Posted to users@httpd.apache.org by Hildegard Meier <da...@gmx.de> on 2021/06/02 15:29:03 UTC
[users@httpd] Newer Apache does not offer TLS cipher with TLSv1 anymore
Hello,
we host a website which clients still need to use the cipher ECDHE-RSA-AES256-SHA
with protocol "TLSv1.0" aka "TLSv1".
With our old Apache server that worked. Spec:
Ubuntu 14.04 LTS
Apache 2.4.7-1ubuntu4.22
OpenSSL 1.0.1f-1ubuntu2.27
Apache config:
SSLProtocol -all +TLSv1.2 +TLSv1
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA
sslscan shows the following cipher support of the old Apache server:
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
So, ECDHE-RSA-AES256-SHA is offered both via TLSv1.2 and TLSv1.0.
Now we have a newer Apache server setup. Spec:
Ubuntu 18.04.1 LTS
Apache 2.4.29-1ubuntu4.14
OpenSSL 1.1.1-1ubuntu2.1~18.04.9
The complete Apache config is unchanged, so still:
SSLProtocol -all +TLSv1.2 +TLSv1
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA
But now sslscan shows for the new Apache server:
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
The problem is, ECDHE-RSA-AES256-SHA is now _only_ supported via TLSv1.2, not via TLSv1.0 anymore.
How does this come about?
Is it possible to make the new Apache offer ECDHE-RSA-AES256-SHA also via TLSv1.0 again?
Thank you very much.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
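The two sslscan listings above differ in exactly one line, which is easy to miss by eye. The following Python is an added example for this thread (not code from the original post, from httpd, or from sslscan): it parses the "Supported Server Cipher(s)" lines in the format pasted above into a cipher-to-protocols map, reports which (cipher, protocol) pairs disappeared between the old and the new server, and checks the stated requirement (ECDHE-RSA-AES256-SHA on TLSv1.0). The two scan texts are copied from the post; the line regex is my own and ignores any line it does not recognise, and the list of deprecated versions follows RFC 8996 (TLSv1.0 and TLSv1.1).

```python
import re

# One line of sslscan's cipher listing as pasted in the thread:
# "<Preferred|Accepted> <protocol> <bits> bits <cipher> <rest...>"
LINE_RE = re.compile(r"^(Preferred|Accepted)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")

# Deprecated protocol versions per RFC 8996.
DEPRECATED = {"TLSv1.0", "TLSv1.1"}

# Scan output of the old server (Apache 2.4.7 / OpenSSL 1.0.1f), copied from the post.
OLD_SCAN = """\
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
"""

# Scan output of the new server (Apache 2.4.29 / OpenSSL 1.1.1), copied from the post.
NEW_SCAN = """\
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
"""


def parse_sslscan(text):
    """Map cipher name -> set of protocol versions on which the server accepted it.
    Lines that are not cipher lines (headers, blank lines) are skipped."""
    offered = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            offered.setdefault(m.group(4), set()).add(m.group(2))
    return offered


def regressions(before, after):
    """(cipher, protocol) pairs that were offered before but are gone after."""
    lost = []
    for cipher, protos in before.items():
        for proto in sorted(protos - after.get(cipher, set())):
            lost.append((cipher, proto))
    return sorted(lost)


def check_requirement(offered, cipher, protocol):
    """True when the server offers `cipher` on `protocol`."""
    return protocol in offered.get(cipher, set())


def deprecated_offers(offered):
    """(cipher, protocol) pairs that rely on a deprecated protocol version;
    useful as a reminder of the exposure that keeping TLSv1.0 alive carries."""
    return sorted((c, p) for c, ps in offered.items() for p in ps & DEPRECATED)


if __name__ == "__main__":
    old, new = parse_sslscan(OLD_SCAN), parse_sslscan(NEW_SCAN)
    print("lost after upgrade:", regressions(old, new))
    print("requirement met on new server:",
          check_requirement(new, "ECDHE-RSA-AES256-SHA", "TLSv1.0"))
    print("deprecated protocol offers on old server:", deprecated_offers(old))
```

Feeding a fresh scan of each server into `regressions` after a package upgrade turns the "wait, where did TLSv1.0 go?" discovery into a routine check; `deprecated_offers` keeps visible which of the remaining offers depend on protocol versions that RFC 8996 has retired.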
Aw: [users@httpd] Newer Apache does not offer TLS cipher with TLSv1 anymore
Posted by Hildegard Meier <da...@gmx.de>.
When changing
SSLProtocol -all +TLSv1.2 +TLSv1
to
SSLProtocol -all +TLSv1
then TLSv1.0 support is there:
sslscan gives:
Supported Server Cipher(s):
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.0 256 bits AES256-SHA
So this seems to be an issue of protocol preference in Apache?
Aw: [users@httpd] Newer Apache does not offer TLS cipher with TLSv1 anymore
Posted by Hildegard Meier <da...@gmx.de>.
P.S.
OpenSSL seems to offer the cipher ECDHE-RSA-AES256-SHA via TLSv1 on the new server (Ubuntu 18):
openssl ciphers -v -s -tls1 | grep '^ECDHE-RSA-AES256-SHA '
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
Aw: Re: [users@httpd] Newer Apache does not offer TLS cipher with TLSv1 anymore
Posted by Hildegard Meier <da...@gmx.de>.
Thanks for your answer, Stefan.
So I would suggest making the documentation of SSLProtocol clear, like this:
"
You need to name the 'highest' protocol and the 'lowest' protocol, and all protocols in between them, without gap.
E.g. if You want to support TLSv1.2 and TLSv1.0, you need to set
SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1
If you would only set
SSLProtocol -all +TLSv1.2 +TLSv1
Apache would stop at TLSv1.2 because there is a gap in the protocol list, and only support TLSv1.2
If you only want to support TLSv1.2, you would set
SSLProtocol TLSv1.2
"
I mean, this is weird, but if it really is so, you should be brave and document this weirdness as it is, or fix it.
How could the users figure this behaviour out otherwise? It took me hours to find the solution, and only by guessing and trying.
Re: [users@httpd] Newer Apache does not offer TLS cipher with TLSv1 anymore
Posted by Stefan Eissing <st...@greenbytes.de>.
Hildegard,
I believe this is the result of a deliberate change in the OpenSSL API when going to version 1.1.0.
In earlier versions of OpenSSL one could switch on/off individual protocols, whereas now one specifies a minimum and maximum TLS version to use.
In Apache, the configuration handling needed to accommodate for that and the implementation looks for the "highest" protocol and then scans "downward". If a protocol is not listed, it basically stops. I am not sure why this decision was taken, but it seems that one wanted to avoid enabling a protocol that was not configured.
I believe the documentation could be clearer on this. As a token of our good intentions, please see <https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslprotocol>: since Apache 2.4.42 one can configure different protocols per VirtualHost. So if you need TLSv1 only on a particular host, you can disable it on all others.
Hope this helps,
Stefan
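Stefan's description of the mapping (highest listed protocol becomes the maximum, then walk downward and stop at the first protocol that is not listed) and Hildegard's proposed documentation wording can both be checked against a small model. The following Python is an added example written for this thread, not code from httpd or OpenSSL: `parse_ssl_protocol` and `resolve_range` are my reading of the behaviour the thread describes, the protocol list is limited to what Apache 2.4.29 knows (no TLSv1.3), and the handling of a bare token (replaces the set) and of `all` (every version in the list) is an assumption that does not affect the examples below, since each of them starts with `-all`. It reproduces every result from the thread, including the one the 1.0.x-era configuration gave on the old server, and `is_contiguous` answers the last question in the model's terms: a minimum/maximum API can only express a gap-free run of versions, so there is no directive under this mapping that yields TLSv1.2 and TLSv1.0 without TLSv1.1.

```python
# Protocols Apache 2.4.29 knows, lowest first (that release predates TLSv1.3).
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
ALIASES = {"TLSv1.0": "TLSv1"}  # the thread writes TLSv1.0 for what mod_ssl calls TLSv1


def parse_ssl_protocol(directive):
    """Turn the argument of an SSLProtocol line into the set of named protocols.

    '+name' adds, '-name' removes, a bare name replaces the whole set, and 'all'
    stands for every version in PROTOCOLS. Assumption: bare-token and 'all'
    semantics as stated here; every example in the thread starts with '-all',
    so the result does not depend on them."""
    enabled = set()
    for token in directive.split():
        action = ""
        if token[0] in "+-":
            action, token = token[0], token[1:]
        name = ALIASES.get(token, token)
        if name.lower() == "all":
            members = set(PROTOCOLS)
        elif name in PROTOCOLS:
            members = {name}
        else:
            raise ValueError(f"unknown protocol token: {token}")
        if action == "+":
            enabled |= members
        elif action == "-":
            enabled -= members
        else:
            enabled = set(members)
    return enabled


def resolve_range(enabled):
    """Model of mod_ssl on OpenSSL 1.1 as described in the thread: the highest
    listed protocol is the maximum; walk downward while the next-lower protocol
    is also listed; stop at the first gap. Returns (min, max), or None when
    nothing is enabled."""
    listed = [p for p in PROTOCOLS if p in enabled]
    if not listed:
        return None
    high = listed[-1]
    idx = PROTOCOLS.index(high)
    while idx > 0 and PROTOCOLS[idx - 1] in enabled:
        idx -= 1
    return PROTOCOLS[idx], high


def offered_protocols(directive, openssl11=True):
    """Protocols the server ends up offering, lowest first."""
    enabled = parse_ssl_protocol(directive)
    if not openssl11:
        # OpenSSL 1.0.x: every protocol is an independent on/off switch.
        return [p for p in PROTOCOLS if p in enabled]
    rng = resolve_range(enabled)
    if rng is None:
        return []
    lo, hi = rng
    return PROTOCOLS[PROTOCOLS.index(lo):PROTOCOLS.index(hi) + 1]


def is_contiguous(wanted):
    """A minimum/maximum API can only express a gap-free run of versions."""
    idx = sorted(PROTOCOLS.index(ALIASES.get(p, p)) for p in wanted)
    return all(b - a == 1 for a, b in zip(idx, idx[1:]))


if __name__ == "__main__":
    for d in ["-all +TLSv1.2 +TLSv1", "-all +TLSv1.2 +TLSv1.1 +TLSv1", "-all +TLSv1", "TLSv1.2"]:
        print(f"{d!r:36} OpenSSL 1.0.x -> {offered_protocols(d, openssl11=False)}"
              f"   OpenSSL 1.1.x -> {offered_protocols(d)}")
    print("TLSv1.2 and TLSv1.0 without TLSv1.1 expressible as a range:",
          is_contiguous({"TLSv1.0", "TLSv1.2"}))
```

The first line of the output is the whole thread in one row: the same directive gives `['TLSv1', 'TLSv1.2']` under the per-protocol switches of OpenSSL 1.0.x and only `['TLSv1.2']` under the range model. Running a candidate SSLProtocol line through `offered_protocols` before deploying it is a cheap way to catch such a gap without a round of sslscan.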
Aw: [users@httpd] Newer Apache does not offer TLS cipher with TLSv1 anymore
Posted by Hildegard Meier <da...@gmx.de>.
Solution to have TLSv1.2 and TLSv1.0 support together again with Apache 2.4.29 on Ubuntu 18:
Changing
SSLProtocol -all +TLSv1.2 +TLSv1
to
SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1
This gives the following sslscan output:
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.2 256 bits AES256-SHA
Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.1 256 bits AES256-SHA
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.0 256 bits AES256-SHA
and connection with all three protocols with curl works, also from the old client which is not TLSv1.2 capable.
But I want only to allow TLSv1.2 and TLSv1.0, TLSv1.1 is not needed, so I do not want to allow it.
By luck, I found this Apache bug report about chaotic behaviour resulting from different combinations of options SSLProtocol and SSLCipherSuite:
https://bz.apache.org/bugzilla/show_bug.cgi?id=60739
This is really scary: undocumented change of behaviour, behaviour that is not reasonable/logical, nearly zero documentation of the option SSLProtocol.
Any explanation by the Apache devs, why
SSLProtocol -all +TLSv1.2 +TLSv1
did work with Apache 2.4.7 on Ubuntu 14
but with Apache 2.4.29 on Ubuntu 18 one has to set
SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1
to get TLSv1.0 protocol support?
Any suggestion how I can have TLSv1.2 and TLSv1.0 support, but no TLSv1.1 support at the same time?