Newer Apache does not offer TLS cipher with TLSv1 anymore

Hello,

we host a website whose clients still need to use the cipher ECDHE-RSA-AES256-SHA with protocol "TLSv1.0" aka "TLSv1".

With our old Apache server that worked. Spec:
Ubuntu  14.04 LTS
Apache  2.4.7-1ubuntu4.22
OpenSSL 1.0.1f-1ubuntu2.27

Apache config:
SSLProtocol                 -all +TLSv1.2 +TLSv1
SSLCipherSuite              ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA

sslscan shows the following cipher support of the old Apache server:
Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256

So, ECDHE-RSA-AES256-SHA is offered both via TLSv1.2 and TLSv1.0.

Now we have a newer Apache server setup. Spec:
Ubuntu  18.04.1 LTS
Apache  2.4.29-1ubuntu4.14
OpenSSL 1.1.1-1ubuntu2.1~18.04.9

The complete Apache config. is unchanged, so still:
SSLProtocol                 -all +TLSv1.2 +TLSv1
SSLCipherSuite              ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA

But now sslscan shows for the new Apache server:
Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256

The problem is, ECDHE-RSA-AES256-SHA is now _only_ supported via TLSv1.2, not via TLSv1.0 anymore.

How did this come about?

Is it possible to make the new Apache offer ECDHE-RSA-AES256-SHA via TLSv1.0 again as well?

Thank you very much.
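
Added example, not part of the original message: a small Python check that diffs the two sslscan listings quoted above and reports which protocol/cipher pairs the new server no longer offers. The function and variable names are illustrative; the scan lines are copied from the message.

```python
import re

# sslscan output copied from the message above: old server, then new server.
OLD_SCAN = """\
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
"""
NEW_SCAN = """\
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
"""

# status, protocol, key size, cipher name; trailing key-exchange detail is ignored.
LINE_RE = re.compile(r"^(Preferred|Accepted)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")


def parse_scan(text):
    """Return the set of (protocol, cipher) pairs listed in sslscan output."""
    pairs = set()
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            pairs.add((match.group(2), match.group(4)))
    return pairs


def compare_scans(old_text, new_text):
    """Report what the new server no longer offers compared with the old one."""
    old, new = parse_scan(old_text), parse_scan(new_text)
    lost = sorted(old - new)
    return {
        "lost": lost,
        "gained": sorted(new - old),
        # Protocol versions that no longer appear with any cipher at all.
        "dropped_protocols": sorted({p for p, _ in old} - {p for p, _ in new}),
        # For each lost cipher, the protocols on which the new server still accepts it.
        "still_offered_on": {
            cipher: sorted(p for p, c in new if c == cipher) for _, cipher in lost
        },
    }


if __name__ == "__main__":
    report = compare_scans(OLD_SCAN, NEW_SCAN)
    for proto, cipher in report["lost"]:
        print(f"LOST {proto} {cipher}; still on: {report['still_offered_on'][cipher]}")
    print("Protocols with no ciphers left:", report["dropped_protocols"])
```

On the quoted scans the only lost pair is TLSv1.0 with ECDHE-RSA-AES256-SHA; the cipher is still accepted on TLSv1.2, and TLSv1.0 no longer appears with any cipher.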
