Questions tagged [mod-ssl]

The Apache Httpd interface to OpenSSL

mod_ssl is a module for the Apache HTTPD webserver which allows it to perform SSL and TLS encryption on connections. Documentation is provided by Apache covering installation and setup for httpd 2.0 and 2.2.

This tag should be used for questions around compiling, building, configuring, extending, provisioning, debugging and using mod_ssl.

For questions around building Apache modules on top of mod_ssl, or working on the code, the mod-ssl tag on StackOverflow is likely to be a better place to ask.

272 questions

8 votes, 4 answers

How to Disable SSLv2 for Apache httpd

I just tested my site on https://www.ssllabs.com/ and it said SSLv2 is insecure and I should disable that along with weak Cipher Suites. How can I disable that? I tried the following but it isn’t working. Went to /etc/httpd/conf.d/ssl.conf by ftp.…
Yahoo

7 votes, 2 answers

How to verify that SSL cipher order is being enforced?

I'm running Apache 2.2.31 and I'm trying to get Perfect Forward Secrecy working. Using Qualys SSL Labs shows that pretty much everything except IE is using ciphers that can use forward secrecy. I've verified that SSLHonorCipherOrder is set to on in…
Kyle

7 votes, 3 answers

"Server should be SSL-aware but has no certificate configured"

Ubuntu 14.04 Apache 2.4.7 w/mod_ssl I'm trying to install a (single) domain certificate. For some reason, apache does not accept it and refuses to start if the related website is enabled. Despite heavy googling, I can't make sense of the error…
pixeline

7 votes, 4 answers

SSL Library Error: 218570875 error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long

I am trying to install SSL certificate from a certificate authority into my httpd server in CentOS 5.x. When I configure it and start the server I am getting the following errors, [error]Init: Unable to read server certificate from file…
Abhishek

7 votes, 1 answer

How does Apache interpret multiple SSLRandomSeed sources

In my Apache configuration I have these lines: SSLRandomSeed connect builtin SSLRandomSeed connect file:/dev/random SSLRandomSeed connect file:/dev/urandom 1024 How, exactly, does Apache interpret this? Does it first try builtin and then move to…
user35042

7 votes, 8 answers

How do I disable MEDIUM and WEAK/LOW strength ciphers in Apache + mod_ssl?

A PCI Compliance scan has suggested that we disable Apache's MEDIUM and LOW/WEAK strength ciphers for security. Can someone tell me how to disable these ciphers? Apache v2.2.14 mod_ssl v2.2.14 This is what they've told us: Synopsis : The remote…
Keith Palmer Jr.

6 votes, 1 answer

Can I use both RSA and ECC certificates in apache?

If I simply use "SSLCertificateFile" and "SSLCertificateKeyFile" twice, the certificate chain is broken for the first one. Can I use both RSA and ECC certificate which is issued from different intermediate CA certificate? ================== Update:…
lizitian

6 votes, 1 answer

Is it possible to allow only some client certificates in Apache to login?

In my virtual host I have something like that: SSLEngine on SSLCertificateKeyFile /etc/apache2/ssl/svn.XXXXX.me.key SSLCertificateFile /etc/apache2/ssl/svn.XXXXX.me.crt SSLProtocol all SSLCipherSuite HIGH:MEDIUM …
Ency

6 votes, 1 answer

Upgrade openssl/mod_ssl on Mac OS X Server?

Context: I'm trying to set up an SVN server on a Mac OS X Server 10.6.7, and I'm running into the “SSL error parse tlsext” issue. I've tried changing the SSLProtocol option as described, but then I just get the "bad decompression" error. The other…
amrox

5 votes, 2 answers

Can I upgrade OpenSSL version used by apache without recompiling the server but just mod_ssl?

I have an Apache server on a Unix machine: Apache/2.2.29 (Unix) OpenSSL/0.9.8zg I would like to upgrade the OpenSSL version to 1.0.2, which is the version currently installed on my system: machine:/ user$ openssl version OpenSSL 1.0.2d 9 Jul…
user3019105

5 votes, 1 answer

ProxyPass HTTPS to other server

I have a server frontend.example.com with public IP. Its Apache (2.4) should proxy the traffic coming for service1.example.com (DNS alias to frontend.example.com). service1.example.com is a VM on a private LAN (192.168.56.0) between the two. Now,…
cornuz

5 votes, 2 answers

Authenticate with Client SSL Certificate OR basic auth

For security reasons, the authentication for a web application should be migrated to SSL client certificates. It should be possible to log in with either username/password or SSL. In addition, users from the intranet should be allowed to use the App…
Thomas Berger

5 votes, 2 answers

Why did git stop working after server disabled SSLv3?

Like most others, our repository server needs to disable SSLv3 (and v2) ASAP. However, doing so seems to break our git-clients -- at least, on RHEL5 (connections from my FreeBSD desktop work fine). Even the most recent git (2.1.2) fails, and…
Mikhail T.

5 votes, 0 answers

Apache 2.2 fails with "unable to write 'random state'" with 2048-bit RSA key (1024-bit works fine)

I'm usually pretty good with Apache and OpenSSL, but this one has me completely baffled. I'm running Apache 2.2.22 and OpenSSL 1.0.1 on a Ubuntu 12.04 LTS Server. I have an IP-based virtual host configured, which redirects all HTTP requests to HTTPS…
Calrion

5 votes, 1 answer

List of SSL Cipher Support by Browser

Not really sure if this is the appropriate SE to post this to, but here it is: Is there some online reference for what SSL ciphers are supported by the various browsers? Basically, I'm interested in hardening systems by ensuring lower key lengths…
Bratchley