Re: Still have messed up TLS

To answer your question to the best of my knowledge,
1. OpenSSL 1.1.1 and above support TLSv1.3. These are the TLSv1.3
ciphers OpenSSL 3.0 supports:
https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_ciphersuites.html
2. This link says that TLSv1.3 is supported.
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite:~:text=If%20the%20SSL%20library%20supports%20TLSv1.3

Can you give us the output of
$ openssl ciphers -s -v -tls1_3

One option to test the ciphers on your HTTPD is to change the
SSLCipherSuite to allow all ciphers and use a tool like
https://testssl.sh/ to list all the ciphers available to help
troubleshoot further.

On Tue, Nov 21, 2023 at 12:37 PM John <john.iliffe@xxxxxxxxx> wrote:
>
> Apache won't start when https/TLS is activated although it runs fine with only http.  I made the
> changes previously suggested but now httpd just doesn't start.  The error from systemctl is:
> -----
> Nov 21 15:17:51 prod02 systemd[1]: Starting The Apache HTTP Server...
> Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
> Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Failed with result 'exit-code'.
> Nov 21 15:17:51 prod02 systemd[1]: Failed to start The Apache HTTP Server.
> -----
> and a more useful error from the Apache error log is:
> -----
> [Tue Nov 21 15:17:51.411388 2023] [core:notice] [pid 29577:tid 29577] SELinux policy enabled; httpd
> running as context system_u:system_r:httpd_t:s0
> [Tue Nov 21 15:17:51.412008 2023] [suexec:notice] [pid 29577:tid 29577] AH01232: suEXEC mechanism
> enabled (wrapper: /usr/sbin/suexec)
> [Tue Nov 21 15:17:51.415738 2023] [ssl:emerg] [pid 29577:tid 29577] AH01898: Unable to configure
> permitted SSL ciphers
> [Tue Nov 21 15:17:51.415748 2023] [ssl:emerg] [pid 29577:tid 29577] SSL Library Error:
> error:0A0000B9:SSL routines::no cipher match
> [Tue Nov 21 15:17:51.415751 2023] [ssl:emerg] [pid 29577:tid 29577] AH02312: Fatal error
> initialising mod_ssl, exiting.
> AH00016: Configuration Failed
> ----
> I **think** this may be due to the fact that the default installation of Rocky has a lot of http
> config files and they all get concatenated BUT I haven't been able to figure out the SSLCipherSuite
> line.  ssl.conf (default install) has this:
>     #SSLCipherSuite PROFILE=SYSTEM
>     SSLProxyCipherSuite PROFILE=SYSTEM
> but I can't find "SYSTEM" in any of Apache, OpenSSL, or Rocky docs and it isn't defined in this
> configuration file.
> Also included in the concatenation is the custom one for this server:
> #   SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !RC4: !PSK: !MD5
>    SSLCipherSuite TLSv1.3
> The first line is copied from the old (current production) server and leads to a failure to start
> error in the syntax immediately but best practice suggests that the second line is what I want
> anyway.  Reading up on this suggests that the '!' ciphers do not appear in TLSv1.3 so not available
> to delete.
>
> The docs indicate that SSLCipherSuite is a per directory parameter and no conflict should be caused
> by it appearing in two different files.
>
> So, I have two immediate questions:
> 1.      I have the default openssl installed which is version openssl-3.0.7-6.el9_2.x86_64.  Is
> this adequate to provide all ciphers that are required by the cipher suite TLSv1.3?
> 2.      Is there something that someone knows of by way of documentation that I haven't found yet?
>
> Thanks for any assistance.
>
> John
> ======

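The cipher strings from the quoted ssl config can be checked offline before restarting httpd. The following is an added example, not code from either message in this thread: it feeds candidate SSLCipherSuite strings to Python's ssl module, which calls the same OpenSSL SSL_CTX_set_cipher_list that mod_ssl uses for its pre-TLSv1.3 cipher list, and reports what each string selects. The two strings are the ones from the quoted config written without spaces; TLSv1.3 suites are reported separately because OpenSSL configures them through SSL_CTX_set_ciphersuites rather than the cipher-list string.

```python
import ssl


def check_cipher_spec(spec):
    """Hand an OpenSSL cipher-list string to SSL_CTX_set_cipher_list (via
    ssl.SSLContext.set_ciphers) and report the outcome.

    Returns a dict:
      ok    - False when OpenSSL rejects the list; Python reports this as
              "No cipher can be selected", the condition mod_ssl logs as
              "no cipher match"
      tls12 - names of the TLSv1.2-and-below suites the string selected
      tls13 - TLSv1.3 suites; the cipher-list string never changes these
      error - the OpenSSL error text when ok is False
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError as exc:
        return {"ok": False, "tls12": [], "tls13": [], "error": str(exc)}
    ciphers = ctx.get_ciphers()
    return {
        "ok": True,
        "tls12": [c["name"] for c in ciphers if c["protocol"] != "TLSv1.3"],
        "tls13": [c["name"] for c in ciphers if c["protocol"] == "TLSv1.3"],
        "error": None,
    }


# Candidate strings copied from the quoted ssl config (colon-separated,
# spaces removed) so the two can be compared side by side.
LEGACY_SPEC = "HIGH:!ADH:!SSLv2:!SSLv3:!TLSv1:!RC4:!PSK:!MD5"
BARE_TLS13_SPEC = "TLSv1.3"

if __name__ == "__main__":
    for spec in (LEGACY_SPEC, BARE_TLS13_SPEC):
        r = check_cipher_spec(spec)
        print(f"{spec!r}: ok={r['ok']} tls12={len(r['tls12'])} tls13={len(r['tls13'])}")
        if not r["ok"]:
            print("  OpenSSL error:", r["error"])
```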
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx