Igor, On 4/17/14, 8:56 PM, Igor Cicimov wrote: > > On 18/04/2014 2:30 AM, "Hanno Böck" <hanno@xxxxxxxxx > <mailto:hanno@xxxxxxxxx>> wrote: >> >> On Thu, 17 Apr 2014 12:27:37 -0400 >> Christopher Schultz <chris@xxxxxxxxxxxxxxxxxxxxxx > <mailto:chris@xxxxxxxxxxxxxxxxxxxxxx>> wrote: >> >> > I'm trying to enable (and prefer!) ECDHE ciphers for clients that can >> > support them. I've done the obvious: >> [...] >> > I'm running httpd 2.2.23 >> >> That's your problem. Get rid of that old cruft. You'll need apache 2.4 >> (for that and for many other improvements regarding ssl encryption). >> > No you don't i have 2.2 with latest openssl-1.0.1g on all my servers and > TLSv1.2 and ECDHE ciphers are supported. I checked, and even though I have the OpenSSL 1.0.1g package installed, it appears that httpd was compiled against OpenSSL 1.0.0. When I look at the start up log, it says: [Mon Apr 14 15:49:34 2014] [notice] Apache/2.2.23 (Unix) DAV/2 mod_jk/1.2.37 PHP/5.3.28 mod_ssl/2.2.23 OpenSSL/1.0.0-fips configured -- resuming normal operations On another test server, I upgraded to the latest 2.2.x httpd I can get from Amazon, which is 2.2.26. I re-started and still can't seem to use the ECDHE algorithms. On that same (second) test server I upgraded to httpd 2.4.9. Here is the startup log message there: [Fri Apr 18 15:53:26.330856 2014] [mpm_prefork:notice] [pid 15337] AH00163: Apache/2.4.9 (Amazon) OpenSSL/1.0.1e-fips PHP/5.5.10 mod_jk/1.2.40 configured -- resuming normal operations I'm now able to use the ECDHE ciphers. Everything appears to be dynamically-linked, so I can't understand why 2.2.x reports it's running with OpenSSL 1.0.0 when I clearly have 1.0.1 installed. This is almost certainly an Amazon-Linux-related thing if you were able to get ECDHE ciphers working on 2.2.x. I wonder, what does your startup string say about OpenSSL? The good news is that I really did only have to put it in my ciphers list. Thanks, -chris
Attachment:
signature.asc
Description: OpenPGP digital signature
|