RE: [users@httpd] Upgrading from OpenSSL 0.9.8 to OpenSSL 1.0.2a
This is a really late follow-up (my apologies). I am now trying to recompile Apache but am not sure I am following the correct steps. The command I found to use is: nmake /f Makefile.win _apacher If I am understanding things correctly, I need a full version of Visual Studio to complete this recompile. I don't have that software currently installed and, from everything I've seen, it is not free to download. Is there any other way I can accomplish a recompile of Apache 2.2.25 so that my instance of OpenSSL 1.0.2a is recognized? Thanks. From: Abdul Anshad [mailto:ab...@visolve.com] Sent: Saturday, April 4, 2015 2:56 AM To: users@httpd.apache.org; Cathy Fauntleroy Subject: Re: [users@httpd] Upgrading from OpenSSL 0.9.8 to OpenSSL 1.0.2a Hello Cathy, FYI, TLS 1.1 and TLS 1.2 protocols are only supported by OpenSSL 1.0.1 and 1.0.2 series. Since you have upgraded the OpenSSL version from 0.9.8 to 1.0.2a, It should support the newer TLS 1.1 and 1.2 protocols. But, In addition to this you also have to recompile apache, openssh and any other important system components to make use of the newer cryptographic libraries from OpenSSL. Thanks, ViSolve Support Team ViSolve Inc. | San Jose, California Website: www.visolve.com <http://www.visolve.com> email: servi...@visolve.com <mailto:servi...@visolve.com> | Phone: 408-850-2243 On 29-Mar-15 7:02 AM, Cathy Fauntleroy wrote: Good Evening, I need to enable TLS 1.2 but since I currently have Apache 2.2.25 w/OpenSSL 0.9.8 installed, I can't do that. So, I left Apache 2.2.25 in place, installed OpenSSL 1.0.2a, and created the new openssl.cnf environment variables. The install was successful, the correct version is showing, but TLS 1.2 is still not enabled. Any ideas on what I am missing? Thanks. _ <http://www.avast.com/> This email has been checked for viruses by Avast antivirus software. www.avast.com <http://www.avast.com/>
RE: [users@httpd] Help - 2.2 to 2.4 migration onto new server failing
Jim, I am having a very similar problem as you are experiencing and have (like you) tried many things in attempt to fix. However, I did not build the server and was not aware of IIS-like services called by another name. Would you please tell me what the service is called? I need see if it is installed on my Win 2012 server and, if it is, remove it. Thanks. Cathy Fauntleroy, Security+ Van Dyke Technology Group Email: cathy.fauntle...@vdtg.com Office: (443) 832-4768 -Original Message- From: Jim Walls [mailto:j...@k6ccc.org] Sent: Sunday, May 17, 2015 2:54 PM To: users@httpd.apache.org Subject: Re: [users@httpd] Help - 2.2 to 2.4 migration onto new server failing On 5/17/2015 11:31 AM, Kees Nuyt wrote: > On Tue, 12 May 2015 14:28:23 -0700, you wrote: > >> IIS is NOT running - one of the first things I checked after >> installing windows. I will NEVER run IIS and make sure it's dead >> right away. Checked again and it's did not resurrect itself from the dead. > Oops, sorry, I should have read a bit more before replying :( > Turns out that it is - although it's not called IIS in Windows 2012. When I installed the OS onto brand new drives (so there is no possibility of some leftover from something previously installed), there is an option to install IIS services which I unchecked and had assumed that it really was not there. There is nothing to indicate that IIS (by that name) is there either, but that functionality is there. Found lots of on-line sources to indicate that it's there with instructions for removal - none have worked so far. Still poking at it... I will report here when I get it working right... -- 73 - Jim Walls - K6CCC j...@k6ccc.org - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
RE: [users@httpd] .MSI Files?
I appreciate it, Yehuda! Thanks… Cathy Fauntleroy, Security+ Van Dyke Technology Group Email: <mailto:cathy.fauntle...@vdtg.com> cathy.fauntle...@vdtg.com Office: (443) 832-4768 From: Yehuda Katz [mailto:yeh...@ymkatz.net] Sent: Thursday, April 16, 2015 1:48 PM To: users@httpd.apache.org Subject: Re: [users@httpd] .MSI Files? There are no Apache committers who build Windows binaries. http://httpd.apache.org/docs/current/platform/windows.html#down You can get binaries from other sources - I usually use ApacheLounge. None of these source build an MSI of Apache by itself. The recommended installation method is to download the zip, extract to a folder (best to not have spaces in the path) and run "httpd.exe -k install" from an elevated Command Prompt. - Y On Thu, Apr 16, 2015 at 1:10 PM, Cathy Fauntleroy mailto:cathy.fauntle...@vdtg.com> > wrote: Users, Why can’t I find a .msi for any version except Apache 2.2.24 w/OpenSSL 0.9.8? I’ve looked at so many sites that my eyes are tired. If anyone can tell me where I can locate one for download and install on my Windows 2008 server, you have no idea how much I would appreciate it! Thanks… Cathy Fauntleroy
[users@httpd] .MSI Files?
Users, Why can't I find a .msi for any version except Apache 2.2.24 w/OpenSSL 0.9.8? I've looked at so many sites that my eyes are tired. If anyone can tell me where I can locate one for download and install on my Windows 2008 server, you have no idea how much I would appreciate it! Thanks. Cathy Fauntleroy
[users@httpd] Upgrading from OpenSSL 0.9.8 to OpenSSL 1.0.2a
Good Evening, I need to enable TLS 1.2 but since I currently have Apache 2.2.25 w/OpenSSL 0.9.8 installed, I can't do that. So, I left Apache 2.2.25 in place, installed OpenSSL 1.0.2a, and created the new openssl.cnf environment variables. The install was successful, the correct version is showing, but TLS 1.2 is still not enabled. Any ideas on what I am missing? Thanks. Cathy Fauntleroy, Security+ Van Dyke Technology Group Email: cathy.fauntle...@vdtg.com <mailto:cathy.fauntle...@vdtg.com> Office: (443) 832-4768
RE: [users@httpd] How to enable TLSV1.1 or above on Apache
I am on a Windows 2008 R2 server with Apache 2.2.25/OpenSSL 0.9.8 installed. I am attempting to upgrade OpenSSL to 1.0.1 so that TLS 1.1 and 1.2 will be enabled. I am having problems installing 1.0.1 because of what appears to be a platform conflict. My installation halts because a file in what is definitely a Unix/Linux path is not found. I am on a Windows platform and downloaded a file for windows. Any help would be greatly appreciated. Am I missing something or have I stumbled upon a mis-categorized download? I've tried several sites. Thanks… Cathy -Original Message- From: Rainer Jung [mailto:rainer.j...@kippdata.de] Sent: Friday, March 27, 2015 5:53 AM To: users@httpd.apache.org Subject: Re: [users@httpd] How to enable TLSV1.1 or above on Apache Am 27.03.2015 um 06:22 schrieb Sailaja Gadireddy: > Hello Team, > > I have upgraded my apache to Apache V2.4.3. and OpenSSL version is > 0.9.8g > > When I have modified httpd conf with SSLProtocol TLSV1.1, It says > Illegal protocol. > > Do I need to install latest openssl version? If so please suggest the > version. > > Please suggest me the way to enable TLSV1.1 on Apache. You need OpenSSL 1.0.1 as a minimum for TLS 1.1 (and 1.2) support. Regards, Rainer - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
RE: [users@httpd] How to enable TLSV1.1 or above on Apache
I misspoke. OpenSSL 0.9.8 does NOT support TLSv1.1. My apologies... Thanks… Cathy Fauntleroy, Security+ Van Dyke Technology Group Email: cathy.fauntle...@vdtg.com Office: (443) 832-4768 -Original Message- From: Cathy Fauntleroy [mailto:cathy.fauntle...@vdtg.com] Sent: Thursday, March 19, 2015 2:35 PM To: users@httpd.apache.org Subject: RE: [users@httpd] How to enable TLSV1.1 or above on Apache OpenSSL 0.9.8 supports TLS1.1 but, apparently, not TLS 1.2. At least not easily because I am running 0.9.8 and have TLS1.1 protocol enabled. I am trying to enable TLS 1.2 with NO luck. I have Apache 2.2.25 installed. Any ideas? Thanks… Cathy Fauntleroy, Security+ Van Dyke Technology Group Email: cathy.fauntle...@vdtg.com Office: (443) 832-4768 -Original Message- From: Robert Webb [mailto:rw...@ropeguru.com] Sent: Thursday, March 19, 2015 8:25 AM To: users@httpd.apache.org; Sailaja Gadireddy Subject: Re: [users@httpd] How to enable TLSV1.1 or above on Apache What version of OpenSSL are you running. I don't believe OpenSSL 0.9.8 supports TLS 1.1 or 1.2. Robert On Thu, 19 Mar 2015 12:02:01 +0530 Sailaja Gadireddy wrote: > Hello Team, > > Currently my Apache server supports SSLV2, V3, TLSV1. > > The client requirement is to enalbe TLSV1.1 or above on the webserver. > > Current Version of Apache: Apache V2.2.16 > > When I tried to Add SSLProtocol All TLSv1.1 TLSv1.2. Server has thrown >the error saying Illegal Protocol. > > Please do let me know the steps for enabling TLSV1.1 or above. > > Thanks & Regards, > Sailaja. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
RE: [users@httpd] How to enable TLSV1.1 or above on Apache
