Re: Enabling ECDHE ciphers

Re the version of OpenSSL, I reported this last week to this list.

Seems that OpenSSL-1.0.1g is linked to libssl-1.0.0, not the usual libssl-1.x.x format.

Probably a make file error, but it really seems to be 1.0.1g.

John
=================================
On Friday 18 April 2014 12:14:32 Christopher Schultz wrote:
> Igor,
> 
> On 4/17/14, 8:56 PM, Igor Cicimov wrote:
> > On 18/04/2014 2:30 AM, "Hanno Böck" <hanno@xxxxxxxxx> wrote:
> >> On Thu, 17 Apr 2014 12:27:37 -0400
> >> Christopher Schultz <chris@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> >> > I'm trying to enable (and prefer!) ECDHE ciphers for clients that
> >> > can support them. I've done the obvious:
> >> [...]
> >> 
> >> > I'm running httpd 2.2.23
> >> 
> >> That's your problem. Get rid of that old cruft. You'll need apache
> >> 2.4 (for that and for many other improvements regarding ssl
> >> encryption).
> > 
> > No you don't, I have 2.2 with the latest openssl-1.0.1g on all my servers
> > and TLSv1.2 and ECDHE ciphers are supported.
> 
> I checked, and even though I have the OpenSSL 1.0.1g package installed,
> it appears that httpd was compiled against OpenSSL 1.0.0. When I look at
> the start up log, it says:
> 
> [Mon Apr 14 15:49:34 2014] [notice] Apache/2.2.23 (Unix) DAV/2
> mod_jk/1.2.37 PHP/5.3.28 mod_ssl/2.2.23 OpenSSL/1.0.0-fips configured --
> resuming normal operations
> 
> On another test server, I upgraded to the latest 2.2.x httpd I can get
> from Amazon, which is 2.2.26. I re-started and still can't seem to use
> the ECDHE algorithms.
> 
> On that same (second) test server I upgraded to httpd 2.4.9. Here is the
> startup log message there:
> 
> [Fri Apr 18 15:53:26.330856 2014] [mpm_prefork:notice] [pid 15337]
> AH00163: Apache/2.4.9 (Amazon) OpenSSL/1.0.1e-fips PHP/5.5.10
> mod_jk/1.2.40 configured -- resuming normal operations
> 
> I'm now able to use the ECDHE ciphers.
> 
> Everything appears to be dynamically-linked, so I can't understand why
> 2.2.x reports it's running with OpenSSL 1.0.0 when I clearly have 1.0.1
> installed. This is almost certainly an Amazon-Linux-related thing if you
> were able to get ECDHE ciphers working on 2.2.x.
> 
> I wonder, what does your startup string say about OpenSSL?
> 
> The good news is that I really did only have to put it in my ciphers
> list.
> 
> Thanks,
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
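A check for the situation the thread describes (httpd reporting OpenSSL 1.0.0 while 1.0.1g is installed), added here as example code that is not from any of the list posts. It assumes a GNU/Linux userland (ldd, strings, awk) and a mod_ssl.so path supplied by the caller; the 1.0.1 threshold is simply the level at which the thread reports ECDHE suites working (1.0.0-fips did not).

```shell
#!/bin/sh
# The soname libssl.so.1.0.0 is shared by the whole 1.0.x series, so the
# file name alone cannot tell 1.0.0 from 1.0.1g. The version string embedded
# in the library (and echoed in the httpd startup log) can.

# Extract "1.0.0" or "1.0.1e" from either form seen in practice:
#   "... mod_ssl/2.2.23 OpenSSL/1.0.0-fips configured ..."  (httpd startup log)
#   "OpenSSL 1.0.1g 7 Apr 2014"                              (strings / openssl version)
openssl_version_of() {
    printf '%s\n' "$1" | sed -n 's|.*OpenSSL[/ ]\([0-9][0-9.]*[a-z]*\).*|\1|p' | head -n 1
}

# Numeric rank of major.minor.patch; letter and "-fips" suffixes are ignored.
version_rank() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    set -- $(printf '%s' "$v" | tr '.' ' ')   # word-split into fields
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# Succeeds when the version is at least 1.0.1 (threshold observed in the thread).
supports_ecdhe() {
    [ "$(version_rank "$1")" -ge 10001 ]
}

# Report which libssl a binary or module really loads and its embedded version,
# then apply the ECDHE threshold. Example (hypothetical path):
#   linked_openssl /usr/lib64/httpd/modules/mod_ssl.so
linked_openssl() {
    lib=$(ldd "$1" 2>/dev/null | awk '/libssl/ { print $3; exit }')
    [ -n "$lib" ] || { echo "no libssl linked into $1" >&2; return 1; }
    ver=$(openssl_version_of "$(strings "$lib" | grep '^OpenSSL [0-9]' | head -n 1)")
    echo "$1 -> $lib (OpenSSL $ver)"
    supports_ecdhe "$ver"
}
```

From the outside, `openssl s_client -connect host:443 -cipher 'ECDHE' </dev/null` shows whether an ECDHE suite is actually negotiated once the library question is settled.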