Hello Phil – that sounds as if when the traffic comes through the public gateway, SSL is offloading to an interim gateway device rather than at the Apache server.
Are there any interim gateway devices?
If so – do they manage SSL offloading?
Theo
From: Phil Smith [mailto:philboonz@xxxxxxxxx]
Sent: 13 July 2016 21:47
To: users@xxxxxxxxxxxxxxxx
Subject: SSLProtocol and TLSv1
I'm running Apache distributed via CentOS6:
Server: Apache/2.2.15 (CentOS)
I'm attempting to disable TLSv1.0 in ssl.conf using either of:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
or
SSLProtocol +TLSv1.1 +TLSv1.2
Either setting seems to work in disabling TLSv1 if the apache server is requested via private IP address.
However, neither seem to work in disabling TLSv1 if the apache server is requested via public IP address.
I'm using openssl to test support for tlsv1 using:
/usr/bin/openssl s_client -connect x.x.x.x:443 -tls1
When x.x.x.x is replaced with private IP address, TLSv1 is not supported.
When x.x.x.x is replaced with public IP address, TLSv1 is supported.
NAT'ing is set up properly from the private to public IP addresses that I am using to test.
openssl version is:
$ openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
The server is configured for IP based virtual hosts.
Does anyone have any idea why this would be happening?
Thank you.
|