Re: mod_ssl: http to https ErrorDocument redirect stops working when only TLSv1.2 specified

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Check your Openssl ciphers to see if it supports TLS 1.2
Try:

SSLProtocol -ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite  HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!AES256-SHA:!AES128-SHA256:!AES256-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES128-SHA:!AES128-GCM-SHA256:!AES128-GCM-SHA384:!PSK:!SRP:!KRB5:@STRENGTH

# openssl ciphers -tls1

On Wed, Jun 23, 2021 at 4:53 PM Pavel Heimlich, a.k.a. hajma <tropikhajma@xxxxxxxxx> wrote:
Hi,
I use
ErrorDocument 400 "https://myserver:215"
to achieve redirection to secure connection for anyone who would access my server with just 'http://myserver:215'.

This works as long as there's
SSLProtocol TLSv1.1 +TLSv1.2
specified in the configuration. However when I change that to just
SSLProtocol TLSv1.2
it stops working and the client gets "The connection was reset
The connection to the server was reset while the page was loading."
in their browser.

I guess this is because Apache calls different OpenSSL functions based on the config setting at
https://github.com/apache/httpd/blob/2f0f0d4e31bcf8b151ebc833ddd56c09dbff6462/modules/ssl/ssl_engine_init.c#L643
or
https://github.com/apache/httpd/blob/2f0f0d4e31bcf8b151ebc833ddd56c09dbff6462/modules/ssl/ssl_engine_init.c#L649

and I am not sure if this is something that could be dealt with within Apache.
Would you consider this worth logging a bug?
Or would there be another way to achieve this?

Thanks!
P.

P.S.:
This is on Solaris 11.4, x86, Apache 2.4.47, OpenSSL 1.0
My simplified config below:

ServerRoot "/usr/apache2/2.4"

Listen 215

<IfDefine prefork>
LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so
</IfDefine>
<IfDefine worker>
LoadModule mpm_worker_module libexec/mod_mpm_worker.so
</IfDefine>
<IfDefine !prefork>
<IfDefine !worker>
LoadModule mpm_event_module libexec/mod_mpm_event.so
</IfDefine>
</IfDefine>

LoadModule ssl_module libexec/mod_ssl-fips-140.so
LoadModule authz_core_module libexec/mod_authz_core.so
LoadModule unixd_module libexec/mod_unixd.so

<IfModule unixd_module>
User webservd
Group webservd

</IfModule>


ServerName 127.0.0.1

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/var/apache2/2.4/htdocs"
<Directory "/var/apache2/2.4/htdocs">
    Options Indexes FollowSymLinks

    AllowOverride None

    Require all granted
</Directory>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "/var/apache2/2.4/logs/error_log"

LogLevel warn

<Directory "/var/apache2/2.4/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

SSLEngine               on
SSLProtocol TLSv1.1 +TLSv1.2
SSLCertificateFile /etc/certs/localhost/host.crt
SSLCertificateKeyFile /etc/certs/localhost/host.key
SSLCACertificateFile /etc/certs/localhost/host-ca/hostca.crt
SSLCertificateChainFile /etc/certs/localhost/host-ca/hostca.crt
ErrorDocument 400 "https://myserver:215"
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux