Posted to users@httpd.apache.org by Phil Smith <ph...@gmail.com> on 2016/07/13 20:46:43 UTC

[users@httpd] SSLProtocol and TLSv1

I'm running Apache distributed via CentOS6:
Server: Apache/2.2.15 (CentOS)

I'm attempting to disable TLSv1.0 in ssl.conf using either of:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1
or
SSLProtocol +TLSv1.1 +TLSv1.2

Either setting seems to work in disabling TLSv1 if the apache server is
requested via private IP address.

However, neither seem to work in disabling TLSv1 if the apache server is
requested via public IP address.

I'm using openssl to test support for tlsv1 using:
/usr/bin/openssl s_client -connect x.x.x.x:443 -tls1

When x.x.x.x is replaced with private IP address, TLSv1 is not supported.
When x.x.x.x is replaced with public IP address, TLSv1 is supported.

NAT'ing is set up properly from the private to public IP addresses that I
am using to test.

openssl version is:
$ openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013

The server is configured for IP based virtual hosts.

Does anyone have any idea why this would be happening?

Thank you.

Re: [users@httpd] SSLProtocol and TLSv1

Posted by Phil Smith <ph...@gmail.com>.
Yes, thank you. There is a web app firewall in front of the apache server
on the public side, so the allowed protocol versions need to be applied to
the web app firewall, as well.

That explains why setting SSLProtocol affected the server when connecting
directly to it via private IP address. The public IP address first goes
through the web app firewall.


On Thu, Jul 14, 2016 at 3:13 AM, Theo Sweeny <th...@madgex.com> wrote:

> Hello Phil – that sounds as if when the traffic comes through the public
> gateway, SSL is offloading to an interim gateway device rather than at the
> Apache server.
>
> Are there any interim gateway devices?
>
> If so – do they manage SSL offloading?
>
> Theo

RE: [users@httpd] SSLProtocol and TLSv1

Posted by Theo Sweeny <th...@madgex.com>.
Hello Phil – that sounds as if when the traffic comes through the public gateway, SSL is offloading to an interim gateway device rather than at the Apache server.

Are there any interim gateway devices?

If so – do they manage SSL offloading?

Theo


Re: [users@httpd] SSLProtocol and TLSv1

Posted by Rajesh Tammineni <rc...@gmail.com>.
Check if there is any load balancer to your public ip. If it is then you need to check the SSL settings on load balancer side.

Thanks
Raj

> On 14 Jul 2016, at 4:53 AM, Phil Smith <ph...@gmail.com> wrote:
> 
> No. SSLProtocol is configured properly for each VirtualHost section including the default.

Re: [users@httpd] SSLProtocol and TLSv1

Posted by Frank Gingras <th...@apache.org>.
That won't work. You must define it in the global scope.

If you have several ssl vhosts and only set SSLProtocol in the vhost
context, the value from the first vhost would take precedence.

On Wed, Jul 13, 2016 at 4:53 PM, Phil Smith <ph...@gmail.com> wrote:

> No. SSLProtocol is configured properly for each VirtualHost section
> including the default.

Re: [users@httpd] SSLProtocol and TLSv1

Posted by Phil Smith <ph...@gmail.com>.
No. SSLProtocol is configured properly for each VirtualHost section
including the default.

On Wed, Jul 13, 2016 at 4:48 PM, Eric Covener <co...@gmail.com> wrote:

> On Wed, Jul 13, 2016 at 4:46 PM, Phil Smith <ph...@gmail.com> wrote:
> > Either setting seems to work in disabling TLSv1 if the apache server is
> > requested via private IP address.
> >
> > However, neither seem to work in disabling TLSv1 if the apache server is
> > requested via public IP address.
>
>
> Maybe you have SSL enabled in two scopes  (global, virtualhost) but
> only SSLProtocol in one of them?

RE: [users@httpd] SSLProtocol and TLSv1

Posted by "Houser, Rick" <ri...@jackson.com>.
I noticed you are running an older version of Apache via RHEL, and guessed that you are likely in a corporate environment.  You might also have a MITM attack going on.  Lots of corporations mess with traffic via MITM proxies that intercept traffic, redirects, etc.  If you don't find the solution quickly, I suggest checking the TLS endpoint to make sure you are actually talking to your server directly (check that the certs match, etc., not just the name on them).


Rick Houser
Web Administration


> -----Original Message-----
> From: Eric Covener [mailto:covener@gmail.com]
> Sent: Wednesday, July 13, 2016 16:49
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] SSLProtocol and TLSv1
> 
> On Wed, Jul 13, 2016 at 4:46 PM, Phil Smith <ph...@gmail.com> wrote:
> > Either setting seems to work in disabling TLSv1 if the apache server is
> > requested via private IP address.
> >
> > However, neither seem to work in disabling TLSv1 if the apache server is
> > requested via public IP address.
> 
> 
> Maybe you have SSL enabled in two scopes  (global, virtualhost) but
> only SSLProtocol in one of them?


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
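The diagnosis Theo, Raj and Rick converge on (a device in front of httpd terminating TLS) can be confirmed with the poster's own openssl probe. This added example, which is not code from the thread, runs that probe against the private and the public address and compares both the TLSv1 verdict and the fingerprint of the certificate each path presents; the host addresses, the `fake_output` helper and all sample output are constructed.

```python
import hashlib
import re
import ssl
import subprocess
from typing import Dict

def probe(host: str, flag: str, port: int = 443) -> str:
    """Run the poster's check, `openssl s_client -connect host:port <flag>`,
    and return its combined output. Note: a modern client build may refuse
    -tls1 itself, which looks like a server refusal; confirm with -tls1_2."""
    proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}", flag],
                          input=b"Q\n", capture_output=True, timeout=15)
    return proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")

def fake_output(protocol: str, cipher: str, pem_body: str = "") -> str:
    """Constructed s_client-style output for offline use; not a real capture."""
    cert = (f"-----BEGIN CERTIFICATE-----\n{pem_body}\n-----END CERTIFICATE-----\n"
            if pem_body else "no peer certificate available\n")
    return (f"CONNECTED(00000003)\n---\n{cert}---\nSSL-Session:\n"
            f"    Protocol  : {protocol}\n    Cipher    : {cipher}\n")

def summarize(output: str) -> Dict[str, object]:
    """Negotiated protocol (None if the handshake failed: s_client reports
    'Cipher : 0000' / 'Cipher is (NONE)') and the SHA-256 fingerprint of the
    leaf certificate, the value `openssl x509 -noout -fingerprint -sha256` prints."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    ok = bool(proto and cipher) and cipher.group(1) != "0000" and "Cipher is (NONE)" not in output
    pem = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", output, re.S)
    fp = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem.group(0))).hexdigest() if pem else None
    return {"protocol": proto.group(1) if ok else None, "fingerprint": fp}

def diagnose(priv_pol: Dict, pub_pol: Dict, priv_cert: Dict, pub_cert: Dict) -> str:
    """priv_pol/pub_pol: summaries of the -tls1 probe on each address;
    priv_cert/pub_cert: summaries of a probe both paths accept (e.g. -tls1_2),
    so each returns the certificate that path actually presents."""
    if pub_pol["protocol"] is None:
        return "policy effective: public path refuses TLSv1"
    if priv_cert["fingerprint"] and pub_cert["fingerprint"] and priv_cert["fingerprint"] != pub_cert["fingerprint"]:
        return "intermediary: public path presents a different certificate; enforce the protocol policy on the WAF/load balancer too"
    return "same certificate, TLSv1 still accepted publicly: check SSLProtocol scope for the vhost bound to the public address"

if __name__ == "__main__":
    # placeholder addresses, not the poster's real ones
    priv, pub = "192.0.2.10", "203.0.113.10"
    print(diagnose(summarize(probe(priv, "-tls1")), summarize(probe(pub, "-tls1")),
                   summarize(probe(priv, "-tls1_2")), summarize(probe(pub, "-tls1_2"))))
```

Comparing fingerprints rather than subject names is what catches a proxy that re-issues a certificate under the same name, which is the check Rick recommends.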

Re: [users@httpd] SSLProtocol and TLSv1

Posted by Eric Covener <co...@gmail.com>.
On Wed, Jul 13, 2016 at 4:46 PM, Phil Smith <ph...@gmail.com> wrote:
> Either setting seems to work in disabling TLSv1 if the apache server is
> requested via private IP address.
>
> However, neither seem to work in disabling TLSv1 if the apache server is
> requested via public IP address.


Maybe you have SSL enabled in two scopes  (global, virtualhost) but
only SSLProtocol in one of them?


-- 
Eric Covener
covener@gmail.com

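Eric's suggestion (SSLEngine enabled in more scopes than SSLProtocol is restricted in) and Frank's advice to set SSLProtocol globally can be checked mechanically. This is an added example, not code from the thread or from the httpd project: a small audit that reports every scope of an httpd config where SSLEngine is on but no SSLProtocol applies, either in that scope or globally. The config fragment is constructed.

```python
import re
from typing import Dict, List

# constructed ssl.conf fragment, not the poster's real file
SAMPLE_CONF = """\
Listen 443
SSLEngine on
<VirtualHost 192.0.2.10:443>
    ServerName a.example
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName b.example
    SSLEngine on
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)

def ssl_scopes(conf: str) -> Dict[str, Dict[str, str]]:
    """Map each scope ('global' or the VirtualHost address) to the SSLEngine
    and SSLProtocol values it sets; the last directive in a scope wins."""
    scopes: Dict[str, Dict[str, str]] = {"global": {}}
    current = "global"
    for line in conf.splitlines():
        stripped = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not stripped:
            continue
        m = VHOST_OPEN.match(stripped)
        if m:
            current = m.group(1).strip()
            scopes.setdefault(current, {})
            continue
        if VHOST_CLOSE.match(stripped):
            current = "global"
            continue
        parts = stripped.split(None, 1)
        key = parts[0].lower()
        if key in ("sslengine", "sslprotocol"):
            scopes[current][key] = parts[1] if len(parts) > 1 else ""
    return scopes

def audit(conf: str) -> List[str]:
    """One finding per scope with TLS on but no effective SSLProtocol: a vhost
    that sets none inherits the global value, and with no global value either
    the default (all protocols) applies to that vhost."""
    scopes = ssl_scopes(conf)
    global_proto = scopes["global"].get("sslprotocol")
    return [f"{name}: SSLEngine on without an effective SSLProtocol"
            for name, d in scopes.items()
            if d.get("sslengine", "").lower() == "on" and not d.get("sslprotocol") and not global_proto]
```

Adding a single SSLProtocol line in the global scope, as Frank recommends, empties the findings list for the sample.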