Yes, thank you. There is a web app firewall in front of the apache server on the public side, so the allowed protocol versions need to be applied to the web app firewall, as well.
That explains why setting SSLProtocol affected the server when connecting directly to it via private IP address. The public IP address first goes through the web app firewall. On Thu, Jul 14, 2016 at 3:13 AM, Theo Sweeny <theo.swe...@madgex.com> wrote: > Hello Phil – that sounds as if when the traffic comes through the public > gateway, SSL is offloading to an interim gateway device rather than at the > Apache server. > > > > Are there any interim gateway devices? > > > > If so – do they manage SSL offloading? > > > > Theo > > > > *From:* Phil Smith [mailto:philbo...@gmail.com] > *Sent:* 13 July 2016 21:47 > *To:* users@httpd.apache.org > *Subject:* [users@httpd] SSLProtocol and TLSv1 > > > > I'm running Apache distributed via CentOS6: > > Server: Apache/2.2.15 (CentOS) > > > > I'm attempting to disable TLSv1.0 in ssl.conf using either of: > > > > SSLProtocol all -SSLv2 -SSLv3 -TLSv1 > > or > > SSLProtocol +TLSv1.1 +TLSv1.2 > > > > Either setting seems to work in disabling TLSv1 if the apache server is > requested via private IP address. > > > > However, neither seem to work in disabling TLSv1 if the apache server is > requested via public IP address. > > > > I'm using openssl to test support for tlsv1 using: > > /usr/bin/openssl s_client -connect x.x.x.x:443 -tls1 > > > > When x.x.x.x is replaced with private IP address, TLSv1 is not supported. > > When x.x.x.x is replaced with public IP address, TLSv1 is supported. > > > > NAT'ing is set up properly from the private to public IP addresses that I > am using to test. > > > > openssl version is: > > $ openssl version -a > > OpenSSL 1.0.1e-fips 11 Feb 2013 > > > > The server is configured for IP based virtual hosts. > > > > Does anyone have any idea why this would be happening? > > > > Thank you. >
