Hello, we host a website which clients still need to use the cipher ECDHE-RSA-AES256-SHA with protocol "TLSv1.0" aka "TLSv1". With our old Apache server that worked. Spec: Ubuntu 14.04 LTS Apache 2.4.7-1ubuntu4.22 OpenSSL 1.0.1f-1ubuntu2.27 Apache config: SSLProtocol -all +TLSv1.2 +TLSv1 SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA sslscan shows the following cipher support of the old Apache server: Supported Server Cipher(s): Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 So, ECDHE-RSA-AES256-SHA is offered both via TLSv1.2 and TLSv1.0. Now we have a newer Apache server setup. Spec: Ubuntu 18.04.1 LTS Apache 2.4.29-1ubuntu4.14 OpenSSL 1.1.1-1ubuntu2.1~18.04.9 The complete Apache config. is unchanged, so still: SSLProtocol -all +TLSv1.2 +TLSv1 SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA But now sslscan shows for the new Apache server: Supported Server Cipher(s): Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256 The problem is, ECDHE-RSA-AES256-SHA is now _only_ supported via TLSv1.2, not via TLSv1.0 anymore. How does this come? Is it possible to make the new Apache to offer ECDHE-RSA-AES256-SHA also via TLSv1.0 again? Thank you very much. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|