Dear all,

In 20 years of administrating Linux hosts I have always successfully avoided changing the SSLCipherSuite, hoping the default from SUSE or Ubuntu would be fine and secure.
But now I'm in the situation that I have to touch it for the first time, and I'm afraid of opening a big door because of a wrong configuration.
I have an older piece of software (ServersAlive) which monitors our services.
Among others it needs to check two Ubuntu 20.04 hosts, one with Apache 2.4.41.
The software does not check the https URL and complains in the log: "SSL handshake failed".
The webserver log says:
[Fri Nov 27 16:00:05.526738 2020] [ssl:info] [pid 1330] [client 146.107.25.174:61102] AH02008: SSL library error 1 in handshake (server nc-mcd.helmholtz-muenchen.de:443)
[Fri Nov 27 16:00:05.526784 2020] [ssl:info] [pid 1330] SSL Library Error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol

I think this is related to the SSL configuration of Apache and the fact that 
the software is a bit outdated.
I read http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite.

SSLCipherSuite is currently:

SSLCipherSuite HIGH:!aNULL
That means that all ciphers using Triple-DES are allowed, except those using no authentication. Right?

SSLHonorCipherOrder off
OK?

SSLProtocol all -SSLv3
That means all protocols are allowed except SSLv3. Right?

I changed it to SSLProtocol all +SSLv3 +TLSv1, but then Apache refused to restart, complaining that SSLv3 is not supported by OpenSSL.
I changed it to SSLProtocol all +TLSv1, but my software still says the host is down, resulting in the Apache log:
[Fri Nov 27 16:28:15.143448 2020] [ssl:info] [pid 2703] [client 146.107.25.174:61953] AH02008: SSL library error 1 in handshake (server nc-mcd.helmholtz-muenchen.de:443)
[Fri Nov 27 16:28:15.143500 2020] [ssl:info] [pid 2703] SSL Library Error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[Fri Nov 27 16:28:15.143524 2020] [ssl:info] [pid 2703] [client 146.107.25.174:61953] AH01998: Connection closed to child 3 with abortive shutdown (server nc-mcd.helmholtz-muenchen.de:443)

What can I do?

Bernd
-- 

Bernd Lentes 
Head of Systemadministration 
Institute for Metabolism and Cell Death (MCD) 
Building 25 - office 122 
HelmholtzZentrum München 
bernd.len...@helmholtz-muenchen.de 
phone: +49 89 3187 1241 
phone: +49 89 3187 3827 
fax: +49 89 3187 2294 
http://www.helmholtz-muenchen.de/mcd
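Added example, not part of Bernd's post and not code from the Apache or ServersAlive projects: a Python script that pairs each mod_ssl AH02008 line with the "SSL Library Error" line logged by the same child pid, tallies handshake failures per client address and reason, and decodes the packed OpenSSL error code into its library/function/reason numbers. It also contains a probe that, given a hostname on the command line, attempts one handshake per TLS version to show which versions the server currently accepts; that part needs network access and is not run by default. The log lines embedded in it are constructed; client IPs, pids and the server name are placeholders.

```python
import re
import socket
import ssl
import sys
from collections import Counter

# Constructed sample of Apache mod_ssl "LogLevel ssl:info" lines, modelled on
# the entries quoted in the post. Client IPs, pids and server name are placeholders.
SAMPLE_LOG = """\
[Fri Nov 27 16:28:15.143448 2020] [ssl:info] [pid 2703] [client 203.0.113.10:61953] AH02008: SSL library error 1 in handshake (server www.example.org:443)
[Fri Nov 27 16:28:15.143500 2020] [ssl:info] [pid 2703] SSL Library Error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[Fri Nov 27 16:28:15.143524 2020] [ssl:info] [pid 2703] [client 203.0.113.10:61953] AH01998: Connection closed to child 3 with abortive shutdown (server www.example.org:443)
[Fri Nov 27 16:30:01.000001 2020] [ssl:info] [pid 2704] [client 198.51.100.7:40022] AH02008: SSL library error 1 in handshake (server www.example.org:443)
[Fri Nov 27 16:30:01.000050 2020] [ssl:info] [pid 2704] SSL Library Error: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher
[Fri Nov 27 16:31:00.000000 2020] [ssl:info] [pid 2703] [client 203.0.113.10:61960] AH02008: SSL library error 1 in handshake (server www.example.org:443)
[Fri Nov 27 16:31:00.000010 2020] [ssl:info] [pid 2703] SSL Library Error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
"""

# First line of a failed handshake: carries the child pid and the client address.
AH02008_RE = re.compile(
    r"\[pid (?P<pid>\d+)\] \[client (?P<ip>.+?):(?P<port>\d+)\] AH02008:")
# Follow-up line from the same child: carries the packed OpenSSL error code
# plus the library, function and reason strings.
LIBERR_RE = re.compile(
    r"\[pid (?P<pid>\d+)\] SSL Library Error: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$")


def summarize_handshake_failures(log_text):
    """Return a list of (client_ip, openssl_function, reason) tuples.

    mod_ssl splits one failed handshake across two lines; they are joined here
    by pid, since the error line never repeats the client address.
    """
    pending = {}   # pid -> client ip of the AH02008 line awaiting its error line
    failures = []
    for line in log_text.splitlines():
        m = AH02008_RE.search(line)
        if m:
            pending[m["pid"]] = m["ip"]
            continue
        m = LIBERR_RE.search(line)
        if m and m["pid"] in pending:
            failures.append((pending.pop(m["pid"]), m["func"], m["reason"].strip()))
    return failures


def failures_by_client(failures):
    """Count failures per (client_ip, reason): one noisy monitoring host looks
    very different from a broad set of clients that can no longer connect."""
    return Counter((ip, reason) for ip, _func, reason in failures)


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.1.x error code into (lib, func, reason) numbers.

    ERR_PACK(lib, func, reason) = (lib << 24) | (func << 12) | reason, so
    0x14209102 is lib 20 (ERR_LIB_SSL), function 521, reason 258
    (SSL_R_UNSUPPORTED_PROTOCOL in OpenSSL 1.1.1's sslerr.h).
    """
    value = int(code_hex, 16)
    return (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF


# Assumed probe order; TLSVersion members exist in Python 3.7+.
PROBE_VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def probe_protocols(host, port=443, timeout=5.0):
    """Attempt one handshake per TLS version, pinning min == max, and report
    which versions the server accepts. Needs network access to `host`."""
    results = {}
    for version in PROBE_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # we test protocol support, not trust
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            # The local OpenSSL build or its system policy refuses this version.
            results[version.name] = "not offered by local OpenSSL"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version.name] = "accepted (%s)" % tls.version()
        except ssl.SSLError as exc:
            results[version.name] = "rejected: %s" % (exc.reason or exc)
        except OSError as exc:
            results[version.name] = "connection error: %s" % exc
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, outcome in probe_protocols(sys.argv[1]).items():
            print("%-8s %s" % (name, outcome))
    else:
        for (ip, reason), n in failures_by_client(
                summarize_handshake_failures(SAMPLE_LOG)).most_common():
            print("%4d  %-16s %s" % (n, ip, reason))
```

Run with no arguments to see the per-client tally for the embedded sample, or with a hostname to list which TLS versions that server accepts right now; the second mode is the quickest way to confirm whether an SSLProtocol change actually took effect before touching the monitoring side.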