
I'm running a server with Debian 10 and Apache Version: 2.4.38-3+deb10u3. The behaviour of different settings for SSLProtocol is puzzling. SSL has been configured to be quite secure. This setting appears to work for every client (at least no evidence of not):

    SSLProtocol -all +TLSv1.2 +TLSv1.3

It's hard to tell from the manual exactly how options can be combined, but the following appears on the face of it to be the same, and has been cited in various postings as a suggested configuration:

    SSLProtocol TLSv1.2 TLSv1.3

or

    SSLProtocol "TLSv1.2,TLSv1.3"

These also work for accessing the site with a browser. However, site checking from Alertra shows the site as failed. The diagnostic says:

    Result  Error (Connection to HTTPS service failed)
    Server Response     0 Unrecognized HTTP error

Access via web proxies also fails, so the problem isn't unique to Alertra.

In what way is the Apache behaviour different between these alternative SSLProtocol specifications, and why?

mbrampton

1 Answer


Further experimentation has yielded the answer. The configuration:

    SSLProtocol TLSv1.2 TLSv1.3

is taken by Apache 2.4 to mean support for only TLSv1.3. It seems that if more than one protocol is cited, only the last takes effect. Hence this specification causes any client who cannot use TLSv1.3 to fail. If more than one protocol is to be used, then all but the first must be preceded by + signs. Hence this works to provide TLSv1.2 and TLSv1.3:

    SSLProtocol TLSv1.2 +TLSv1.3

and seems the clearest way to specify exactly what is supported. It appears the same result is achieved with:

    SSLProtocol -all +TLSv1.2 +TLSv1.3

but it is less clear.

It seems a pity that Apache does not flag the first configuration above as an error, since it contains an element that is simply ignored, and thus is likely to confuse the user (as it did me!). It would also be helpful if the Apache documentation spelled out how the different options work together.

mbrampton
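The token handling described in the answer above can be checked before a reload. The following is an added example, not part of the original posts and not Apache's own code: it models the rules as the answer states them (a bare protocol replaces what was set, `+` adds, `-` removes) and flags a bare token that discards earlier ones. The names `effective_protocols` and `lint` are hypothetical.

```python
import re

# Assumed model, taken from the answer above rather than from Apache's source:
# '+X' adds X, '-X' removes X, a bare X replaces everything set so far.
PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
CANON = {p.lower(): p for p in PROTOCOLS}

def effective_protocols(args):
    """Return (enabled_set, warnings) for the arguments of one SSLProtocol line."""
    enabled, warnings = set(), []
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() == "all":
            group = set(PROTOCOLS)
        elif name.lower() in CANON:
            group = {CANON[name.lower()]}
        else:
            raise ValueError(f"token not in this model's protocol list: {tok!r}")
        if sign == "+":
            enabled |= group
        elif sign == "-":
            enabled -= group
        else:
            if enabled:  # a bare token after others silently drops them
                warnings.append(
                    f"bare '{tok}' discards {sorted(enabled)}; prefix it with '+'")
            enabled = group
    return enabled, warnings

def lint(config_text):
    """Yield (line_no, args, enabled, warnings) for each SSLProtocol directive."""
    for no, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if m:
            yield (no, m.group(1), *effective_protocols(m.group(1)))

# Constructed sample: three of the forms discussed on this page.
SAMPLE = """\
SSLProtocol TLSv1.2 TLSv1.3
SSLProtocol TLSv1.2 +TLSv1.3
SSLProtocol -all +TLSv1.2 +TLSv1.3
"""

if __name__ == "__main__":
    for no, args, enabled, warnings in lint(SAMPLE):
        print(f"line {no}: {args!r} -> {sorted(enabled)}")
        for w in warnings:
            print(f"  WARNING: {w}")
```
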