Further to my previous post, the log reports: [Sun Apr 13 03:20:08.591247 2014] [mpm_event:notice] [pid 11737:tid 140478837470976] AH00489: Apache/2.4.9 (Unix) OpenSSL/1.0.1g configured -- resuming normal operations [Sun Apr 13 03:20:08.591283 2014] [core:notice] [pid 11737:tid 140478837470976] AH00094: Command line: '/usr/apache-2.4.9/bin/httpd' BUT the libssl in use, and resulting from installing OpenSSL-1.0.1g, is libssl-1.0.0 John ========================================== On Friday 18 April 2014 13:08:12 John Iliffe wrote: > Re the version of OpenSSL, I reported this last week to this list. > > Seems that OpenSSL-1.0.1g is linked to libssl-1.0.0, not the usual > libssl-1.x.x format. > > Probably a make file error, but it really seems to be 1.0.1g. > > John > ================================= > > On Friday 18 April 2014 12:14:32 Christopher Schultz wrote: > > Igor, > > > > On 4/17/14, 8:56 PM, Igor Cicimov wrote: > > > On 18/04/2014 2:30 AM, "Hanno Böck" <hanno@xxxxxxxxx > > > > > > <mailto:hanno@xxxxxxxxx>> wrote: > > >> On Thu, 17 Apr 2014 12:27:37 -0400 > > >> Christopher Schultz <chris@xxxxxxxxxxxxxxxxxxxxxx > > > > > > <mailto:chris@xxxxxxxxxxxxxxxxxxxxxx>> wrote: > > >> > I'm trying to enable (and prefer!) ECDHE ciphers for clients that > > >> > can > > >> > > >> > support them. I've done the obvious: > > >> [...] > > >> > > >> > I'm running httpd 2.2.23 > > >> > > >> That's your problem. Get rid of that old cruft. You'll need apache > > >> 2.4 (for that and for many other improvements regarding ssl > > >> encryption). > > > > > > No you don't i have 2.2 with latest openssl-1.0.1g on all my servers > > > and TLSv1.2 and ECDHE ciphers are supported. > > > > I checked, and even though I have the OpenSSL 1.0.1g package > > installed, it appears that httpd was compiled against OpenSSL 1.0.0. > > When I look at the start up log, it says: > > > > [Mon Apr 14 15:49:34 2014] [notice] Apache/2.2.23 (Unix) DAV/2 > > mod_jk/1.2.37 PHP/5.3.28 mod_ssl/2.2.23 OpenSSL/1.0.0-fips configured > > -- resuming normal operations > > > > On another test server, I upgraded to the latest 2.2.x httpd I can get > > from Amazon, which is 2.2.26. I re-started and still can't seem to use > > the ECDHE algorithms. > > > > On that same (second) test server I upgraded to httpd 2.4.9. Here is > > the startup log message there: > > > > [Fri Apr 18 15:53:26.330856 2014] [mpm_prefork:notice] [pid 15337] > > AH00163: Apache/2.4.9 (Amazon) OpenSSL/1.0.1e-fips PHP/5.5.10 > > mod_jk/1.2.40 configured -- resuming normal operations > > > > I'm now able to use the ECDHE ciphers. > > > > Everything appears to be dynamically-linked, so I can't understand why > > 2.2.x reports it's running with OpenSSL 1.0.0 when I clearly have > > 1.0.1 installed. This is almost certainly an Amazon-Linux-related > > thing if you were able to get ECDHE ciphers working on 2.2.x. > > > > I wonder, what does your startup string say about OpenSSL? > > > > The good news is that I really did only have to put it in my ciphers > > list. > > > > Thanks, > > -chris > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|