1
# apachectl -version
Server version: Apache/2.4.7 (Ubuntu)
Server built:   Jul 22 2014 14:36:38

I've got ssl.conf configured with the default SSLCipherSuite (SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5). I've also tested all sorts of combinations.

I've checked the ciphers available on the host using openssl ciphers, and there are plenty of RSA ciphers.

Here are the dependencies of my mod_ssl.so:

 # locate mod_ssl.so
 /usr/lib/apache2/modules/mod_ssl.so

 # ldd `locate mod_ssl.so`
 linux-vdso.so.1 => (0x00007fffb5dfe000)
 libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f915c0ba000)
 libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f915bce0000)
 [... omitted libpthread and libc ...]

Ldd on /usr/bin/openssl yields the same dependencies on libssl and libcrypto (v 1.0.0).

I cannot get a connection using the RSA cipher. I checked those using openssl s_client -connect <server>:<port> -cipher 'ANY-RSA-CIPHER'.

I also ran an analysis on https://www.ssllabs.com which confirms the openssl commands: only DSS is supported.

This is a problem as Firefox 37 does not support DSS anymore, resulting in an ssl_error_no_cypher_overlap error.

Any idea?

Bruno Bieth
  • What SSLCipherSuite lines have you tried, specifically? Do you have additional SSLCipherSuite lines somewhere in your configuration that may be overriding what you're trying to set? – Hyppy Apr 28 '15 at 18:06
  • 2
    Using `openssl ciphers` will tell you what your `openssl` is capable of; but apache may not have been linked against the same libraries. Consider running `ldd` against `mod_ssl.so` and `openssl` and see if anything's missing. e.g.: my `mod_ssl.so` (FreeBSD) uses `libssl`, `libcrypt`, and `libcrypto`. – ericx Apr 29 '15 at 04:20
  • Thanks for your quick answers, I've updated the question, but I just found a good lead... I'll keep you posted! – Bruno Bieth Apr 30 '15 at 16:58

1 Answer

0

I figured it out: the private key was using DSA...

Kinda stupid!

I generated another private key & self-signed certificate using RSA and... voilà!

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 [...]
Bruno Bieth
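The cause found in the answer can be checked directly: the certificate's public key algorithm decides which cipher suites (by the Au= field of `openssl ciphers -v`) the server can actually offer. This is an added example, not part of the original answer; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: excerpt of `openssl x509 -noout -text` for a DSA-keyed cert.
SAMPLE_CERT_TEXT='        Signature Algorithm: dsa_with_SHA256
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption'
# Constructed sample: lines in the format printed by `openssl ciphers -v`.
SAMPLE_CIPHERS='DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1'

# cert_auth: stdin = `openssl x509 -noout -text` output.
# Prints the Au= class (RSA, DSS, ECDSA) that the certificate's key can serve.
cert_auth() {
    alg=$(sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    case "$alg" in
        rsaEncryption)  echo RSA ;;
        dsaEncryption)  echo DSS ;;
        id-ecPublicKey) echo ECDSA ;;
        *)              echo UNKNOWN ;;
    esac
}

# usable_ciphers AU: stdin = `openssl ciphers -v` output.
# Prints the names of the suites whose authentication field is Au=AU.
usable_ciphers() {
    awk -v want="Au=$1" '{
        for (i = 2; i <= NF; i++)
            if ($i == want) { print $1; break }
    }'
}

# check_cert CERT_FILE CIPHER_STRING: the live check; needs the openssl binary.
check_cert() {
    au=$(openssl x509 -in "$1" -noout -text | cert_auth)
    echo "certificate key authenticates as: $au"
    openssl ciphers -v "$2" | usable_ciphers "$au"
}

if [ "$#" -eq 2 ]; then
    check_cert "$1" "$2"
else
    # No arguments: run on the constructed samples above.
    au=$(printf '%s\n' "$SAMPLE_CERT_TEXT" | cert_auth)
    echo "sample key authenticates as: $au"
    printf '%s\n' "$SAMPLE_CIPHERS" | usable_ciphers "$au"
fi
```

Run with a certificate file and the configured SSLCipherSuite string as the two arguments; if the printed list contains only DSS suites, the certificate's key type, not the cipher configuration, is what limits the server.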