RE: how to enable TLS v1.1 and TLS v1.2 alone in Apache 2.4.10 ?

Hi Luca,

Can you please let me know what details you require for the below?

I’m using the below syntax to block SSLv2 and v3.

SSLProtocol all -SSLv2 -SSLv3

Below is the log for it after starting Apache. Please let me know if this information is sufficient to proceed further.

[Fri May 05 08:23:25.650618 2017] [ssl:warn] [pid 4128986:tid 1] AH01906: XXXXX:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri May 05 08:23:25.650629 2017] [ssl:warn] [pid 4128986:tid 1] AH01909: XXXXX:443:0 server certificate does NOT include an ID which matches the server name
[Fri May 05 08:23:25.674714 2017] [auth_digest:notice] [pid 12452008:tid 1] AH01757: generating secret for digest authentication ...
[Fri May 05 08:23:25.677590 2017] [ssl:warn] [pid 12452008:tid 1] AH01906: XXXXX443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri May 05 08:23:25.677614 2017] [ssl:warn] [pid 12452008:tid 1] AH01909: XXXXX443:0 server certificate does NOT include an ID which matches the server name
[Fri May 05 08:23:25.677829 2017] [ssl:warn] [pid 12452008:tid 1] AH01906: XXXXX:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri May 05 08:23:25.677840 2017] [ssl:warn] [pid 12452008:tid 1] AH01909: XXXXX:443:0 server certificate does NOT include an ID which matches the server name
[Fri May 05 08:23:25.677937 2017] [lbmethod_heartbeat:notice] [pid 12452008:tid 1] AH02282: No slotmem from mod_heartmonitor
[Fri May 05 08:23:25.738129 2017] [mpm_worker:notice] [pid 12452008:tid 1] AH00292: Apache/2.4.10 (Unix) OpenSSL/0.9.8y configured -- resuming normal operations
[Fri May 05 08:23:25.738216 2017] [core:notice] [pid 12452008:tid 1] AH00094: Command line: '/opt/httpd/sbin/httpd'

Then I tried to block TLSv1 using the below syntax and tried to refresh Apache.

SSLProtocol all -SSLv2 -SSLv3 -TLSv1

While stopping, it stopped without a problem, but when starting it gave “Starting Apache 2.4...” but it didn’t start.

-bash-4.2# ./httpd stop
Stopping Apache...
-bash-4.2# ./httpd start
Starting Apache 2.4...
httpd (pid 12452008) already running
-bash-4.2# ./httpd start
Starting Apache 2.4...
-bash-4.2# ps -ef | grep -i http
-bash-4.2#

And in the error_log, I could see the below errors.

[Fri May 05 08:31:00.620940 2017] [mpm_worker:notice] [pid 12452008:tid 1] AH00295: caught SIGTERM, shutting down
[Fri May 05 08:31:01.164809 2017] [ssl:warn] [pid 11731186:tid 1] AH01906: XXXXX:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri May 05 08:31:01.164851 2017] [ssl:warn] [pid 11731186:tid 1] AH01909: XXXXX:443:0 server certificate does NOT include an ID which matches the server name
[Fri May 05 08:31:01.164912 2017] [ssl:emerg] [pid 11731186:tid 1] AH02231: No SSL protocols available [hint: SSLProtocol]
[Fri May 05 08:31:01.164918 2017] [ssl:emerg] [pid 11731186:tid 1] AH02312: Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed

Regards,
Krishna

From: Luca Toscano [mailto:toscano.luca@xxxxxxxxx]
Sent: Tuesday, May 02, 2017 2:53 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] how to enable TLS v1.1 and TLS v1.2 alone in Apache 2.4.10 ?

Hi,

I'd suggest reaching out to the IRC #httpd channel on Freenode; a lot of people in there can help you more quickly than a users@ email thread, especially due to the fact that your issue will require a lot of details not yet provided.

Luca

2017-05-01 15:20 GMT+02:00 Chunduru, Krishnachaithanya <Krishnachaithanya.Chunduru@xxxxxxxxxxxxxx>:

Hi,

Thanks for the info.

I have already tried this, but was getting a fatal mod_ssl error while enabling TLSv1.1 or 1.2.

Regards,
Krishna

From: K R [mailto:kp0773@xxxxxxxxx]
Sent: Saturday, April 29, 2017 9:28 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] how to enable TLS v1.1 and TLS v1.2 alone in Apache 2.4.10 ?

On Wed, Apr 19, 2017 at 7:37 AM, Chunduru, Krishnachaithanya <Krishnachaithanya.Chunduru@xxxxxxxxxxxxxx> wrote:

Hi Eric/All,

Can you please help me with the below.

Regards,
Krishna


-----Original Message-----
From: Chunduru, Krishnachaithanya [mailto:Krishnachaithanya.Chunduru@xxxxxxxxxxxxxx]
Sent: Monday, April 17, 2017 6:34 PM
To: users@xxxxxxxxxxxxxxxx
Subject: RE: [users@httpd] how to enable TLS v1.1 and TLS v1.2 alone in Apache 2.4.10 ?

Hi Eric,

The openssl version we used while installing Apache 2.4.10 is 1.0.1.515.

Regards,
Krishna

-----Original Message-----
From: Eric Covener [mailto:covener@xxxxxxxxx]
Sent: Monday, April 17, 2017 6:18 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] how to enable TLS v1.1 and TLS v1.2 alone in Apache 2.4.10 ?

On Mon, Apr 17, 2017 at 6:59 AM, Chunduru, Krishnachaithanya <Krishnachaithanya.Chunduru@xxxxxxxxxxxxxx> wrote:
> Are TLS v1.1 and v1.2 not supported in Apache 2.4.10 running with
> Openssl 1.0.2.1000? Your suggestions are highly appreciated as this is
> pending in my account for a long time.

It probably depends what openssl build your httpd was built against, not just what's loaded at runtime.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system.
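
Added example, not part of the original thread or of httpd itself: shell functions that read the OpenSSL version from the AH00292 startup banner in the posted log (OpenSSL/0.9.8y) and model which protocols an SSLProtocol line leaves enabled, showing why `all -SSLv2 -SSLv3 -TLSv1` ends in AH02231 on that build. It assumes the meaning of `all` documented for 2.4.10 (SSLv3 and TLSv1, plus TLSv1.1 and TLSv1.2 only with OpenSSL 1.0.1 or later); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: models which protocols an SSLProtocol line leaves enabled.
# Function names are hypothetical; the log lines are copied from the thread.

sample_log() {
cat <<'EOF'
[Fri May 05 08:23:25.738129 2017] [mpm_worker:notice] [pid 12452008:tid 1] AH00292: Apache/2.4.10 (Unix) OpenSSL/0.9.8y configured -- resuming normal operations
[Fri May 05 08:31:01.164912 2017] [ssl:emerg] [pid 11731186:tid 1] AH02231: No SSL protocols available [hint: SSLProtocol]
EOF
}

# Print the OpenSSL version from the last AH00292 banner read on stdin.
banner_openssl_version() {
    sed -n '/AH00292/s|.*OpenSSL/\([0-9][0-9.]*[a-z]*\).*|\1|p' | tail -n 1
}

# Succeed if version $1 is 1.0.1 or later (first OpenSSL with TLS 1.1/1.2).
has_tls11_plus() {
    v=$(printf '%s\n' "$1" | sed 's/[a-z]*$//')   # 0.9.8y -> 0.9.8
    [ -n "$v" ] || return 1
    oldest=$(printf '%s\n%s\n' "$v" 1.0.1 | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "1.0.1" ]
}

# Print what SSLProtocol arguments $2... leave enabled under OpenSSL $1.
# Assumption: "all" as documented for 2.4.10; only all, +X and -X are modelled.
enabled_protocols() {
    ver=$1; shift
    avail="SSLv3 TLSv1"
    if has_tls11_plus "$ver"; then avail="$avail TLSv1.1 TLSv1.2"; fi
    on=""
    for tok in "$@"; do
        case $tok in
            all) on=$avail ;;
            -*)  new=""
                 for p in $on; do [ "$p" = "${tok#-}" ] || new="$new $p"; done
                 on=$new ;;
            +*)  case " $avail " in *" ${tok#+} "*) on="$on ${tok#+}" ;; esac ;;
        esac
    done
    echo $on    # unquoted on purpose: trims and collapses the spaces
}

ver=$(sample_log | banner_openssl_version)
left=$(enabled_protocols "$ver" all -SSLv2 -SSLv3 -TLSv1)
echo "OpenSSL $ver: enabled = ${left:-none, expect AH02231 at startup}"
```

Feeding a real error_log to `banner_openssl_version` before tightening SSLProtocol shows whether TLSv1 is the only protocol that would be left to remove.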
