Re: apache 2.4.10 sslv3 not offering when tls is enabled (Apache Users)

Just tried a fresh install

allowed all ciphers (just for testing)

with

$
# options.
# Enable only secure ciphers:
SSLCipherSuite ALL:!aNULL

# SSL server cipher order preference:
# Use server priorities for cipher algorithm choice.
# Clients may prefer lower grade encryption. You should enable this
# option if you want to enforce stronger encryption, and can afford
# the CPU cost, and did not override SSLCipherSuite in a way that puts
# insecure ciphers first.
# Default: Off
SSLHonorCipherOrder on

# The protocols to enable.
# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
# SSL v2 is no longer supported
#SSLProtocol all -SSLv3
#SSLProtocol SSLv3
SSLProtocol SSLv3 +all

Where

SSLProtocol all -SSLv3 ==> logically only TLS
#SSLProtocol SSLv3 ==> logaically only SSLv3
SSLProtocol SSLv3 +all ==> only TLS :-( tried all combinations

:-(

Hide details for Sven Crul ---10/02/2017 10:10:28---at this moment i have this But i had everything :-p

Sven Crul ---10/02/2017 10:10:28---at this moment i have this But i had everything :-p

From: Sven Crul <Sven.Crul@xxxxxxxxxxx>
To: users@xxxxxxxxxxxxxxxx
Date: 10/02/2017 10:10
Subject: Re: apache 2.4.10 sslv3 not offering when tls is enabled

at this moment i have this

But i had everything :-p

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate. See the
# ciphers(1) man page from the openssl package for list of all available
# options.
# Enable only secure ciphers:
#SSLCipherSuite HIGH:MEDIUM:ALL:!aNULL
SSLCipherSuite TLSv1.2:TLSv1.1:TLSv1:SSLv3

# SSL server cipher order preference:
# Use server priorities for cipher algorithm choice.
# Clients may prefer lower grade encryption. You should enable this
# option if you want to enforce stronger encryption, and can afford
# the CPU cost, and did not override SSLCipherSuite in a way that puts
# insecure ciphers first.
# Default: Off
SSLHonorCipherOrder on

# The protocols to enable.
# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
# SSL v2 is no longer supported
#SSLProtocol -all +TLSv1 +SSLv3
SSLProtocol SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

Daniel ---10/02/2017 10:00:54---do you change SSLCipherSuite?, show us which one you have 2017-02-10 9:29 GMT+01:00 Sven Crul <Sven.

Daniel ---10/02/2017 10:00:54---do you change SSLCipherSuite?, show us which one you have 2017-02-10 9:29 GMT+01:00 Sven Crul <Sven.

From: Daniel <dferradal@xxxxxxxxx>
To: "<users@xxxxxxxxxxxxxxxx>" <users@xxxxxxxxxxxxxxxx>
Date: 10/02/2017 10:00
Subject: Re: apache 2.4.10 sslv3 not offering when tls is enabled

do you change SSLCipherSuite?, show us which one you have

2017-02-10 9:29 GMT+01:00 Sven Crul <Sven.Crul@xxxxxxxxxxx>:

Hi,

First off all Thanks , like already said I tried about everything :-( nevertheless i tried all of them again ... without success.

I cannot get the server to offer SSLV3 when TLS is enabled (Any TLS ) when I do ssl protocol SSLv3 then sslv3 works but from the moment I add TLS , SSLv3 no longer works

Sven

Mitchell Krog Photography ---10/02/2017 08:26:09---Your SSL config for Apache 2.4.10 should be as follows <VirtualHost *:443>
Mitchell Krog Photography ---10/02/2017 08:26:09---Your SSL config for Apache 2.4.10 should be as follows <VirtualHost *:443>

From: Mitchell Krog Photography <mitchellkrog@xxxxxxxxx>
To: Christopher Schultz <chris@xxxxxxxxxxxxxxxxxxxxxx>, users@xxxxxxxxxxxxxxxx
Date: 10/02/2017 08:26
Subject: Re: apache 2.4.10 sslv3 not offering when tls is enabled

Your SSL config for Apache 2.4.10 should be as follows

<VirtualHost *:443>
...
SSLEngine on
SSLCertificateFile /path/to/signed_certificate_followed_by_intermediate_certs
SSLCertificateKeyFile /path/to/private/key

# Uncomment the following directive when using client certificate authentication
#SSLCACertificateFile /path/to/ca_certs_for_client_authentication

# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
...
</VirtualHost>

# intermediate configuration, tweak to your needs
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off

# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

Always check with >

https://mozilla.github.io/server-side-tls/ssl-config-generator/

From: Christopher Schultz

<chris@xxxxxxxxxxxxxxxxxxxxxx>

Reply:

users@xxxxxxxxxxxxxxxx

<users@xxxxxxxxxxxxxxxx>

Date: 10 February 2017 at 12:15:30 AM
To:

users@xxxxxxxxxxxxxxxx

<users@xxxxxxxxxxxxxxxx>

Subject: Re: apache 2.4.10 sslv3 not offering when tls is enabled

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Daniel,

On 2/9/17 4:53 PM, Daniel wrote:
> Try manually:
>
> SSLProtocol SSLv3 TLSv1 TLSv1.1 TLSv1.2

And, please, for the love of god, add these, too:

SSLHonorServerOrder On
SSLCipherSuite TLSv1.2:TLSv1.1:TLSv1:SSLv3

This will cause "better" ciphers to be preferred over the lesser ones.
Don't forget to eliminate the insecure ones like EXPORT, MD5, DES,
RC4, etc.

A typical cipher string I might use looks like this:

SSLCipherSuite
!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:!RC4:ECDHE:ECDH:DHE:AES256-GCM-SH
A384:AES128-GCM-SHA256:HIGH

- -chris

> 2017-02-09 17:30 GMT+01:00 Sven Crul <

Sven.Crul@xxxxxxxxxxx

> <mailto:

Sven.Crul@xxxxxxxxxxx

>>:
>
> Hi,
>
>
> I switch to debian with apache 2.4.10 where I need sslv3 for
> backwards compatibility with some OLD clients
>
> I use openssl 1.0.1t (latest stable for debian)
>
>
> with the settings "sslprotocol all" in ssl.conf sslv3 is not
> offered
>
> with the setting "sslprotocol sslv3" in ssl.conf it works but
> unfortunately without tls (I need TLS also)
>
>
> I must be the only one who has this problem because can't find
> anything about it anywhere, and I tried about anything there is
>
>
> sslprotocol all +sslv3 ... etc nothing works
>
>
> Anybody has an idea
>
>
> THX!!!!!
>
> Sven
>
>
>
>
>
>
> -- *Daniel Ferradal* IT Specialist
>
> email dferradal at

gmail.com

http://gmail.com

> linkedin
>

es.linkedin.com/in/danielferradal

> <

http://es.linkedin.com/in/danielferradal

>
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools -

http://gpgtools.org

Comment: Using GnuPG with Thunderbird -

http://www.enigmail.net/

iQIcBAEBCAAGBQJYnOoCAAoJEBzwKT+lPKRYgnkP/jHquyBGVH2uYKcF6Pzyn7Uw
LduZ+8eVqnSC5OsI7s6HBZrqxJthIb2c5Ns+w/rR8ga4o86bzWd+Shr+lwI41UXJ
gEjJDUyQYN5/1YMwlc+w/MFyqgWIaJTdJEhC1kgBMzQzNt53og13tMT7z93rvMsE
NZC1Gb0ANYx68d4/QC/J1Qoh3H0PkqLniHuV6GOuM7zeu9i5IcLQDW4WX7yXcG63
2VsTKwcPdQ1uH3t3i5c3+bbtvWsfMn0bj5Z8SaYInpLWX1swIBLh9b2+dzD5+A2Q
wLgSdIqgZhbkSyqFvq8oqXiaKQ6oxXVXfEJ6bivTkQNbyflR64eqqWXSRsc/RxfK
GJnalLogEM3iP2L7BUAE7Ok3r8xP4Drxy8JaVSLYNm+0BboSP80MZ0YPiIKcniZF
lkyQwyqOWX+OO1Eo0Z6SOTRoRMbymIPvgV+34aVp4admwNtfUN/2F+dPn+7xExHW
Y5oA7j9qBEYXJg63AHY3R//tGm/rtnDlHPt8bxCw5tWrR6HFgoqabyR5MhSYpfED
g8ReWrkd+Ygr10++hw2wwHf9Qwq9jHa2WYhGQyT5HiTIm+ui1X5gD19p9rpyCfcn
ARZ+NgoBHjFGNg0gLu1m3mwDDElnr9/kQE+KRdoVnICm18i3vO4CXzZLUC3moPRR
43zsMR858V8ZOZThX0s7
=/YOD
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail:

users-unsubscribe@xxxxxxxxxxxxxxxx

For additional commands, e-mail:

users-help@xxxxxxxxxxxxxxxx

--
Daniel Ferradal
IT Specialist

email dferradal at gmail.com
linkedin es.linkedin.com/in/danielferradal