Re: TLS 1.1 and 1.2 and SNI support

On Mon, May 23, 2016 at 4:39 PM, Eric Covener <covener@xxxxxxxxx> wrote:
On Mon, May 23, 2016 at 9:36 AM, linux.il <linux.il@xxxxxxxxx> wrote:
> As far as I see from my experiments (Apache 2.4.6 on RHEL7) and users
> reports, SNI needs TLS 1.0 and doesn't work with TLS1.1/1.2.
> This behavior seems really weird to me; unfortunately I couldn't find any
> explanation for it.
> My question is: did I miss something? Is there any way to use SNI w/o
> TLSv1?
> We want to disable TLS 1.0, but don't want to lose SNI functionality.
>
> URLs:
> - https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI "The first
> (default) vhost for SSL name-based virtual hosts must include TLSv1 as a
> permitted protocol"
> -
> http://serverfault.com/questions/700143/does-sni-really-require-tlsv1-insecure
>
> TIA,
> Vitaly
> PS: I understand that my question is not 100% on-topic but I hope it's close
> enough.


All of those references are contrasting TLSv1 with SSLv3, not with
TLSv1.2.  SNI works fine with TLSv1.0 _and later_

--
Eric Covener
covener@xxxxxxxxx

Eric,
Thank you!
For some reason, if I add "-TLSv1" to the SSLProtocol directive in my default SSL vhost, SNI isn't working anymore:

 "SSLProtocol             All -SSLv2 -SSLv3 -TLSv1"
 
