Posted to users@httpd.apache.org by Martin Knoblauch <kn...@knobisoft.de> on 2020/10/21 21:37:13 UTC
[users@httpd] Weird SSLProtocol issue
Hi,
the setup is httpd-2.4.46 with OpenSSL-1.1.1g. The goal is to support the
following SSL protocols:
TLS1.3
TLS1.2
TLS1 -- for some legacy reason
So I have specified:
SSLProtocol +TLSv1 +TLSv1.2 +TLSv1.3
Using "sslscan" I get:
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 enabled
TLSv1.3 enabled
If I use
SSLProtocol +TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3
There is the same result. I can get 1.0 only if I explicitly enable 1.1
SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3
resulting in
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 enabled
TLSv1.1 enabled
TLSv1.2 enabled
TLSv1.3 enabled
which is not what I want. So, any ideas? Am I doing something wrong?
Cheers
Martin
--
------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de
[users@httpd] Re: Weird SSLProtocol issue
Posted by Martin Knoblauch <kn...@knobisoft.de>.
Hi,
OK, forget the question. I found this in the OpenSSL-1.1.1 man pages:
The *Protocol* command is fragile and deprecated; do not use it. Use
*MinProtocol* and *MaxProtocol* instead. If you do use *Protocol*, make
sure that the resulting range of enabled protocols has no "holes", e.g. if
TLS 1.0 and TLS 1.2 are both enabled, make sure to also leave TLS 1.1
enabled.
Apparently this changed from 1.0.2 and I can no longer have TLSv1.0 without
also enabling TLSv1.1. Time to beat up the old clients harder.
Sorry for the noise
Martin
On Wed, Oct 21, 2020 at 11:37 PM Martin Knoblauch <kn...@knobisoft.de>
wrote:
> Hi,
>
> the setup is httpd-2.4.46 with OpenSSL-1.1.1g. The goal is to support the
> following SSL protocols:
>
> TLS1.3
> TLS1.2
> TLS1 -- for some legacy reason
>
> So I have specified:
>
> SSLProtocol +TLSv1 +TLSv1.2 +TLSv1.3
>
> Using "sslscan" I get:
>
> SSL/TLS Protocols:
> SSLv2 disabled
> SSLv3 disabled
> TLSv1.0 disabled
> TLSv1.1 disabled
> TLSv1.2 enabled
> TLSv1.3 enabled
>
> If I use
>
> SSLProtocol +TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3
>
> There is the same result. I can get 1.0 only if I explicitly enable 1.1
>
> SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3
>
> resulting in
>
> SSL/TLS Protocols:
> SSLv2 disabled
> SSLv3 disabled
> TLSv1.0 enabled
> TLSv1.1 enabled
> TLSv1.2 enabled
> TLSv1.3 enabled
>
> which is not what I want. So, any ideas? Am I doing something wrong?
>
> Cheers
> Martin
> --
> ------------------------------------------------------
> Martin Knoblauch
> email: k n o b i AT knobisoft DOT de
> www: http://www.knobisoft.de
>
--
------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de
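The man page excerpt Martin found explains the symptom: with OpenSSL 1.1.x the set of enabled versions must be contiguous, so a directive like "+TLSv1 +TLSv1.2 +TLSv1.3" (a hole at TLSv1.1) is not honoured as written, and the server silently ends up with a different set than the admin intended. The script below is an added example, not code from the thread, from httpd or from OpenSSL. It lints an SSLProtocol line for such holes before the config is deployed and prints the two hole-free directives an admin can choose between (drop the legacy version, or fill the hole as Martin ended up doing). Its token handling is a simplified model of mod_ssl and is an assumption: "+name" adds, "-name" removes, a bare "name" replaces the set, and "all" enables every TLS version; check ssl_engine_config.c for the release you run. The probe_version helper reproduces what sslscan reported, one TLS version at a time, and needs a reachable host, so it is not exercised by the built-in sample.

```python
"""Lint an httpd SSLProtocol directive for holes in the enabled version range.

Added example; not code from httpd or OpenSSL. The token handling is a
simplified model of mod_ssl (assumption: '+name' adds, '-name' removes,
a bare 'name' replaces the set, 'all' enables every TLS version).
"""
import socket
import ssl

# Protocol versions in wire order. SSLv2 is omitted because mod_ssl no longer
# accepts it. The index in this list is used to reason about the range.
VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# sslscan prints "TLSv1.0"; the directive spells the same version "TLSv1".
ALIASES = {"tlsv1.0": "tlsv1"}


def parse_sslprotocol(directive):
    """Return the set of versions the directive asks for, before OpenSSL has its say."""
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]
    enabled = set()
    for tok in tokens:
        action, name = "", tok
        if tok[0] in "+-":
            action, name = tok[0], tok[1:]
        key = ALIASES.get(name.lower(), name.lower())
        if key == "all":
            names = {v for v in VERSIONS if v.startswith("TLS")}
        else:
            names = {v for v in VERSIONS if v.lower() == key}
            if not names:
                raise ValueError(f"unknown protocol keyword: {name!r}")
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = set(names)  # bare keyword replaces whatever came before
    return enabled


def holes(enabled):
    """Versions between the lowest and highest enabled one that are disabled.

    OpenSSL 1.1.x only honours a contiguous min..max range, so a non-empty
    result means the server will not negotiate exactly the configured set
    (in the thread above, TLSv1 silently vanished).
    """
    if not enabled:
        return []
    idx = sorted(VERSIONS.index(v) for v in enabled)
    return [v for v in VERSIONS[idx[0]:idx[-1] + 1] if v not in enabled]


def directive_for(enabled):
    """Render a version set as an SSLProtocol directive in wire order."""
    ordered = [v for v in VERSIONS if v in enabled]
    return "SSLProtocol " + " ".join("+" + v for v in ordered)


def contiguous_alternatives(enabled):
    """The hole-free directives an admin can pick: drop everything below the
    highest hole, or fill the hole (what Martin settled on)."""
    gap = holes(enabled)
    if not gap:
        return {"as_configured": directive_for(enabled)}
    top = max(VERSIONS.index(v) for v in gap)
    strict = {v for v in enabled if VERSIONS.index(v) > top}
    filled = set(enabled) | set(gap)
    return {"drop_legacy": directive_for(strict), "fill_hole": directive_for(filled)}


def probe_version(host, port, version, timeout=5.0):
    """Offer exactly one TLS version to a live server, as sslscan does.
    Returns the negotiated version string, or None if the handshake failed.
    Needs a reachable host, so it is not run by the sample below."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we only care about version support here
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    # The three directives from the thread, as constructed sample input.
    for line in ("SSLProtocol +TLSv1 +TLSv1.2 +TLSv1.3",
                 "SSLProtocol +TLSv1 -TLSv1.1 +TLSv1.2 +TLSv1.3",
                 "SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 +TLSv1.3"):
        wanted = parse_sslprotocol(line)
        print(line, "->", holes(wanted) or "no holes", contiguous_alternatives(wanted))
```

The first two directives produce the same parsed set and the same hole, which matches the identical sslscan output Martin saw for them; the lint turns that into a visible error at config time instead of a surprise after restart. To confirm what a running server actually offers, call probe_version once per entry of ssl.TLSVersion and compare the result with the parsed set.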