Thanks for the reply Aditya.

The version of openssl is: openssl-3.0.7-6.el9_2.x86_64
The version of mod_ssl is: mod_ssl-2.4.53-11.el9_2.5.x86_64

The result of openssl ciphers -s -v tlsv1_3 is:

TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD

This looks like an awfully short list to me (what about all the RSA's or elliptic curve, for example) BUT what I have seen in many places is that TLS v1.3 is the only secure cipher protocol for an e-commerce server.

According to SSL Labs only the following should be available:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 2048 bits FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 2048 bits FS 128

(from a scan of our current server with the weak ciphers removed. These are the remaining strong ones).

As you can see, no matches, but I'm not sure how to remedy that.

John
======

On Tue, 2023-11-21 at 19:01 -0800, Aditya Shastri wrote:
> To answer your question to the best of my knowledge,
> 1. Openssl 1.1.1 and above support TLSv1.3. These are the TLSv1.3
> ciphers Openssl 3.0 support
> https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_ciphersuites.html
> 2. This link says that TLSv1.3 is supported.
> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite:~:text=If%20the%20SSL%20library%20supports%20TLSv1.3
>
> Can you give us the output of
> $ openssl ciphers -s -v -tls1_3
>
> One option to test the ciphers on your HTTPD is to change the
> SSLCipherSuite to allow all ciphers and use a tool like
> https://testssl.sh/ to list all the ciphers available to help
> troubleshoot further.
>
> On Tue, Nov 21, 2023 at 12:37 PM John <john.iliffe@xxxxxxxxx> wrote:
> >
> > Apache won't start when https/TLS is activated although it runs fine with only http. I made the
> > changes previously suggested but now httpd just doesn't start. The error from systemctl is:
> > -----
> > Nov 21 15:17:51 prod02 systemd[1]: Starting The Apache HTTP Server...
> > Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
> > Nov 21 15:17:51 prod02 systemd[1]: httpd.service: Failed with result 'exit-code'.
> > Nov 21 15:17:51 prod02 systemd[1]: Failed to start The Apache HTTP Server.
> > -----
> > and a more useful error from the Apache error log is:
> > -----
> > [Tue Nov 21 15:17:51.411388 2023] [core:notice] [pid 29577:tid 29577] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
> > [Tue Nov 21 15:17:51.412008 2023] [suexec:notice] [pid 29577:tid 29577] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> > [Tue Nov 21 15:17:51.415738 2023] [ssl:emerg] [pid 29577:tid 29577] AH01898: Unable to configure permitted SSL ciphers
> > [Tue Nov 21 15:17:51.415748 2023] [ssl:emerg] [pid 29577:tid 29577] SSL Library Error: error:0A0000B9:SSL routines::no cipher match
> > [Tue Nov 21 15:17:51.415751 2023] [ssl:emerg] [pid 29577:tid 29577] AH02312: Fatal error initialising mod_ssl, exiting.
> > AH00016: Configuration Failed
> > ----
> > I **think** this may be due to the fact that the default installation of Rocky has a lot of http
> > config files and they all get concatenated BUT I haven't been able to figure out the SSLCipherSuite
> > line. ssl.conf (default install) has this:
> > #SSLCipherSuite PROFILE=SYSTEM
> > SSLProxyCipherSuite PROFILE=SYSTEM
> > but I can't find "SYSTEM" in any of Apache, OpenSSL, or Rocky docs and it isn't defined in this
> > configuration file.
> > Also included in the concatenation is the custom one for this server:
> > # SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !RC4: !PSK: !MD5
> > SSLCipherSuite TLSv1.3
> > The first line is copied from the old (current production) server and leads to a failure to start
> > error in the syntax immediately but best practice suggests that the second line is what I want
> > anyway. Reading up on this suggests that the '!' ciphers do not appear in TLSv1.3 so not available
> > to delete.
> >
> > The docs indicate that SSLCipherSuite is a per directory parameter and no conflict should be caused
> > by it appearing in two different files.
> >
> > So, I have two immediate questions:
> > 1. I have the default openssl installed which is version openssl-3.0.7-6.el9_2.x86_64. Is
> > this adequate to provide all ciphers that are required by the cipher suite TLSv1.3?
> > 2. Is there something that someone knows of by way of documentation that I haven't found
> > yet?
> >
> > Thanks for any assistance.
> >
> > John
> > ======
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> >
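An added example, not code from this thread, from httpd or from OpenSSL, that checks the two things the thread turns on. First, per the mod_ssl documentation Aditya linked, SSLCipherSuite takes an optional protocol argument, TLSv1.3 or SSL; with a single argument the string is handed to OpenSSL's cipher-list parser, which applies only to TLS 1.2 and below and has no TLSv1.3 keyword, so "SSLCipherSuite TLSv1.3" on its own selects nothing and OpenSSL reports "no cipher match", and the spaces after "!" in the commented-out line split the directive into more than two arguments, which httpd rejects as a syntax error. Second, SSL Labs reports IANA names (TLS_ECDHE_RSA_WITH_...), while OpenSSL cipher lists use OpenSSL's own names (ECDHE-RSA-...); "openssl ciphers -stdname -v" prints both side by side. The script parses that output, lints SSLCipherSuite lines against it, and builds the two-directive form. The sample output is constructed: the four TLS 1.3 lines are the ones John quoted, the four TLS 1.2 lines were written to match the names in his SSL Labs scan, and all function names are mine.

```python
"""Lint Apache mod_ssl SSLCipherSuite lines against what the local OpenSSL offers.
Added example (not from the thread, httpd or OpenSSL); sample output is constructed."""

# Constructed sample of `openssl ciphers -s -v -stdname 'ALL'` output. With -stdname, OpenSSL
# prints the IANA name, " - ", then the usual `ciphers -v` description line.
OPENSSL_CIPHERS_OUTPUT = """\
TLS_AES_256_GCM_SHA384 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 - TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 - TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
TLS_AES_128_CCM_SHA256 - TLS_AES_128_CCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESCCM(128) Mac=AEAD
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

# The TLS 1.2 suites the SSL Labs scan in the thread reported, in IANA naming.
SSLLABS_WANTED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]


def parse_openssl_ciphers(text):
    """Parse `openssl ciphers -v` output, with or without -stdname, into a list of dicts."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if len(parts) > 3 and parts[1] == "-":          # -stdname form: IANA - name proto ...
            iana, name, proto, rest = parts[0], parts[2], parts[3], parts[4:]
        else:                                            # plain form: name proto ...
            iana, name, proto, rest = None, parts[0], parts[1], parts[2:]
        fields = dict(kv.partition("=")[::2] for kv in rest)   # Kx=, Au=, Enc=, Mac=
        suites.append({"iana": iana, "name": name, "protocol": proto, **fields})
    return suites


def parse_sslciphersuite(line):
    """Split `SSLCipherSuite [protocol] cipher-spec` into (protocol, spec).
    mod_ssl 2.4.37+ accepts protocol 'TLSv1.3' (spec is a TLS 1.3 ciphersuite list) or
    'SSL' (spec is an OpenSSL cipher list, TLS 1.2 and below); one argument means 'SSL'."""
    tokens = line.split()
    if not tokens or tokens[0].lower() != "sslciphersuite":
        raise ValueError("not an SSLCipherSuite directive")
    args = tokens[1:]
    if len(args) == 1:
        return "SSL", args[0]
    if len(args) == 2:
        if args[0] not in ("SSL", "TLSv1.3"):
            raise ValueError(f"invalid protocol string {args[0]!r}; expected SSL or TLSv1.3")
        return args[0], args[1]
    raise ValueError("SSLCipherSuite takes one or two arguments; whitespace inside the "
                     "cipher string (e.g. after '!') splits it into more")


def lint_sslciphersuite(line, suites):
    """Return a list of problems with one directive, given the parsed local OpenSSL suites."""
    try:
        protocol, spec = parse_sslciphersuite(line)
    except ValueError as exc:
        return [str(exc)]
    tls13 = {s["name"] for s in suites if s["protocol"] == "TLSv1.3"}
    if protocol == "TLSv1.3":
        return [f"{n} is not a TLS 1.3 suite this OpenSSL offers"
                for n in spec.split(":") if n not in tls13]
    problems = []
    # Legacy form: OpenSSL cipher-list syntax. Its protocol keywords (SSLv3, TLSv1, TLSv1.2)
    # select TLS 1.2-and-below ciphers only; 'TLSv1.3' is not a keyword at all.
    for tok in spec.split(":"):
        bare = tok.lstrip("!+-")
        if bare == "TLSv1.3":
            problems.append("'TLSv1.3' is not an OpenSSL cipher-list keyword; a one-argument "
                            "SSLCipherSuite selects no TLS 1.2 cipher (no cipher match). "
                            "Use 'SSLCipherSuite TLSv1.3 <suite>:<suite>' instead")
        elif bare in tls13:
            problems.append(f"{bare} is a TLS 1.3 suite and is ignored in a TLS 1.2 cipher list")
        elif bare.startswith("TLS_"):
            problems.append(f"{bare} is an IANA name; OpenSSL cipher lists use names such as "
                            "ECDHE-RSA-AES256-GCM-SHA384 (see `openssl ciphers -stdname -v`)")
    return problems


def build_directives(wanted_iana, suites):
    """Build the two-directive form: every TLS 1.3 suite this OpenSSL offers, and the wanted
    TLS 1.2 suites translated from IANA names via the -stdname column."""
    by_iana = {s["iana"]: s["name"] for s in suites if s["iana"]}
    tls13 = [s["name"] for s in suites if s["protocol"] == "TLSv1.3"]
    missing = [n for n in wanted_iana if n not in by_iana]
    if missing:
        raise KeyError(f"not offered by this OpenSSL: {missing}")
    tls12 = [by_iana[n] for n in wanted_iana]
    return (f"SSLCipherSuite TLSv1.3 {':'.join(tls13)}",
            f"SSLCipherSuite SSL {':'.join(tls12)}")


if __name__ == "__main__":
    suites = parse_openssl_ciphers(OPENSSL_CIPHERS_OUTPUT)
    for line in ("SSLCipherSuite TLSv1.3",
                 "SSLCipherSuite HIGH: !ADH: !SSLv2: !SSLv3: !TLSv1: !RC4: !PSK: !MD5",
                 *build_directives(SSLLABS_WANTED, suites)):
        print(line, "->", lint_sslciphersuite(line, suites) or "ok")
```

Against the constructed sample, the two directives from the thread produce the "no cipher match" and "one or two arguments" findings respectively, and build_directives emits one TLSv1.3 line and one SSL line that both lint clean. On a real host, feed it the actual output of `openssl ciphers -s -v -stdname 'ALL'` so the suite names reflect the installed OpenSSL rather than the sample.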