Re: Weird SSLProtocol issue

[Martin Knoblauch <knobi@xxxxxxxxxxxx>]

Hi,

 OK, forget the question. I found this in the OpenSSL-1.1.1 man pages

The Protocol command is fragile and deprecated; do not use it. Use MinProtocol and MaxProtocol instead. If you do use Protocol, make sure that the resulting range of enabled protocols has no "holes", e.g. if TLS 1.0 and TLS 1.2 are both enabled, make sure to also leave TLS 1.1 enabled.

Apparently this changed from 1.0.2 and I can no longer have TLSv1.0 without also enabling TLSv1.1. Time to beat up the old clients harder.

Sorry for the noise

Martin

On Wed, Oct 21, 2020 at 11:37 PM Martin Knoblauch <knobi@xxxxxxxxxxxx> wrote:

Hi,

 the setup is httpd-2.4.46 with OpenSSL-1.1.1g. The goal is to support the following SSL protocols:

TLS1.3

TLS1.2

TLS1  -- for some legacy reason

So I have specified:

SSLProtocol +TLSv1 +TLSv1.2 +TLSv1.3

Using "sslscan" I get:

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled

If I use

SSLProtocol +TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3

There is the same result. I can get 1.0 only if I explicitly enable 1.1

SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3

resulting in

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   enabled
TLSv1.1   enabled
TLSv1.2   enabled
TLSv1.3   enabled

which is not what I want. So, any ideas? Am I doing something wrong?

Cheers

Martin

--

------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de

--

------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de