On Tue, 24 Apr 2012 20:40:30 +0100
plot.lost articulated:

> On 24/04/2012 20:19, Carmel wrote:
>> On Tue, 24 Apr 2012 19:46:40 +0100
>> plot.lost articulated:
>>
>>> Having problems making TLS connections to an instance of apache.
>>>
>>> The server version is:
>>> Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8t
>>>
>>> The ssl config includes:
>>>
>>> SSLProtocol TLSv1 SSLv3
>>> SSLCipherSuite RC4-SHA:AES256-SHA:ALL:!ADH:!MD5:!EXP:!LOW:!NULL
>>> SSLHonorCipherOrder on
>>> # See
>>> http://journal.paul.querna.org/articles/2010/07/10/overclocking-mod_ssl/
>>> SSLVerifyClient none
>>> #SSLInsecureRenegotiation on
>>>
>>>
>>> If I try and connect using Firefox with only TLS enabled, the
>>> connection fails (get the message 'The connection to the server was
>>> reset while the page was loading'). With SSLv3 enabled in Firefox,
>>> the connection works fine.
>>>
>>> Trying using the openssl command line:
>>>
>>> openssl s_client -connect 127.0.0.1:443 -tls1
>>>
>>> gets
>>>
>>> CONNECTED(00000003)
>>> 15265:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284:
>>>
>>> When trying with
>>>
>>> openssl s_client -connect 127.0.0.1:443 -sslv3
>>>
>>> the connection works
>>>
>>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>>> Server public key is 4096 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>     Protocol  : SSLv3
>>>     Cipher    : DHE-RSA-AES256-SHA
>>>     Session-ID: F86A80F46AF9AD0626B1051223C184553FC25B92AF1763E6728CAEF984C4CB58
>>>     Session-ID-ctx:
>>>     Master-Key: E0BE122F6671905DB5BBC40F874157F1A4625FC32A19AE1D67EC2255DC05DC7723A69A26A942E874C8CC219A28BB4936
>>>     Key-Arg   : None
>>>     Start Time: 1335292940
>>>     Timeout   : 7200 (sec)
>>>
>>>
>>> Any clues as to why the TLS connection is not working - is there
>>> some config value I am missing or have wrong?
>>
>> What version of SSL are you using? There was a problem with the
>> update of "openssl-1.0.1a" that caused problems with Postfix with
>> certain domains.
>>
>> Try this for starters:
>>
>> openssl s_client -connect 127.0.0.1:443 -tls1_2
>> openssl s_client -connect 127.0.0.1:443 -tls1_1
>> openssl s_client -connect 127.0.0.1:443 -tls1
>> openssl s_client -connect 127.0.0.1:443 -ssl3
>>
>> Post the connect or fail results back here.
>>
> Command line openssl version is:
>
> OpenSSL 0.9.8t 18 Jan 2012 (Library: OpenSSL 0.9.8k 25 Mar 2009)
>
> -tls1_1 and -tls1_2 are not recognised options
> -tls1 fails
> -ssl3 connects fine.
>
> The apache httpd has been compiled against the same openssl (and is
> running on the same box, ubuntu 10.04 LTS)
>
> Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8t

I have Firefox 11.0 and Apache-2.2.22 and OpenSSL 1.0.1a installed, so all of those protocols work correctly. You might want to consider updating your "openssl" to the latest version. Unfortunately, you will have to recompile everything linked against it. That can be trivial or major depending on your system.

-- 
Carmel ✌
carmel_ny@xxxxxxxxxxx

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
__________________________________________________________________
Love is staying up all night with a sick child, or a healthy adult.
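The protocol-by-protocol probe that Carmel asks for can be scripted so the four runs are classified rather than eyeballed. The script below is an added example, not code from either poster; it takes host and port as arguments (the thread used 127.0.0.1:443) and sorts each s_client run into the three outcomes that appear in the thread: the flag is unknown to this openssl build (0.9.8 has no -tls1_1/-tls1_2), the handshake dies with the record-layer "wrong version number" error, or a cipher is negotiated. The sample outputs at the bottom are constructed, modelled on the ones pasted above, so the classifier can be exercised without a server.

```shell
#!/bin/sh
# Added example (not from the thread): run one openssl s_client handshake per
# protocol flag and classify the result. HOST and PORT are script arguments.

# classify_sclient OUTPUT -> one of:
#   unknown-option  this openssl build does not know the flag
#   wrong-version   record layer rejected the version (SSL3_GET_RECORD error)
#   ok              handshake completed and a cipher was negotiated
#   fail            anything else (connected but no cipher, refused, etc.)
# Order matters: an "unknown option" run never reaches the network, and a
# "wrong version number" run still prints CONNECTED before failing.
classify_sclient() {
    case "$1" in
        *"unknown option"*|*"Unknown option"*) echo unknown-option ;;
        *"wrong version number"*)              echo wrong-version ;;
        *"Cipher is (NONE)"*)                  echo fail ;;
        *"Cipher is "*)                        echo ok ;;
        *)                                     echo fail ;;
    esac
}

# probe HOST PORT FLAG: one handshake, stdin from /dev/null so s_client
# exits right after the handshake instead of waiting for input.
# "|| true" keeps a failed handshake from aborting the script under set -e.
probe() {
    out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1) || true
    classify_sclient "$out"
}

# probe_all HOST PORT: one line per protocol flag, newest first.
probe_all() {
    for flag in -tls1_2 -tls1_1 -tls1 -ssl3; do
        printf '%-8s %s\n' "$flag" "$(probe "$1" "$2" "$flag")"
    done
}

# Constructed sample outputs (not real captures) for exercising the classifier.
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA'
SAMPLE_WRONG_VERSION='CONNECTED(00000003)
15265:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284:'
SAMPLE_UNKNOWN='unknown option -tls1_2
usage: s_client args'
SAMPLE_NO_CIPHER='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)'

# Only touch the network when a host and port are given on the command line.
if [ $# -eq 2 ]; then
    probe_all "$1" "$2"
fi
```

Run it as `sh probe.sh 127.0.0.1 443` against the server in question. With the 0.9.8 build from the thread the -tls1_2 and -tls1_1 rows read unknown-option, which is exactly what plot.lost reported, and a run of the same script from a newer openssl on another box shows which of the gaps are the client's and which are the server's. Builds that compile SSLv3 out will not complete the -ssl3 probe either, so compare the client version (openssl version) before reading the rows.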