Hi,
First of all, thanks. Like already said, I tried about everything :-( Nevertheless I tried all of them again ... without success.

I cannot get the server to offer SSLv3 when TLS is enabled (any TLS).

When I do ssl protocol SSLv3 then SSLv3 works, but from the moment I add TLS, SSLv3 no longer works.

Sven

From: Mitchell Krog Photography <mitchellk...@gmail.com>
To: Christopher Schultz <ch...@christopherschultz.net>, users@httpd.apache.org
Date: 10/02/2017 08:26
Subject: Re: [users@httpd] apache 2.4.10 sslv3 not offering when tls is enabled

Your SSL config for Apache 2.4.10 should be as follows:

<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile      /path/to/signed_certificate_followed_by_intermediate_certs
    SSLCertificateKeyFile   /path/to/private/key

    # Uncomment the following directive when using client certificate authentication
    #SSLCACertificateFile    /path/to/ca_certs_for_client_authentication

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
    ...
</VirtualHost>

# intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
SSLCompression          off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling                      on
SSLStaplingResponderTimeout         5
SSLStaplingReturnResponderErrors    off
SSLStaplingCache                    shmcb:/var/run/ocsp(128000)

Always check with https://mozilla.github.io/server-side-tls/ssl-config-generator/

From: Christopher Schultz <ch...@christopherschultz.net>
Reply: users@httpd.apache.org <users@httpd.apache.org>
Date: 10 February 2017 at 12:15:30 AM
To: users@httpd.apache.org <users@httpd.apache.org>
Subject: Re: [users@httpd] apache 2.4.10 sslv3 not offering when tls is enabled

Daniel,

On 2/9/17 4:53 PM, Daniel wrote:
> Try manually:
>
> SSLProtocol SSLv3 TLSv1 TLSv1.1 TLSv1.2

And, please, for the love of god, add these, too:

SSLHonorCipherOrder On
SSLCipherSuite TLSv1.2:TLSv1.1:TLSv1:SSLv3

This will cause "better" ciphers to be preferred over the lesser ones.

Don't forget to eliminate the insecure ones like EXPORT, MD5, DES, RC4, etc.

A typical cipher string I might use looks like this:

SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:!RC4:ECDHE:ECDH:DHE:AES256-GCM-SHA384:AES128-GCM-SHA256:HIGH

-chris

> 2017-02-09 17:30 GMT+01:00 Sven Crul <sven.c...@belmedis.be>:
>
> Hi,
>
> I switch to debian with apache 2.4.10 where I need sslv3 for
> backwards compatibility with some OLD clients
>
> I use openssl 1.0.1t (latest stable for debian)
>
> with the settings "sslprotocol all" in ssl.conf sslv3 is not
> offered
>
> with the setting "sslprotocol sslv3" in ssl.conf it works but
> unfortunately without tls (I need TLS also)
>
> I must be the only one who has this problem because can't find
> anything about it anywhere, and I tried about anything there is
>
> sslprotocol all +sslv3 ... etc nothing works
>
> Anybody has an idea
>
> THX!!!!!
>
> Sven
>
> --
> *Daniel Ferradal*
> IT Specialist
>
> email dferradal at gmail.com
> linkedin es.linkedin.com/in/danielferradal
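An added example, not part of the original thread: one way to check a cipher string such as the one Christopher posts against the classes he says to eliminate, by expanding it with the local OpenSSL through Python's ssl module. The names classify, audit and preference_order are hypothetical, and the expansion depends on the OpenSSL build Python is linked against.

```python
import re
import ssl

# Cipher string from the thread (the "SH A384" line wrap is rejoined).
THREAD_STRING = ("!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:!RC4:ECDHE:ECDH:DHE:"
                 "AES256-GCM-SHA384:AES128-GCM-SHA256:HIGH")

# Weak classes named in the thread, matched against the fields of OpenSSL's
# cipher description line ("NAME PROTO Kx=.. Au=.. Enc=.. Mac=..").
# Helper names in this file are hypothetical, chosen for this example.
WEAK_PATTERNS = {
    "aNULL":  re.compile(r"\bAu=None\b"),
    "eNULL":  re.compile(r"\bEnc=None\b"),
    "EXPORT": re.compile(r"\bexport\b|^EXP-"),
    "DES":    re.compile(r"\bEnc=DES\("),   # single DES only, not 3DES
    "RC4":    re.compile(r"\bEnc=RC4\("),
    "MD5":    re.compile(r"\bMac=MD5\b"),
}


def classify(description):
    """Return the weak classes one cipher description line falls into."""
    return [name for name, rx in WEAK_PATTERNS.items() if rx.search(description)]


def audit(cipher_string):
    """Expand cipher_string locally; map each weak cipher name to its classes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # ssl.SSLError if nothing is selected
    findings = {}
    for cipher in ctx.get_ciphers():
        classes = classify(cipher["description"])
        if classes:
            findings[cipher["name"]] = classes
    return findings


def preference_order(cipher_string, limit=5):
    """First entries of the expanded list, in OpenSSL's preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()[:limit]]


if __name__ == "__main__":
    print("weak ciphers selected:", audit(THREAD_STRING) or "none")
    for name, proto in preference_order(THREAD_STRING):
        print(f"{proto:8} {name}")
```

The protocol column is the version in which OpenSSL defines each suite; which protocol versions the server offers is set by SSLProtocol, not by SSLCipherSuite.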