Posted to users@httpd.apache.org by Shariful Alam <di...@gmail.com> on 2021/10/13 00:39:06 UTC

[users@httpd] Why httpd-2.4.46 server not working with TLSv1.2?

Hello,
I have installed *apache 2.4.46* from the source code. I have also
installed *OpenSSL 1.1.1c* from the source code in "*/opt/openssl*".

I used the following configuration when installing Apache:
========================
CFLAGS='-DSSL_EXPERIMENTAL_ENGINE -DSSL_ENGINE -DOPENSSL_LOAD_CONF'
LDFLAGS=-Wl,-rpath=/opt/openssl/lib ./configure --prefix=/etc/apache2
--enable-ssl --with-ssl=/opt/openssl/ --with-pcre=/usr/local/pcre
--enable-so
======================

My *httpd-ssl.conf* with the following configuration works fine with
TLSv1.3:
======================
SSLCipherSuite AES128-SHA256
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
========================

However, if I try to use TLSv1.2, I get the following error:
==============================
xxx@xxx:~$ curl -k https://10.29.2.98 -verbose --tlsv1.2 --tls-max 1.2
*   Trying 10.29.2.98:443...
* Connected to 10.29.2.98 (10.29.2.98) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, bad record mac (532):
* error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
* Closing connection 0
curl: (35) error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad
record mac
=================================

I also changed *httpd-ssl.conf* as follows:
=================
SSLCipherSuite AES128-SHA256
SSLHonorCipherOrder on
#SSLProtocol all -SSLv3
SSLProtocol -all +TLSv1.2
=================

but I still get the same error:
===================
$curl -k https://10.29.2.98 -verbose
*   Trying 10.29.2.98:443...
* Connected to 10.29.2.98 (10.29.2.98) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, bad record mac (532):
* error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
* Closing connection 0
curl: (35) error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad
record mac
==================

Any help? Where did I make a mistake?

Thanks,
Shariful Alam
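The two curl runs above pin the client to a single protocol version and show the handshake failing right after the client's Finished. The script below is an added example, not code from the post or from httpd/OpenSSL: it reproduces that probe with Python's `ssl` module (one connection per TLS version, certificate checks disabled like `curl -k`) and reduces a curl `-v` trace to the last message exchanged before the alert. `SAMPLE_TRACE` is the curl output quoted in the post; the host, port and Python 3.7+ are assumptions.

```python
"""Probe a TLS server one protocol version at a time and summarise a curl
-v handshake trace.  Added example; not from the mailing-list post or httpd."""
import re
import socket
import ssl
import sys

# Map the names used in the post to Python's TLSVersion constants.
TLS_VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Constructed copy of the curl -v lines quoted in the post (second run).
SAMPLE_TRACE = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, bad record mac (532):
"""


def make_probe_context(version: str) -> ssl.SSLContext:
    """Client context pinned to exactly one protocol version, the equivalent
    of `curl --tlsv1.2 --tls-max 1.2`.  Certificate verification is disabled
    to mirror `curl -k`: acceptable for a diagnostic probe, never in production."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = TLS_VERSIONS[version]
    ctx.maximum_version = TLS_VERSIONS[version]
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(host: str, port: int, version: str, timeout: float = 5.0) -> dict:
    """Open one TLS connection at `version` and report what the server
    negotiated, or OpenSSL's reason string for the failure."""
    result = {"version": version, "ok": False, "protocol": None,
              "cipher": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with make_probe_context(version).wrap_socket(
                    raw, server_hostname=host) as tls:
                result.update(ok=True, protocol=tls.version(),
                              cipher=tls.cipher()[0])
    except ssl.SSLError as exc:          # e.g. SSLV3_ALERT_BAD_RECORD_MAC
        result["error"] = f"SSLError: {exc.reason or exc}"
    except OSError as exc:               # refused, timeout, reset
        result["error"] = f"OSError: {exc}"
    return result


def probe_all(host: str, port: int = 443) -> list:
    """Probe every version in TLS_VERSIONS; a working TLSv1.3 row next to a
    failing TLSv1.2 row is the situation described in the post."""
    return [probe(host, port, v) for v in TLS_VERSIONS]


# One curl -v TLS line, e.g. "* TLSv1.2 (IN), TLS alert, bad record mac (532):"
TRACE_RE = re.compile(
    r"^\* (TLSv1\.[0-3]) \((IN|OUT)\), TLS (handshake|alert|change cipher), "
    r"(.+?) \((\d+)\):?$")


def summarize_curl_trace(trace: str) -> dict:
    """Parse a curl -v trace and return the alert plus the last message sent
    before it.  In TLS 1.2 the client's Finished is its first record under the
    freshly derived keys, so a bad_record_mac immediately after it means the
    server could not decrypt or authenticate that record."""
    msgs = []
    for line in trace.splitlines():
        m = TRACE_RE.match(line.strip())
        if m:
            msgs.append({"version": m.group(1), "direction": m.group(2),
                         "kind": m.group(3), "name": m.group(4),
                         "code": int(m.group(5))})
    idx = next((i for i, m in enumerate(msgs) if m["kind"] == "alert"), None)
    alert = msgs[idx] if idx is not None else None
    before = msgs[:idx] if idx is not None else msgs
    last = before[-1] if before else None
    hint = None
    if (alert and last and alert["name"] == "bad record mac"
            and last["direction"] == "OUT" and last["name"] == "Finished"):
        hint = ("server rejected the client's Finished, the first record "
                "protected by the new keys: client and server disagree on "
                "the session keys or record cipher state")
    return {"messages": len(msgs), "last_before_alert": last,
            "alert": alert, "hint": hint}


if __name__ == "__main__":
    print(summarize_curl_trace(SAMPLE_TRACE))
    if len(sys.argv) > 1:                # e.g. python probe.py 10.29.2.98
        for row in probe_all(sys.argv[1]):
            print(row)
```

Run it with a host argument to get one line per protocol version; `probe()` surfaces OpenSSL's reason string (for the post's failure, `SSLV3_ALERT_BAD_RECORD_MAC`) instead of curl's numeric error, and `summarize_curl_trace()` pins down that the alert arrives only after the client switches to the negotiated keys, which distinguishes this failure from a protocol or cipher-suite rejection (those fail at ServerHello).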