OpenSSL 0.9.8 supports TLS1.1 but, apparently, not TLS 1.2. At least not easily because I am running 0.9.8 and have TLS1.1 protocol enabled. I am trying to enable TLS 1.2 with NO luck. I have Apache 2.2.25 installed. Any ideas? Thanks… Cathy Fauntleroy, Security+ Van Dyke Technology Group Email: cathy.fauntle...@vdtg.com Office: (443) 832-4768 -Original Message- From: Robert Webb [mailto:rw...@ropeguru.com] Sent: Thursday, March 19, 2015 8:25 AM To: users@httpd.apache.org; Sailaja Gadireddy Subject: Re: [users@httpd] How to enable TLSV1.1 or above on Apache What version of OpenSSL are you running. I don't believe OpenSSL 0.9.8 supports TLS 1.1 or 1.2. Robert On Thu, 19 Mar 2015 12:02:01 +0530 Sailaja Gadireddy wrote: > Hello Team, > > Currently my Apache server supports SSLV2, V3, TLSV1. > > The client requirement is to enalbe TLSV1.1 or above on the webserver. > > Current Version of Apache: Apache V2.2.16 > > When I tried to Add SSLProtocol All TLSv1.1 TLSv1.2. Server has thrown >the error saying Illegal Protocol. > > Please do let me know the steps for enabling TLSV1.1 or above. > > Thanks & Regards, > Sailaja. - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org - To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
RE: [users@httpd] SSL Compression
Igor, Great information. I appreciate it! Thanks… Cathy Fauntleroy, Security+ Van Dyke Technology Group Email: <mailto:cathy.fauntle...@vdtg.com> cathy.fauntle...@vdtg.com Office: (443) 832-4768 From: Igor Cicimov [mailto:icici...@gmail.com] Sent: Wednesday, March 18, 2015 5:50 PM To: users Subject: Re: [users@httpd] SSL Compression On 19/03/2015 2:02 AM, "Daniel" mailto:dferra...@gmail.com> > wrote: > > There is an exception, you can only use that directive in server config, > that's why I asked about the context. > > If you set that up inside a virtualhost, it will probably will give you > issues. > > -- > Daniel Ferradal > IT Specialist > > email dferra...@gmail.com <mailto:dferra...@gmail.com> > linkedin es.linkedin.com/in/danielferradal > <http://es.linkedin.com/in/danielferradal> > > 2015-03-16 5:48 GMT+01:00 Cathy Fauntleroy <mailto:cathy.fauntle...@vdtg.com> >: >> >> Daniel, >> >> >> >> Thanks for the response. I am running OpenSSL 0.9.8. I am attempting to >> secure TLS compression and mitigate the CRIME vulnerability by adding the >> following directive to the httpd.conf file: >> >> >> >> Implementation on Apache HTTP Server (mod_ssl) >> >> The following configuration block can be used in Apache HTTP Server >> 2.2+/2.4+ with mod_ssl. However, there is an exception of being able to turn >> off TLS/SSL Compression as this is only possible Apache HTTP Server >> 2.2.24/2.4.3+ using the SSLCompression directive. >> >> >> >> SSLProtocol ALL -SSLv2 -SSLv3 >> >> SSLHonorCipherOrder On >> >> SSLCipherSuite >> ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5 >> >> SSLCompression Off >> >> I am >> >> >> >> Thanks… >> >> Cathy Fauntleroy, Security+ >> >> Van Dyke Technology Group >> >> Email: cathy.fauntle...@vdtg.com <mailto:cathy.fauntle...@vdtg.com> >> >> Office: (443) 832-4768 >> >> >> >> From: Daniel [mailto:dferra...@gmail.com <mailto:dferra...@gmail.com> ] >> Sent: Saturday, March 14, 2015 7:24 PM >> To: mailto:users@httpd.apache.org> > >> Subject: Re: [users@httpd] SSL Compression >> >> >> >> >> >> >> >> 2015-03-14 15:02 GMT+01:00 Cathy Fauntleroy > <mailto:cathy.fauntle...@vdtg.com> >: >>> >>> Hello Everyone, >>> >>> >>> >>> I have Apache 2.2.24 installed and I am attempting to disable compression. >>> I am editing the httpd.conf file and adding ‘SSLCompression Off’. When I >>> do that, the Apache service does not start. The system log does not >>> register any meaningful error. Has anyone encountered this before? >>> >>> >>> >>> Thanks… >>> >>> Cathy Fauntleroy, Security+ >>> >>> Van Dyke Technology Group >>> >>> Email: cathy.fauntle...@vdtg.com <mailto:cathy.fauntle...@vdtg.com> >>> >>> Office: (443) 832-4768 >>> >>> >> >> >> >> In which context are you trying to use it? Which openssl version do you use? >> >> >> >> -- >> >> Daniel Ferradal >> >> IT Specialist >> >> >> >> email dferra...@gmail.com <mailto:dferra...@gmail.com> >> >> linkedin es.linkedin.com/in/danielferradal >> <http://es.linkedin.com/in/danielferradal> > Yes you can use that in virtual host context. The problem is that you are trying to use cipher suites not supported by your openssl version. Check by running: openssl ciphers -v and check that the ciphers you have included in apache are in the list. I also recommend you upgrade to openssl-1.0.1
RE: [users@httpd] SSL Compression
Daniel, Thanks for the response. I am running OpenSSL 0.9.8. I am attempting to secure TLS compression and mitigate the CRIME vulnerability by adding the following directive to the httpd.conf file: Implementation on Apache HTTP Server (mod_ssl) The following configuration block can be used in Apache HTTP Server 2.2+/2.4+ with mod_ssl. However, there is an exception of being able to turn off TLS/SSL Compression as this is only possible Apache HTTP Server 2.2.24/2.4.3+ using the SSLCompression directive. SSLProtocol ALL -SSLv2 -SSLv3 SSLHonorCipherOrder On SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5 SSLCompression Off I am Thanks… Cathy Fauntleroy, Security+ Van Dyke Technology Group Email: <mailto:cathy.fauntle...@vdtg.com> cathy.fauntle...@vdtg.com Office: (443) 832-4768 From: Daniel [mailto:dferra...@gmail.com] Sent: Saturday, March 14, 2015 7:24 PM To: Subject: Re: [users@httpd] SSL Compression 2015-03-14 15:02 GMT+01:00 Cathy Fauntleroy mailto:cathy.fauntle...@vdtg.com> >: Hello Everyone, I have Apache 2.2.24 installed and I am attempting to disable compression. I am editing the httpd.conf file and adding ‘SSLCompression Off’. When I do that, the Apache service does not start. The system log does not register any meaningful error. Has anyone encountered this before? Thanks… Cathy Fauntleroy, Security+ Van Dyke Technology Group Email: cathy.fauntle...@vdtg.com <mailto:cathy.fauntle...@vdtg.com> Office: (443) 832-4768 In which context are you trying to use it? Which openssl version do you use? -- Daniel Ferradal IT Specialist email <mailto:dferra...@gmail.com> dferra...@gmail.com linkedin <http://es.linkedin.com/in/danielferradal> es.linkedin.com/in/danielferradal
[users@httpd] SSL Compression
Hello Everyone, I have Apache 2.2.24 installed and I am attempting to disable compression. I am editing the httpd.conf file and adding 'SSLCompression Off'. When I do that, the Apache service does not start. The system log does not register any meaningful error. Has anyone encountered this before? Thanks. Cathy Fauntleroy, Security+ Van Dyke Technology Group Email: cathy.fauntle...@vdtg.com <mailto:cathy.fauntle...@vdtg.com> Office: (443) 832-4768
[users@httpd] Updating Apache to Mitigate FREAK
Hello Community, I am attempting to update Apache from version 2.2.21 on my Windows 2008 R2 Enterprise Server in order to mitigate the FREAK vulnerability. I am new to this project (no overlap with the previous developers) and also new to Apache on Windows. I have already mitigated other vulnerabilities by disabling SSLv2 and SSLv3. I now need to enable TLS 1.2 which, from what I understand, requires running at least Apache 2.2.24 or higher. Basically, I want to be sure I am selecting the correct download. I connected to http://olex.openlogic.com/packages/apache/2.2.24#package_detail_tabs and downloaded Apache HTTP Server 2.2.25Windows (openssl) Windows IA32 Binary. Does anyone have experience/professional opinion about that site/download in regard to what I need to accomplish? Thanks. Cathy Fauntleroy, Security+ Van Dyke Technology Group Email: cathy.fauntle...@vdtg.com <mailto:cathy.fauntle...@vdtg.com> Office: (443) 832-4768