Solution to have TLSv1.2 and TLSv1.0 support together again with Apache 2.4.29 
on Ubuntu 18:

Changing

SSLProtocol                 -all +TLSv1.2 +TLSv1

to

SSLProtocol                 -all +TLSv1.2 +TLSv1.1 +TLSv1

This gives the following sslscan output:

Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  AES256-SHA
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  AES256-SHA
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  AES256-SHA

and connecting with all three protocols works with curl, also from the old 
client which is not TLSv1.2 capable.

But I want to allow only TLSv1.2 and TLSv1.0; TLSv1.1 is not needed, so I do 
not want to allow it.

By luck, I found this Apache bug report about chaotic behaviour resulting from 
different combinations of the options SSLProtocol and SSLCipherSuite:

https://bz.apache.org/bugzilla/show_bug.cgi?id=60739

This is really scary: an undocumented change of behaviour, behaviour that is 
not reasonable/logical, and nearly zero documentation of the option SSLProtocol.

Any explanation from the Apache devs why
SSLProtocol                 -all +TLSv1.2 +TLSv1
worked with Apache 2.4.7 on Ubuntu 14,

but with Apache 2.4.29 on Ubuntu 18 one has to set
SSLProtocol                 -all +TLSv1.2 +TLSv1.1 +TLSv1
to get TLSv1.0 protocol support?

Any suggestion for how I can have TLSv1.2 and TLSv1.0 support, but no TLSv1.1 
support, at the same time?


> Sent: Wednesday, 02 June 2021 at 17:29
> From: "Hildegard Meier" <daku8...@gmx.de>
> To: users@httpd.apache.org
> Subject: [users@httpd] Newer Apache does not offer TLS cipher with TLSv1 anymore
>
> Hello,
>
> we host a website whose clients still need to use the cipher 
> ECDHE-RSA-AES256-SHA
>
> with the protocol "TLSv1.0" aka "TLSv1".
>
> With our old Apache server that worked. Spec:
> Ubuntu  14.04 LTS
> Apache  2.4.7-1ubuntu4.22
> OpenSSL 1.0.1f-1ubuntu2.27
>
> Apache config:
> SSLProtocol                 -all +TLSv1.2 +TLSv1
> SSLCipherSuite              ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA
>
> sslscan shows the following cipher support of the old Apache server:
> Supported Server Cipher(s):
> Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
> Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
> Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
> Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
> Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
>
> So, ECDHE-RSA-AES256-SHA is offered both via TLSv1.2 and TLSv1.0.
>
> Now we have a newer Apache server setup. Spec:
> Ubuntu  18.04.1 LTS
> Apache  2.4.29-1ubuntu4.14
> OpenSSL 1.1.1-1ubuntu2.1~18.04.9
>
> The complete Apache config. is unchanged, so still:
> SSLProtocol                 -all +TLSv1.2 +TLSv1
> SSLCipherSuite              ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA
>
> But now sslscan shows for the new Apache server:
> Supported Server Cipher(s):
> Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
> Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
> Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
> Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
>
> The problem is, ECDHE-RSA-AES256-SHA is now _only_ supported via TLSv1.2, not 
> via TLSv1.0 anymore.
>
> How does this come about?
>
> Is it possible to make the new Apache offer ECDHE-RSA-AES256-SHA via 
> TLSv1.0 again as well?
>
> Thank you very much.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

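The check the thread is doing by hand (read the SSLProtocol line, run sslscan, compare), as an added example that is not part of the original posts and not Apache's own code. It evaluates an SSLProtocol value the way the mod_ssl docs describe it (+X adds, -X removes, a bare keyword selects exactly that protocol, "all" is the whole set), parses the sslscan cipher table quoted above, and reports which protocols the server offers although the directive does not enable them and which enabled protocols it never offered. The sample sslscan text is copied from the thread; the expansion of "all" to SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3, the mapping of mod_ssl's "TLSv1" to sslscan's "TLSv1.0", the function names and the optional probe() using the openssl command line are assumptions of this example.

```python
"""Added example (not from the thread or from Apache): reconcile an
SSLProtocol directive with what sslscan reports, and optionally confirm
each protocol with a live openssl s_client handshake.

Assumptions: 'all' expands to SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3 as in the
mod_ssl docs; the openssl CLI is on PATH for probe(); sslscan output has the
layout quoted in the thread.
"""
import re
import subprocess

# mod_ssl keyword -> the name sslscan prints (mod_ssl's "TLSv1" is "TLSv1.0")
MOD_SSL_TO_SSLSCAN = {
    "SSLv3": "SSLv3", "TLSv1": "TLSv1.0", "TLSv1.1": "TLSv1.1",
    "TLSv1.2": "TLSv1.2", "TLSv1.3": "TLSv1.3",
}
CANON = {k.lower(): k for k in MOD_SSL_TO_SSLSCAN}  # keywords are case-insensitive
ALL = set(MOD_SSL_TO_SSLSCAN)


def expected_protocols(directive):
    """Evaluate an SSLProtocol value left to right: '+X' adds X, '-X' removes
    X, a bare 'X' selects exactly X, and 'all' stands for the whole set.
    Returns the enabled protocols in sslscan naming."""
    enabled = set()
    for token in directive.split():
        action, raw = "=", token
        if token[0] in "+-":
            action, raw = token[0], token[1:]
        if raw.lower() == "all":
            members = set(ALL)
        elif raw.lower() in CANON:
            members = {CANON[raw.lower()]}
        else:
            raise ValueError(f"unknown SSLProtocol keyword: {token}")
        if action == "+":
            enabled |= members
        elif action == "-":
            enabled -= members
        else:
            enabled = members
    return {MOD_SSL_TO_SSLSCAN[p] for p in enabled}


# One "Preferred/Accepted  <proto>  <bits> bits  <cipher> ..." line of sslscan
CIPHER_LINE = re.compile(
    r"^\s*(Preferred|Accepted)\s+(SSLv[23]|TLSv1\.[0-3])\s+(\d+)\s+bits\s+(\S+)")


def parse_sslscan(text):
    """Return {protocol: [ciphers in the order sslscan listed them]}."""
    offered = {}
    for line in text.splitlines():
        m = CIPHER_LINE.match(line)
        if m:
            offered.setdefault(m.group(2), []).append(m.group(4))
    return offered


def compare(directive, sslscan_text):
    """(unexpected, missing): protocols the server offers although the
    directive does not enable them, and enabled protocols never offered."""
    want = expected_protocols(directive)
    have = set(parse_sslscan(sslscan_text))
    return sorted(have - want), sorted(want - have)


# Live check with openssl s_client pinned to exactly one protocol version.
OPENSSL_FLAG = {"TLSv1.0": "-tls1", "TLSv1.1": "-tls1_1",
                "TLSv1.2": "-tls1_2", "TLSv1.3": "-tls1_3"}


def probe(host, port, proto):
    """True if the server completes a handshake for this single version."""
    r = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, OPENSSL_FLAG[proto]],
        input=b"", capture_output=True, timeout=15)
    return r.returncode == 0 and b"Cipher is (NONE)" not in r.stdout


# Constructed sample input: the sslscan excerpts quoted in this thread.
OLD_2_4_7 = """\
Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
"""
# 2.4.29 with the unchanged config: identical minus the TLSv1.0 line
NEW_2_4_29 = "\n".join(OLD_2_4_7.splitlines()[:-1]) + "\n"
# 2.4.29 after adding +TLSv1.1 to SSLProtocol
NEW_2_4_29_WITH_1_1 = NEW_2_4_29 + """\
Accepted  TLSv1.2  256 bits  AES256-SHA
Preferred TLSv1.1  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.1  256 bits  AES256-SHA
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  256 bits  AES256-SHA
"""

if __name__ == "__main__":
    directive = "-all +TLSv1.2 +TLSv1"
    for label, scan in (("2.4.7", OLD_2_4_7), ("2.4.29", NEW_2_4_29),
                        ("2.4.29 +TLSv1.1", NEW_2_4_29_WITH_1_1)):
        unexpected, missing = compare(directive, scan)
        print(f"{label:16} unexpected={unexpected} missing={missing}")
```

Run as-is it reports missing TLSv1.0 for the 2.4.29 scan and unexpected TLSv1.1 for the scan taken after +TLSv1.1 was added, which is exactly the gap the thread describes. probe() is the second opinion to sslscan: a server that answers `-tls1_1` with a handshake offers TLS 1.1 regardless of what the config says. The caveat is on the client side: if the machine running probe() has an OpenSSL configuration that refuses TLS 1.0 itself (MinProtocol or a security level above 1 in openssl.cnf), a failed `-tls1` probe tells you nothing about the server.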