How to force all Apache connections to use TLSv1.1 or TLSv1.2


Solution 1

Firstly, you need to have TLSv1.1 & v1.2 support in OpenSSL - with your v1.0.1j, you do.

Next is Apache 2.2.24 (or later) support for the configuration items relating to SSL. In particular, to specify anything later than TLSv1 (i.e. TLSv1.1, TLSv1.2) you need that later version. You have 2.4.4, so that should be okay.

Next, there is an "interaction" between the Apache configuration parameters: SSLProtocol and SSLCipherSuite.

So for your desired configuration, TLSv1.1 & TLSv1.2, you'd need something like:

SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4

I appreciate you have a more specific cipher suite list:

EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4

However, when I checked with my openssl (v1.0.1 stream) I found the following pre-TLSv1.2 suites were supported:

 openssl ciphers -s -v 'EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4'

ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-SEED-SHA        SSLv3 Kx=DH       Au=RSA  Enc=SEED(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1

Then checking section A.5 of https://www.rfc-editor.org/rfc/rfc4346, I don't think any of the supported suites listed by my openssl are actually TLSv1.1-valid, so you'd only end up with TLSv1.2 when tested (say at Qualys, https://www.ssllabs.com/ssltest/).

Lastly, there's the whole issue of client support - the Qualys link above is handy as it lists which types of client (down to specific Android versions, for example) would be able to connect to the submitted test server. As you are quite cipher-specific, I think you're not going to risk too much by allowing TLSv1 (for which read v1.0) as well as v1.1 & v1.2, unless you know your visitor base will not include TLSv1-only-capable clients.
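To make the SSLProtocol/SSLCipherSuite interaction described above concrete, here is an added example (not code from the answer, Apache or OpenSSL) that parses `openssl ciphers -v` output together with an SSLProtocol argument and reports which suites a client could still negotiate for each enabled version. It assumes the mod_ssl 2.4 meaning of `All` and uses constructed sample cipher lines; the names `parse_ciphers_v`, `parse_ssl_protocol`, `negotiable_by_protocol` and `protocols_without_suites` are this example's own.

```python
# Added example (not from the original answers): check how an Apache SSLProtocol
# argument interacts with the cipher list by parsing `openssl ciphers -v` output.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
_BY_LOWER = {p.lower(): p for p in PROTOCOLS}

# Constructed sample in the format `openssl ciphers -v` prints on the OpenSSL 1.0.1
# stream: suite name, minimum protocol version, then the Kx= Au= Enc= Mac= fields.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
"""

def parse_ciphers_v(text):
    """Return [(suite, minimum_protocol)] pairs from `openssl ciphers -v` output."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] in PROTOCOLS:
            suites.append((fields[0], fields[1]))
    return suites

def parse_ssl_protocol(argument):
    """Resolve an SSLProtocol argument such as 'All -SSLv2 -SSLv3 -TLSv1' to the
    set of enabled versions. 'All' expands as the mod_ssl 2.4 docs describe it
    (SSLv3 TLSv1 TLSv1.1 TLSv1.2); names are matched case-insensitively here."""
    enabled = set()
    for token in argument.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        if name.lower() == "all":
            names = set(PROTOCOLS[1:])
        elif name.lower() in _BY_LOWER:
            names = {_BY_LOWER[name.lower()]}
        else:  # same wording as the error mod_ssl logs for an unknown token
            raise ValueError("SSLProtocol: Illegal protocol '%s'" % name)
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def negotiable_by_protocol(suites, enabled):
    """Map each enabled version to the suites usable with it: a suite serves its
    minimum version and everything above (SHA1-MAC suites listed as SSLv3 also
    serve TLSv1.0/1.1/1.2; AEAD and SHA256/SHA384 suites need TLSv1.2)."""
    return {p: [s for s, low in suites if PROTOCOLS.index(low) <= PROTOCOLS.index(p)]
            for p in PROTOCOLS if p in enabled}

def protocols_without_suites(table):
    """Enabled versions that no suite in the list can serve: a client limited to
    one of them fails the handshake even though SSLProtocol allows the version."""
    return sorted(p for p, names in table.items() if not names)
```

Feed it the real output of `openssl ciphers -v '<your SSLCipherSuite string>'` to see whether an enabled version is left with no suites, which is the case the answer warns about for TLSv1.1.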

Solution 2

To generate an ssl-config file automatically, Mozilla has an ssl-config generator:

https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.0&openssl=1.0.1e&hsts=yes&profile=modern

This will give a template for an Apache 2.4 server with OpenSSL version 1.0.1e.

Hope this helps someone new to the ssl setup.

Author: deltaRoot

Updated on September 18, 2022

Comments

  • deltaRoot, over 1 year

    I haven't been able to find a solution for this, if there is please do refer to it.

    Running:

    • Windows7 x64
    • Apache 2.4.4
    • OpenSSL 1.0.1j

    and have the following in my httpd_ssl

    SSLStrictSNIVHostCheck off
    SSLProtocol All -SSLv2 -SSLV3
    SSLCompression off
    SSLInsecureRenegotiation off
    SSLHonorCipherOrder on

    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off


    Question:

    Whatever I do, I can't seem to enable TLSv1.1 & TLSv1.2.
    Ran a ServerSSLTest script and all I get is: Supported versions: TLSv1.0

    What am I missing?

  • deltaRoot, over 9 years
    Thank you for the answer but I have already tried: SSLProtocol -All +TLSv1.1 +TLSv1.2 and tried it now without the bold CipherSuite; the server does not start. The CipherSuite should not cause a problem. And if I debug I get a syntax error: SSLProtocol: Illegal protocol 'TLSv1.1'
  • kronenpj, over 9 years
    Interesting... The documentation [1] says it should have worked. [1] httpd.apache.org/docs/current/mod/mod_ssl.html#sslprotocol
  • deltaRoot, over 9 years
    That is what puzzles me. Do you think Apache needs to be re-compiled?
  • kronenpj, over 9 years
    Not sure about Apache itself, but perhaps mod_ssl. Also, you might try SSLProtocol All -SSLv2 -SSLv3 -TLSv1 instead of starting with -All
  • deltaRoot, over 9 years
    Do you happen to know the best way to compile mod_ssl, or shall I open a new question? Tried that, I get "Operation Failed" and no information whatsoever through the debug
  • kronenpj, over 9 years
    Probably better to ask a new question for that one, but I'm still really surprised that this is giving you so much trouble. I basically just did the same sort of thing with Apache 2.4.6 / openssl 1.0.1e / mod_ssl 2.4.6 and it took everything without complaining.
  • deltaRoot, over 9 years
    Gonna keep at it and hopefully fix it soon enough. Thank you for your help
  • kronenpj, over 9 years
    You're welcome, that's why we're all here.
  • deltaRoot, over 8 years
    Hello, thank you for your answer. Nothing worked until yesterday, when I got me a new SSD and clean-installed my Win10 on it :D