Re: Still have messed up TLS

Thanks for the reply, Aditya.

The version of openssl is:  openssl-3.0.7-6.el9_2.x86_64

the version of mod_ssl is:  mod_ssl-2.4.53-11.el9_2.5.x86_64

The result of openssl ciphers -s -v tlsv1_3 is: 
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any      Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(128)            Mac=AEAD
TLS_AES_128_CCM_SHA256         TLSv1.3 Kx=any      Au=any   Enc=AESCCM(128)            Mac=AEAD

This looks like an awfully short list to me (what about all the RSA's or elliptic curve, for example?),
BUT what I have seen in many places is that TLS v1.3 is the only secure cipher protocol for an
e-commerce server.

According to SSL Labs only the following should be available:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   (0x9f)     DH 2048 bits                         FS   256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256   (0x9e)     DH 2048 bits                         FS   128

(from a scan of our current server with the weak ciphers removed.  These are the remaining strong
ones).  As you can see, no matches but I'm not sure how to remedy that.

John
======
On Tue, 2023-11-21 at 19:01 -0800, Aditya Shastri wrote:
> To answer your question to the best of my knowledge,
> 1. OpenSSL 1.1.1 and above support TLSv1.3. These are the TLSv1.3
> ciphers OpenSSL 3.0 supports:
> https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_ciphersuites.html
> 2. This link says that TLSv1.3 is supported:
> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite:~:text=If%20the%20SSL%20library%20supports%20TLSv1.3
> 
> Can you give us the output of
> $ openssl ciphers -s -v -tls1_3
> 
> One option to test the ciphers on your HTTPD is to change the
> SSLCipherSuite to allow all ciphers and use a tool like
> https://testssl.sh/ to list all the ciphers available to help
> troubleshoot further.
> 
> On Tue, Nov 21, 2023 at 12:37 PM John <john.iliffe@xxxxxxxxx> wrote:
> > 
> > Apache won't start when https/TLS is activated although it runs fine with only http.  I made the
> > changes previously suggested but now httpd just doesn't start.  The error from systemctl is:
> > -----
> > Nov 21 15:17:51 prod02 systemd[1]: Starting The Apache HTTP Server...
> > Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
> > Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Failed with result 'exit-code'.
> > Nov 21 15:17:51 prod02 systemd[1]: Failed to start The Apache HTTP Server.
> > -----
> > and a more useful error from the Apache error log is:
> > -----
> > [Tue Nov 21 15:17:51.411388 2023] [core:notice] [pid 29577:tid 29577] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
> > [Tue Nov 21 15:17:51.412008 2023] [suexec:notice] [pid 29577:tid 29577] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> > [Tue Nov 21 15:17:51.415738 2023] [ssl:emerg] [pid 29577:tid 29577] AH01898: Unable to configure permitted SSL ciphers
> > [Tue Nov 21 15:17:51.415748 2023] [ssl:emerg] [pid 29577:tid 29577] SSL Library Error: error:0A0000B9:SSL routines::no cipher match
> > [Tue Nov 21 15:17:51.415751 2023] [ssl:emerg] [pid 29577:tid 29577] AH02312: Fatal error initialising mod_ssl, exiting.
> > AH00016: Configuration Failed
> > ----
> > I **think** this may be due to the fact that the default installation of Rocky has a lot of http
> > config files and they all get concatenated BUT I haven't been able to figure out the SSLCipherSuite
> > line.  ssl.conf (default install) has this:
> >     #SSLCipherSuite PROFILE=SYSTEM
> >     SSLProxyCipherSuite PROFILE=SYSTEM
> > but I can't find "SYSTEM" in any of Apache, OpenSSL, or Rocky docs and it isn't defined in this
> > configuration file.
> > Also included in the concatenation is the custom one for this server:
> > #   SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !RC4: !PSK: !MD5
> >    SSLCipherSuite TLSv1.3
> > The first line is copied from the old (current production) server and leads to a failure-to-start
> > error in the syntax immediately, but best practice suggests that the second line is what I want
> > anyway.  Reading up on this suggests that the '!' ciphers do not appear in TLSv1.3 so are not
> > available to delete.
> > 
> > The docs indicate that SSLCipherSuite is a per-directory parameter and no conflict should be
> > caused by it appearing in two different files.
> > 
> > So, I have two immediate questions:
> > 1.      I have the default openssl installed which is version openssl-3.0.7-6.el9_2.x86_64.  Is
> > this adequate to provide all ciphers that are required by the cipher suite TLSv1.3?
> > 2.      Is there something that someone knows of by way of documentation that I haven't found yet?
> > 
> > Thanks for any assistance.
> > 
> > John
> > ======
> > 
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> > 
> 
> 


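An added worked check, not code from this thread or from the httpd or OpenSSL projects: it feeds SSLCipherSuite specs to the same OpenSSL call mod_ssl makes (SSL_CTX_set_cipher_list, reached through Python's ssl.SSLContext.set_ciphers), so the AH01898 / "no cipher match" failure quoted above can be reproduced and the two-list form of the directive tried without restarting httpd. mod_ssl's syntax is `SSLCipherSuite [SSL|TLSv1.3] cipher-spec`: a lone `TLSv1.3` argument is taken as the cipher-spec for TLSv1.2 and below, where OpenSSL knows no such keyword, so the resulting list is empty and the library refuses it. The TLSv1.3 list is short by design (AEAD suites only; key exchange and authentication are negotiated separately, hence the Kx=any / Au=any columns), and it lives beside the TLSv1.2 list rather than replacing it, which is why the SSL Labs suites do not appear in it. The config fragments, the function names and the small IANA-to-OpenSSL name table below are constructed for this example; on Rocky, `PROFILE=SYSTEM` is resolved by the distribution's patched OpenSSL to the system crypto policy (update-crypto-policies), not by Apache, so it is left out here.

```python
"""Check Apache mod_ssl SSLCipherSuite lines against the local OpenSSL.

Added example, not code from the thread. Python's ssl.SSLContext.set_ciphers()
calls SSL_CTX_set_cipher_list(), the call that produced "no cipher match" in
the httpd error log, so the same acceptance test can be run offline.
"""
import re
import ssl

# Constructed: the failing directive from the thread. With a single argument
# mod_ssl treats it as the cipher-spec for TLSv1.2 and below, where OpenSSL
# has no "TLSv1.3" keyword, so every token is ignored and the list is empty.
BROKEN_CONF = """
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite TLSv1.3
"""

# Constructed: the two-list form. The first argument selects the list the
# spec applies to: "TLSv1.3" (IANA suite names) or "SSL" (the default, the
# TLSv1.2-and-below spec in OpenSSL's own names).
FIXED_CONF = """
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
SSLCipherSuite SSL ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256
SSLHonorCipherOrder on
"""

# IANA names (as SSL Labs reports them) to OpenSSL names for the four TLSv1.2
# suites in the thread; `openssl ciphers -stdname` prints the same pairing.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
}

# SSLCipherSuite [SSL|TLSv1.3] cipher-spec ; the protocol word is optional.
DIRECTIVE = re.compile(r"^\s*SSLCipherSuite\s+(?:(SSL|TLSv1\.3)\s+)?(\S+)\s*$", re.M)


def library_version():
    """OpenSSL the interpreter is linked against (what set_ciphers() talks to)."""
    return ssl.OPENSSL_VERSION


def parse_cipher_suites(conf):
    """Return {"SSL": spec, "TLSv1.3": spec} from the SSLCipherSuite lines in conf."""
    specs = {}
    for proto, spec in DIRECTIVE.findall(conf):
        specs[proto or "SSL"] = spec  # no protocol word means the SSL list
    return specs


def check_config(conf):
    """Apply the config to a fresh server context the way mod_ssl would.

    Returns (ok, detail). ok is False when OpenSSL rejects the TLSv1.2-and-below
    spec (the AH01898 / "no cipher match" case) or when a named TLSv1.3 suite
    is not one the library offers. On success detail lists what is offered.
    """
    specs = parse_cipher_suites(conf)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(specs.get("SSL", "DEFAULT"))
    except ssl.SSLError as exc:
        return False, f"SSL spec {specs.get('SSL')!r} rejected: {exc}"
    offered = {c["name"]: c["protocol"] for c in ctx.get_ciphers()}
    tls13 = [n for n, p in offered.items() if p == "TLSv1.3"]
    tls12 = [n for n, p in offered.items() if p == "TLSv1.2"]
    wanted13 = [s for s in specs.get("TLSv1.3", "").split(":") if s]
    missing = [s for s in wanted13 if s not in tls13]
    if missing:
        return False, f"TLSv1.3 suites not offered by {library_version()}: {missing}"
    return True, {"TLSv1.3": tls13, "TLSv1.2": tls12}


def ssllabs_overlap(iana_names, conf):
    """Which of the scanner's TLSv1.2 suites (IANA names) a config still offers."""
    ok, detail = check_config(conf)
    if not ok:
        return []
    return [n for n in iana_names if IANA_TO_OPENSSL.get(n) in detail["TLSv1.2"]]


if __name__ == "__main__":
    print(library_version())
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_config(conf))
    print("SSL Labs suites kept:", ssllabs_overlap(list(IANA_TO_OPENSSL), FIXED_CONF))
```

Run it on the web server itself so the interpreter's OpenSSL is the one httpd links against; the same check can be made from the shell with `openssl ciphers -v 'TLSv1.3'` (fails with "no cipher match") versus `openssl ciphers -v 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384'`. Python has no binding for SSL_CTX_set_ciphersuites, so the TLSv1.3 half of the directive is validated here against the suites the library reports rather than by setting them.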