the setting "SSLProtocol SSLv3" in ssl.conf it works, but
>    > unfortunately without TLS (I need TLS also).
>    >
>    >
>    > I must be the only one who has this problem, because I can't find
>    > anything about it anywhere, and I tried about anything there is:
>    >
>    >
>    > SSLProtocol all +SSLv3 ... etc. Nothing works.
>    >
>    >
>    > Anybody has an idea?
>    >
>    >
>    > THX!!!!!
>    >
>    > Sven
>    >
>    >
>    >
>    >
>    >
>    >
>    > -- *Daniel Ferradal* IT Specialist
>    >
>    > email dferradal at gmail.com
>    > linkedin es.linkedin.com/in/danielferradal
>    -----BEGIN PGP SIGNATURE-----
>    Comment: GPGTools - http://gpgtools.org
>    Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
>    iQIcBAEBCAAGBQJYnOoCAAoJEBzwKT+lPKRYgnkP/jHquyBGVH2uYKcF6Pzyn7Uw
>    LduZ+8eVqnSC5OsI7s6HBZrqxJthIb2c5Ns+w/rR8ga4o86bzWd+Shr+lwI41UXJ
>    gEjJDUyQYN5/1YMwlc+w/MFyqgWIaJTdJEhC1kgBMzQzNt53og13tMT7z93rvMsE
>    NZC1Gb0ANYx68d4/QC/J1Qoh3H0PkqLniHuV6GOuM7zeu9i5IcLQDW4WX7yXcG63
>    2VsTKwcPdQ1uH3t3i5c3+bbtvWsfMn0bj5Z8SaYInpLWX1swIBLh9b2+dzD5+A2Q
>    wLgSdIqgZhbkSyqFvq8oqXiaKQ6oxXVXfEJ6bivTkQNbyflR64eqqWXSRsc/RxfK
>    GJnalLogEM3iP2L7BUAE7Ok3r8xP4Drxy8JaVSLYNm+0BboSP80MZ0YPiIKcniZF
>    lkyQwyqOWX+OO1Eo0Z6SOTRoRMbymIPvgV+34aVp4admwNtfUN/2F+dPn+7xExHW
>    Y5oA7j9qBEYXJg63AHY3R//tGm/rtnDlHPt8bxCw5tWrR6HFgoqabyR5MhSYpfED
>    g8ReWrkd+Ygr10++hw2wwHf9Qwq9jHa2WYhGQyT5HiTIm+ui1X5gD19p9rpyCfcn
>    ARZ+NgoBHjFGNg0gLu1m3mwDDElnr9/kQE+KRdoVnICm18i3vO4CXzZLUC3moPRR
>    43zsMR858V8ZOZThX0s7
>    =/YOD
>    -----END PGP SIGNATURE-----
>


-- 
*Daniel Ferradal*
IT Specialist

email         dferradal at gmail.com
linkedin     es.linkedin.com/in/danielferradal
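Since the whole thread turns on what a given SSLProtocol line and cipher string actually leave enabled, here is an added example (my own code, not anything posted in the thread or shipped with httpd) that models how mod_ssl combines SSLProtocol tokens and audits a vhost's SSL directives. It assumes httpd 2.4's parser semantics as I read them (a token with no + or - prefix replaces the set built so far, which httpd flags with a "Check if a +/- prefix is missing" warning), uses the protocol list httpd 2.4.10 knows, and runs against a constructed config; expand_cipher_list is a local-OpenSSL check whose output varies with the linked library.

```python
"""Model mod_ssl's SSLProtocol parsing and audit a vhost's SSL directives.

Added example, not code from the thread. Assumptions: the +/-/bare token
semantics follow httpd 2.4's SSLProtocol parser (a bare token replaces the
set built so far and httpd warns "Check if a +/- prefix is missing"); 'all'
expands to the versions httpd 2.4.10 knows; the config text is constructed.
"""
import re
import ssl

# What 'all' expands to in httpd 2.4.10: SSLv2 is gone, TLSv1.3 does not exist yet.
PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def parse_sslprotocol(value):
    """Return, in version order, the protocols an SSLProtocol argument enables."""
    enabled = set()
    for word in value.split():
        action = ""
        if word[0] in "+-":
            action, word = word[0], word[1:]
        if word.lower() == "all":
            tokens = set(PROTOCOLS)
        else:
            tokens = {p for p in PROTOCOLS if p.lower() == word.lower()}
            if not tokens:
                raise ValueError(f"unknown SSLProtocol token {word!r}")
        if action == "+":
            enabled |= tokens
        elif action == "-":
            enabled -= tokens
        else:
            # Bare token: replaces everything set so far, so in
            # "SSLv3 TLSv1 TLSv1.1 TLSv1.2" only the last token survives.
            enabled = tokens
    return [p for p in PROTOCOLS if p in enabled]


_DIRECTIVE = re.compile(r"^\s*(SSL[A-Za-z]+)\s+(.+?)\s*$")


def read_ssl_directives(config_text):
    """Map lower-cased SSL* directive names to their last value.

    Only whole-line comments are skipped: httpd itself does not allow a
    trailing '#' comment after a directive's arguments."""
    found = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _DIRECTIVE.match(line)
        if match:
            found[match.group(1).lower()] = match.group(2)
    return found


def audit(config_text):
    """Report the enabled protocol set plus the weak settings a reviewer looks for."""
    d = read_ssl_directives(config_text)
    # httpd 2.4.10 defaults SSLProtocol to "all"; later releases use "all -SSLv3".
    protocols = parse_sslprotocol(d.get("sslprotocol", "all"))
    findings = []
    if "SSLv3" in protocols:
        findings.append("SSLv3 enabled: exposed to POODLE-style CBC padding attacks")
    if not protocols:
        findings.append("no protocol enabled: every handshake will fail")
    if d.get("sslcompression", "off").lower() == "on":
        findings.append("SSLCompression on: TLS compression leaks plaintext (CRIME)")
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("SSLHonorCipherOrder off: the client picks the cipher, not the server")
    ciphers = d.get("sslciphersuite", "")
    if ciphers and not any(t.startswith("!") for t in ciphers.split(":")):
        findings.append("SSLCipherSuite has no '!' exclusions (aNULL/EXPORT/RC4 may slip in)")
    return {"protocols": protocols, "findings": findings}


def expand_cipher_list(spec):
    """Expand an OpenSSL cipher string with the local OpenSSL, grouped by the
    lowest protocol version each cipher needs. The result depends on the linked
    library (OpenSSL 3 drops 3DES at its default security level, for example),
    so treat it as a local check, not a portable answer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if no cipher matches
    by_protocol = {}
    for c in ctx.get_ciphers():
        by_protocol.setdefault(c["protocol"], []).append(c["name"])
    return by_protocol


# Constructed sample modelled on the directives discussed in the thread; the
# bare-token SSLProtocol line is the one suggested earlier in the thread.
SAMPLE_CONFIG = """
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol SSLv3 TLSv1 TLSv1.1 TLSv1.2
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
    SSLCompression off
</VirtualHost>
"""

if __name__ == "__main__":
    for arg in ("all", "all -SSLv3", "SSLv3 TLSv1 TLSv1.1 TLSv1.2", "-all +SSLv3 +TLSv1.2"):
        print(f"SSLProtocol {arg:32} -> {parse_sslprotocol(arg)}")
    print(audit(SAMPLE_CONFIG))
```

Run it and the bare-token line reports only TLSv1.2 enabled, which is consistent with "from the moment I add TLS, SSLv3 no longer works"; writing the same intent as `-all +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2` keeps all four. Whether SSLv3 is then really offered still depends on the OpenSSL build (it can be compiled without SSLv3) and on the cipher string leaving at least one cipher an SSLv3 client can use, which is what expand_cipher_list shows for the local library. The audit deliberately flags SSLv3 when it is enabled, since the compatibility exception being discussed is exactly what a reviewer should see called out.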
