Posted to users@httpd.apache.org by "linux.il" <li...@gmail.com> on 2016/05/23 13:36:33 UTC

[users@httpd] TLS 1.1 and 1.2 and SNI support

As far as I see from my experiments (Apache 2.4.6 on RHEL7) and user
reports, SNI needs TLS 1.0 and doesn't work with TLS 1.1/1.2.
This behavior seems really weird to me; unfortunately I couldn't find any
explanation for it.
My question is: did I miss something? Is there any way to use SNI w/o
TLSv1?
We want to disable TLS 1.0, but don't want to lose SNI functionality.

URLs:
- https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI "The first
(default) vhost for SSL name-based virtual hosts must include TLSv1 as a
permitted protocol"
-
http://serverfault.com/questions/700143/does-sni-really-require-tlsv1-insecure

TIA,
Vitaly
PS: I understand that my question is not 100% on-topic but I hope it's
close enough.

Re: [users@httpd] TLS 1.1 and 1.2 and SNI support

Posted by "linux.il" <li...@gmail.com>.
On Mon, May 23, 2016 at 5:31 PM, Eric Covener <co...@gmail.com> wrote:

> On Mon, May 23, 2016 at 10:27 AM, linux.il <li...@gmail.com> wrote:
> > I'm using the same "curl" and "wget" for testing. As soon as I disable
> > TLS v1.0, I get "curl: (35) SSL connect error" and
> > "ERROR: certificate common name “mydefault-ssl-vhost-name” doesn’t match
> > requested host name “my-vhost-name”"
> > in wget.
> > BTW, similar issue reported here
> > http://serverfault.com/questions/700143/does-sni-really-require-tlsv1-insecure
>
> Some context re: your vhost configuration and certificate names would
> probably help here.
>
Sure, and thank you again.

1) httpd -S:
*:443                  is a NameVirtualHost
         default server example.co.uk
(/etc/httpd/conf.d/25-example.co.uk-https.conf:6)
         port 443 namevhost example.co.uk
(/etc/httpd/conf.d/25-example.co.uk-https.conf:6)
                 alias www.example.co.uk
         port 443 namevhost example.com
(/etc/httpd/conf.d/25-example.com-https.conf:6)
                 alias www.example.com


2) example.co.uk vhost:
  SSLEngine on
  SSLCertificateFile      "/etc/httpd/certs/uknew/example.co.uk.crt"
  SSLCertificateKeyFile   "/etc/httpd/certs/uknew/example.co.uk.key"
  SSLCertificateChainFile "/etc/httpd/certs/uknew/uk_chained"
  SSLCACertificatePath    "/etc/pki/tls/certs"
  SSLProtocol             All -SSLv2 -SSLv3 -TLSv1

3) example.com vhost:
  SSLEngine on
  SSLCertificateFile      "/etc/httpd/certs/new/EXAMPLE.com.crt"
  SSLCertificateKeyFile   "/etc/httpd/certs/new/server.key"
  SSLCertificateChainFile "/etc/httpd/certs/new/combundle.crt"
  SSLCACertificatePath    "/etc/pki/tls/certs"
  SSLProtocol             All -SSLv2 -SSLv3 -TLSv1
  SSLCipherSuite          HIGH:MEDIUM:!aNULL:!MD5:!RC4

Issue:
when the default SSL vhost config includes "-TLSv1" we have:

wget   https://example.com
--2016-05-23 17:40:29--  https://example.com/
Resolving example.com... x.x.x.x
Connecting to example.com|x.x.x.x|:443... connected.
ERROR: certificate common name “www.example.co.uk” doesn’t match requested
host name “example.com”.
To connect to example.com insecurely, use ‘--no-check-certificate’.

Re: [users@httpd] TLS 1.1 and 1.2 and SNI support

Posted by Eric Covener <co...@gmail.com>.
On Mon, May 23, 2016 at 10:27 AM, linux.il <li...@gmail.com> wrote:
> I'm using the same "curl" and "wget" for testing. As soon as I disable TLS
> v1.0, I get "curl: (35) SSL connect error" and
> "ERROR: certificate common name “mydefault-ssl-vhost-name” doesn’t match
> requested host name “my-vhost-name”"
> in wget.
> BTW, similar issue reported here
> http://serverfault.com/questions/700143/does-sni-really-require-tlsv1-insecure

Some context re: your vhost configuration and certificate names would
probably help here.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] TLS 1.1 and 1.2 and SNI support

Posted by "linux.il" <li...@gmail.com>.
Eric and Igor, you're right - SNI works nicely with TLS 1.x.
In my case there were some weird compatibility issues, not related to SNI.
Thank you very much!
Vitaly

On Tue, May 24, 2016 at 9:37 AM, linux.il <li...@gmail.com> wrote:

>> > On Mon, May 23, 2016 at 5:16 PM, Eric Covener <co...@gmail.com> wrote:
>> >>
>> >> > For some reason if I add "-TLSv1" to the SSLProtocol directive in my
>> >> > default SSL vhost, SNI isn't working anymore:
>> >> >
>> >> >  "SSLProtocol             All -SSLv2 -SSLv3 -TLSv1"
>> >> >
>> >>
>> >> What protocol is used? Does the client send the SNI extension?
>> >>
>> > I'm using the same "curl" and "wget" for testing. As soon as I disable
>> > TLS v1.0, I get "curl: (35) SSL connect error" and
>> > "ERROR: certificate common name “mydefault-ssl-vhost-name” doesn’t
>> > match requested host name “my-vhost-name”"
>> > in wget.
>> > BTW, similar issue reported here
>> > http://serverfault.com/questions/700143/does-sni-really-require-tlsv1-insecure
>>
>> You need to use an SNI-capable client. For example, use -H to set the Host
>> header for curl when trying to connect to a non-default vhost.
>>
>
> Sure, agree.
> Of course, I can re-read changelogs and run a sniffer, but IMHO my clients
> do support SNI - I use the same two clients. SNI works well when the server
> supports TLS 1.0, and doesn't work without TLS 1.0.
>

Re: [users@httpd] TLS 1.1 and 1.2 and SNI support

Posted by "linux.il" <li...@gmail.com>.
> > On Mon, May 23, 2016 at 5:16 PM, Eric Covener <co...@gmail.com> wrote:
> >>
> >> > For some reason if I add "-TLSv1" to the SSLProtocol directive in my
> >> > default SSL vhost, SNI isn't working anymore:
> >> >
> >> >  "SSLProtocol             All -SSLv2 -SSLv3 -TLSv1"
> >> >
> >>
> >> What protocol is used? Does the client send the SNI extension?
> >>
> > I'm using the same "curl" and "wget" for testing. As soon as I disable
> > TLS v1.0, I get "curl: (35) SSL connect error" and
> > "ERROR: certificate common name “mydefault-ssl-vhost-name” doesn’t match
> > requested host name “my-vhost-name”"
> > in wget.
> > BTW, similar issue reported here
> > http://serverfault.com/questions/700143/does-sni-really-require-tlsv1-insecure
>
> You need to use an SNI-capable client. For example, use -H to set the Host
> header for curl when trying to connect to a non-default vhost.
>

Sure, agree.
Of course, I can re-read changelogs and run a sniffer, but IMHO my clients do
support SNI - I use the same two clients. SNI works well when the server
supports TLS 1.0, and doesn't work without TLS 1.0.

Re: [users@httpd] TLS 1.1 and 1.2 and SNI support

Posted by Igor Cicimov <ic...@gmail.com>.
On 24 May 2016 12:28 am, "linux.il" <li...@gmail.com> wrote:
>
>
>
> On Mon, May 23, 2016 at 5:16 PM, Eric Covener <co...@gmail.com> wrote:
>>
>> > For some reason if I add "-TLSv1" to the SSLProtocol directive in my
>> > default SSL vhost, SNI isn't working anymore:
>> >
>> >  "SSLProtocol             All -SSLv2 -SSLv3 -TLSv1"
>> >
>>
>> What protocol is used? Does the client send the SNI extension?
>>
> I'm using the same "curl" and "wget" for testing. As soon as I disable
> TLS v1.0, I get "curl: (35) SSL connect error" and
> "ERROR: certificate common name “mydefault-ssl-vhost-name” doesn’t match
> requested host name “my-vhost-name”"
> in wget.
> BTW, similar issue reported here
> http://serverfault.com/questions/700143/does-sni-really-require-tlsv1-insecure


You need to use an SNI-capable client. For example, use -H to set the Host
header for curl when trying to connect to a non-default vhost.

Re: [users@httpd] TLS 1.1 and 1.2 and SNI support

Posted by "linux.il" <li...@gmail.com>.
On Mon, May 23, 2016 at 5:16 PM, Eric Covener <co...@gmail.com> wrote:

> > For some reason if I add "-TLSv1" to the SSLProtocol directive in my default
> > SSL vhost, SNI isn't working anymore:
> >
> >  "SSLProtocol             All -SSLv2 -SSLv3 -TLSv1"
> >
>
> What protocol is used? Does the client send the SNI extension?
>
I'm using the same "curl" and "wget" for testing. As soon as I disable TLS
v1.0, I get "curl: (35) SSL connect error" and
"ERROR: certificate common name “mydefault-ssl-vhost-name” doesn’t match
requested host name “my-vhost-name”"
in wget.
BTW, similar issue reported here
http://serverfault.com/questions/700143/does-sni-really-require-tlsv1-insecure

Re: [users@httpd] TLS 1.1 and 1.2 and SNI support

Posted by Eric Covener <co...@gmail.com>.
> For some reason if I add "-TLSv1" to the SSLProtocol directive in my default
> SSL vhost, SNI isn't working anymore:
>
>  "SSLProtocol             All -SSLv2 -SSLv3 -TLSv1"
>

What protocol is used? Does the client send the SNI extension?


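Eric's two diagnostic questions (which protocol version the client offers, and whether it sends the SNI extension) can be answered straight from the ClientHello bytes in a packet capture, without guessing from curl or wget error messages. The following is an added example, not code from this thread or from httpd: a minimal ClientHello parser, plus a builder that constructs sample ClientHellos so the example runs offline (the constructed messages carry one cipher suite and no extensions other than server_name, far less than a real client sends).

```python
import struct
from typing import Optional

def build_client_hello(version: tuple, server_name: Optional[str]) -> bytes:
    """Constructed, minimal ClientHello record (not a real capture): one cipher
    suite, null compression and, optionally, a server_name (SNI) extension.
    version is (major, minor): (3, 1) = TLS 1.0, (3, 3) = TLS 1.2."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"  # client_version, random, empty session_id
    body += b"\x00\x02\xc0\x2f"                     # cipher_suites: one 2-byte suite
    body += b"\x01\x00"                             # compression_methods: null only
    ext = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        name_list = b"\x00" + struct.pack("!H", len(host)) + host  # name_type host_name
        sni_data = struct.pack("!H", len(name_list)) + name_list
        ext = b"\x00\x00" + struct.pack("!H", len(sni_data)) + sni_data  # type 0 = server_name
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello
    # Record layer: content type 22 (handshake); clients commonly put 3.1 here for compatibility,
    # so the version that matters is the client_version inside the handshake body.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(data: bytes) -> dict:
    """Return the protocol version offered in the ClientHello and the SNI hostname
    (None when the client sent no server_name extension)."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = data[9:9 + int.from_bytes(data[6:9], "big")]
    major, minor = body[0], body[1]
    version = f"TLS 1.{minor - 1}" if major == 3 and minor >= 1 else f"SSL {major}.{minor}"
    pos = 34                                                  # version (2) + random (32)
    pos += 1 + body[pos]                                      # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")       # cipher_suites
    pos += 1 + body[pos]                                      # compression_methods
    sni = None
    if pos < len(body):                                       # extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            edata = body[pos + 4:pos + 4 + elen]
            if etype == 0 and edata[2] == 0:                  # server_name, host_name entry
                nlen = int.from_bytes(edata[3:5], "big")
                sni = edata[5:5 + nlen].decode("ascii")
            pos += 4 + elen
    return {"version": version, "sni": sni}
```

Against a live server the same two facts can be checked with `openssl s_client -servername HOST -tls1_2`: if the default vhost's certificate still comes back, the server is not selecting on SNI, whereas a handshake failure points at the protocol or cipher configuration instead.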

Re: [users@httpd] TLS 1.1 and 1.2 and SNI support

Posted by "linux.il" <li...@gmail.com>.
On Mon, May 23, 2016 at 4:39 PM, Eric Covener <co...@gmail.com> wrote:

> On Mon, May 23, 2016 at 9:36 AM, linux.il <li...@gmail.com> wrote:
> > As far as I see from my experiments (Apache 2.4.6 on RHEL7) and user
> > reports, SNI needs TLS 1.0 and doesn't work with TLS 1.1/1.2.
> > This behavior seems really weird to me; unfortunately I couldn't find any
> > explanation for it.
> > My question is: did I miss something? Is there any way to use SNI w/o
> > TLSv1?
> > We want to disable TLS 1.0, but don't want to lose SNI functionality.
> >
> > URLs:
> > - https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI "The first
> > (default) vhost for SSL name-based virtual hosts must include TLSv1 as a
> > permitted protocol"
> > -
> >
> http://serverfault.com/questions/700143/does-sni-really-require-tlsv1-insecure
> >
> > TIA,
> > Vitaly
> > PS: I understand that my question is not 100% on-topic but I hope it's
> > close enough.
>
>
> All of those references are contrasting TLSv1 with SSLv3, not with
> TLSv1.2.  SNI works fine with TLSv1.0 _and later_.
>
> --
> Eric Covener
> covener@gmail.com


Eric,
Thank you!
For some reason if I add "-TLSv1" to the SSLProtocol directive in my default
SSL vhost, SNI isn't working anymore:

 "SSLProtocol             All -SSLv2 -SSLv3 -TLSv1"

Re: [users@httpd] TLS 1.1 and 1.2 and SNI support

Posted by Eric Covener <co...@gmail.com>.
On Mon, May 23, 2016 at 9:36 AM, linux.il <li...@gmail.com> wrote:
> As far as I see from my experiments (Apache 2.4.6 on RHEL7) and user
> reports, SNI needs TLS 1.0 and doesn't work with TLS 1.1/1.2.
> This behavior seems really weird to me; unfortunately I couldn't find any
> explanation for it.
> My question is: did I miss something? Is there any way to use SNI w/o
> TLSv1?
> We want to disable TLS 1.0, but don't want to lose SNI functionality.
>
> URLs:
> - https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI "The first
> (default) vhost for SSL name-based virtual hosts must include TLSv1 as a
> permitted protocol"
> -
> http://serverfault.com/questions/700143/does-sni-really-require-tlsv1-insecure
>
> TIA,
> Vitaly
> PS: I understand that my question is not 100% on-topic but I hope it's close
> enough.


All of those references are contrasting TLSv1 with SSLv3, not with
TLSv1.2.  SNI works fine with TLSv1.0 _and later_.

-- 
Eric Covener
covener@gmail.com
