Still have messed up TLS

Apache won't start when https/TLS is activated although it runs fine with only http.  I made the
changes previously suggested but now httpd just doesn't start.  The error from systemctl is:
-----
Nov 21 15:17:51 prod02 systemd[1]: Starting The Apache HTTP Server...
Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Failed with result 'exit-code'.
Nov 21 15:17:51 prod02 systemd[1]: Failed to start The Apache HTTP Server.
-----
and a more useful error from the Apache error log is:
-----
[Tue Nov 21 15:17:51.411388 2023] [core:notice] [pid 29577:tid 29577] SELinux policy enabled; httpd
running as context system_u:system_r:httpd_t:s0
[Tue Nov 21 15:17:51.412008 2023] [suexec:notice] [pid 29577:tid 29577] AH01232: suEXEC mechanism
enabled (wrapper: /usr/sbin/suexec)
[Tue Nov 21 15:17:51.415738 2023] [ssl:emerg] [pid 29577:tid 29577] AH01898: Unable to configure
permitted SSL ciphers
[Tue Nov 21 15:17:51.415748 2023] [ssl:emerg] [pid 29577:tid 29577] SSL Library Error:
error:0A0000B9:SSL routines::no cipher match
[Tue Nov 21 15:17:51.415751 2023] [ssl:emerg] [pid 29577:tid 29577] AH02312: Fatal error
initialising mod_ssl, exiting.
AH00016: Configuration Failed
-----
I **think** this may be due to the fact that the default installation of Rocky has a lot of http
config files and they all get concatenated BUT I haven't been able to figure out the SSLCipherSuite
line.  ssl.conf (default install) has this:
    #SSLCipherSuite PROFILE=SYSTEM
    SSLProxyCipherSuite PROFILE=SYSTEM
but I can't find "SYSTEM" in any of Apache, OpenSSL, or Rocky docs and it isn't defined in this
configuration file.
Also included in the concatenation is the custom one for this server:
#   SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !RC4: !PSK: !MD5
   SSLCipherSuite TLSv1.3
The first line is copied from the old (current production) server and immediately leads to a
syntax error and a failure to start, but best practice suggests that the second line is what I want
anyway.  Reading up on this suggests that the '!' ciphers do not appear in TLSv1.3, so they are not
available to delete.

The docs indicate that SSLCipherSuite is a per directory parameter and no conflict should be caused
by it appearing in two different files.

So, I have two immediate questions:
1. I have the default openssl installed which is version openssl-3.0.7-6.el9_2.x86_64.  Is
this adequate to provide all ciphers that are required by the cipher suite TLSv1.3?
2. Is there something that someone knows of by way of documentation that I haven't found yet?

Thanks for any assistance.

John
======
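An added check, not part of John's mail or of mod_ssl, that reproduces the cipher-string resolution mod_ssl performs at startup: Python's ssl.SSLContext.set_ciphers() wraps the same OpenSSL SSL_CTX_set_cipher_list() call that produced the "no cipher match" error above, so each SSLCipherSuite value from the mail can be tried offline. The spec strings are the ones from the mail; the helper names are mine, and PROFILE=SYSTEM only resolves on an OpenSSL built with the distribution's crypto-policies support (RHEL and its rebuilds), so elsewhere it is rejected as an unknown token.

```python
"""Resolve an Apache SSLCipherSuite string the way mod_ssl does at startup.

mod_ssl passes the directive's value to OpenSSL's SSL_CTX_set_cipher_list();
ssl.SSLContext.set_ciphers() wraps that same call, so the "no cipher match"
failure from the error log can be reproduced without starting httpd.
Spec strings are taken from the mail; helper names are constructed here.
"""
import ssl


def resolve_cipher_spec(spec):
    """Return (ok, tls12_names, tls13_names) for an OpenSSL cipher-list string.

    ok is False when OpenSSL rejects the string because no TLS 1.2-or-older
    suite matched it.  TLS 1.3 suites live in a separate OpenSSL list
    (SSL_CTX_set_ciphersuites; httpd's two-argument "SSLCipherSuite TLSv1.3 ..."
    form) that a cipher-list string never touches, so the bare word "TLSv1.3"
    is an unknown token here and selects nothing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return False, [], []
    suites = ctx.get_ciphers()
    tls12 = [c["name"] for c in suites if c["protocol"] != "TLSv1.3"]
    tls13 = [c["name"] for c in suites if c["protocol"] == "TLSv1.3"]
    return True, tls12, tls13


def spec_excludes(spec, *fragments):
    """True if spec resolves and no selected suite name contains any fragment."""
    ok, tls12, tls13 = resolve_cipher_spec(spec)
    return ok and not any(f in n for n in tls12 + tls13 for f in fragments)


if __name__ == "__main__":
    # "PROFILE=SYSTEM" expands to the system crypto policy only on an OpenSSL
    # patched for it (RHEL-family distributions); elsewhere it is rejected.
    for spec in ("TLSv1.3", "HIGH:!ADH:!MD5:!RC4:!PSK", "PROFILE=SYSTEM"):
        ok, tls12, tls13 = resolve_cipher_spec(spec)
        status = "OK" if ok else "REJECTED (no cipher match)"
        print(f"{spec!r}: {status}; {len(tls12)} TLS<=1.2 suites, "
              f"{len(tls13)} TLS 1.3 suites")
```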