On 24/04/2012 20:19, Carmel wrote:
On Tue, 24 Apr 2012 19:46:40 +0100
plot.lost articulated:

Having problems making TLS connections to an instance of apache.

The server version is:
Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8t

The ssl config includes:

    SSLProtocol TLSv1 SSLv3
    SSLCipherSuite RC4-SHA:AES256-SHA:ALL:!ADH:!MD5:!EXP:!LOW:!NULL
    SSLHonorCipherOrder on
    # See http://journal.paul.querna.org/articles/2010/07/10/overclocking-mod_ssl/
    SSLVerifyClient none
    #SSLInsecureRenegotiation on


If I try and connect using Firefox with only TLS enabled, the
connection fails (get the message 'The connection to the server was
reset while the page was loading'). With SSLv3 enabled in Firefox, the
connection works fine.

Trying using openssl command line:

openssl s_client -connect 127.0.0.1:443 -tls1

gets

CONNECTED(00000003)
15265:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284:

When trying with

openssl s_client -connect 127.0.0.1:443 -sslv3

the connection works

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : SSLv3
     Cipher    : DHE-RSA-AES256-SHA
     Session-ID: F86A80F46AF9AD0626B1051223C184553FC25B92AF1763E6728CAEF984C4CB58
     Session-ID-ctx:
     Master-Key: E0BE122F6671905DB5BBC40F874157F1A4625FC32A19AE1D67EC2255DC05DC7723A69A26A942E874C8CC219A28BB4936
     Key-Arg   : None
     Start Time: 1335292940
     Timeout   : 7200 (sec)


Any clues as to why the TLS connection is not working - is there some
config value I am missing or have wrong?

What version of SSL are you using? There was a problem with the update
of "openssl-1.0.1a" that caused problems with Postfix with certain
domains.

Try this for starters:

openssl s_client -connect 127.0.0.1:443 -tls1_2
openssl s_client -connect 127.0.0.1:443 -tls1_1
openssl s_client -connect 127.0.0.1:443 -tls1
openssl s_client -connect 127.0.0.1:443 -ssl3

Post the connect or fail results back here.

Command line openssl version is:

OpenSSL 0.9.8t 18 Jan 2012 (Library: OpenSSL 0.9.8k 25 Mar 2009)

-tls1_1 and -tls1_2 are not recognised options
-tls1 fails
-ssl3 connects fine.

The apache httpd has been compiled against the same openssl (and is running on the same box, ubuntu 10.04 LTS)

Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8t
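
The version-by-version check suggested in this thread, as an added example that is not part of any poster's message: it runs `openssl s_client` with each protocol flag and labels the result as an unsupported flag, a completed handshake, or a failed one with the reported reason. The function names and the "unknown option" match pattern are assumptions, since the exact wording differs between OpenSSL releases.

```bash
#!/bin/sh
# Added example (not from the thread): classify openssl s_client output per protocol flag.

# Output quoted in the thread for the failing -tls1 attempt.
THREAD_TLS1_OUTPUT='CONNECTED(00000003)
15265:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284:'

# classify_s_client OUTPUT
# Prints: unsupported-flag | connected:<protocol> | handshake-failed:<reason>
classify_s_client() {
    local out=$1 proto reason
    # Older builds reject -tls1_1/-tls1_2 before connecting at all.
    # Assumption: the message contains "unknown option" or "unrecognized".
    if printf '%s\n' "$out" | grep -Eqi 'unknown option|unrecognized'; then
        echo "unsupported-flag"; return
    fi
    # A completed handshake has a "New, ..." line naming a real cipher;
    # newer releases print "(NONE)" there when the handshake failed.
    if printf '%s\n' "$out" | grep '^New, ' | grep -qv '(NONE)'; then
        proto=$(printf '%s\n' "$out" |
            sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n1)
        echo "connected:${proto:-unknown}"; return
    fi
    # Error queue lines are colon-separated; the sixth field is the reason text.
    reason=$(printf '%s\n' "$out" | awk -F: '/:error:/ {print $6; exit}')
    echo "handshake-failed:${reason:-no error line}"
}

# probe [HOST] [PORT]: try each flag from the thread against one server.
probe() {
    local host=${1:-127.0.0.1} port=${2:-443} flag out
    for flag in -tls1_2 -tls1_1 -tls1 -ssl3; do
        # </dev/null closes stdin so s_client exits once the handshake ends.
        out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1)
        printf '%-8s %s\n' "$flag" "$(classify_s_client "$out")"
    done
}

if [ "$#" -gt 0 ]; then
    probe "$@"                      # e.g. ./probe.sh 127.0.0.1 443
else
    # No arguments: classify the failure output quoted in the thread.
    classify_s_client "$THREAD_TLS1_OUTPUT"
fi
```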



