
I have an interesting problem with two Linux servers with Apache 2.4.9: I'm trying to disable SSL v3 and RC4 in order to block POODLE and keep SSL Labs happy. However, whenever I turn off SSL v3, I also lose TLS 1.1 and 1.2 (keeping only TLS 1.0).

Here's my Apache version:

$ apachectl -v
Server version: Apache/2.4.9 (Unix)
Server built:   Mar 24 2014 10:51:20

And OpenSSL:

$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

And Linux:

$ cat /proc/version
Linux version 2.6.32-279.11.1.el6.x86_64 (mockbuild@x86-009.build.bos.redhat.com) (gcc version 4.4.6 20120305 (Red Hat 4.4.6-4) (GCC) ) #1 SMP Sat Sep 22 07:10:26 EDT 2012

Here's what I tried:

# TLS 1.0 only
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite MEDIUM:HIGH:!RC4

This first one is what I would expect to work, and I have used it successfully in other Apache installations. The result is TLS 1.0 only.

# SSLv3, TLS1.0, 1.1, 1.2
SSLProtocol all -SSLv2
SSLCipherSuite MEDIUM:HIGH:!RC4

This turns off RC4, and keeps TLS 1.0, 1.1 and 1.2, but SSL v3 is also enabled.

Finally:

# TLS 1.2 only
SSLProtocol all
SSLCipherSuite MEDIUM:HIGH:!RC4:!SSLv3

This combination results in TLS 1.2 only (no TLS 1.0 or 1.1, no SSL).

I'm thinking this is a bug in mod_ssl in the Apache I have. I'm curious if anyone here has seen this, and if you have found a way to have TLS 1.0, 1.1 and 1.2 enabled, but SSL disabled.

Thanks.

theglauber
  • You forgot to mention your Linux distribution and the origin of your Apache package. – Michael Hampton Aug 04 '15 at 17:19
  • Added Linux version. I don't know the origin of the Apache package, but it wasn't compiled from source. Probably `yum`. – theglauber Aug 04 '15 at 22:48
  • RHEL 6 did not come with that version of Apache. So that is still a question in need of an answer. – Michael Hampton Aug 04 '15 at 22:50
  • I'm sorry, I don't remember how this was fixed, and this has been over 2 years ago. I don't remember which server this was, and it probably doesn't exist anymore. I appreciate the answers, but I can't confirm them, so I'm going to close this question. – theglauber Jul 09 '18 at 14:52
  • I can't close, but flagged asking for closing. – theglauber Jul 09 '18 at 14:55

2 Answers


Is the use of MEDIUM preventing TLS 1.1 and 1.2 from being enabled? Below is my config. I don't remember why I forced the cipher order. I just checked at Qualys and it shows only TLS 1.0, 1.1 and 1.2 enabled.

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
albal
  • Thanks for the reply. This enabled TLS 1.0 only (no SSL, no TLS 1.1 or 1.2). I believe the cipher order is to nudge clients to use Forward Secrecy. – theglauber Aug 04 '15 at 16:05
  • I am using Scientific Linux release 6.6 (Carbon) with `Apache 2.2.15 Jul 22 2015 11:51:03` and `OpenSSL 1.0.1e-fips` – albal Aug 04 '15 at 19:13
  • @theglauber Does this post answer your question? – sebix Aug 16 '15 at 19:20
  • No. I tried the suggestion, and the result was it enabled TLS 1.0 only (no SSL, no TLS 1.1 or 1.2). I think I have a bad Apache version or build. – theglauber Aug 17 '15 at 15:41

You have a couple of things going on here. First, you are defining the transport layer security protocol versions you are going to support; second, you are defining the ciphers supported, which will then be negotiated during the client hello phase of the TLS handshake.

Based on the Apache documentation for 2.4 here: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html

You need to define your supported TLS versions, with a line that looks like this in your vhost container:

SSLProtocol TLSv1.1 TLSv1.2

Then you need to define your ciphers in your vhost container as well (the line below is included as an example):

SSLCipherSuite AES+kRSA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
frontsidebus
  • Thank you for your answer. This happened almost 3 years ago, and I don't remember what the solution was. I believe that server doesn't exist anymore. – theglauber Jul 09 '18 at 14:56