I have issues when to make my apache server uses TLS1.2. I respect all recommended configuration (ssl.conf, virtuals, ciphers ...) but apache is all the time using TLS1.0. I suspect the version of openssl to be the root cause.
Environment : RHEL 7
openssl version : OpenSSL 1.0.1e-fips
Apache version : Apache/2.4.6
I have this message on browser dev tools even though configuration seems to be ok :
The connection to this site is encrypted and authenticated using TLS 1.0, ECDHE_RSA, and AES_256_CBC with HMAC-SHA1.
TLS 1.0 is obsolete. Enable TLS 1.2 or later.
AES_256_CBC is obsolete. Enable an AES-GCM-based cipher suite.
can you help on this please ?
Make sure you have restarted apache.
And, make sure this line is added, and make sure all other SSLProtocol are commented using # at the start of the line, or removed:
SSLProtocol -all +TLSv1.2 +TLSv1.3
Or, if your version of OpenSSL doesn't support TLSv1.3:
SSLProtocol -all +TLSv1.2
I absolutely recommend you to update to the latest version of Apache (2.4.46 at the time of this post), and OpenSSL 1.1.1.
You can use SSL Labs to test your website's SSL conf.
Next:
AES_256_CBC is obsolete. Enable an AES-GCM-based cipher suite.
For the above, you can test your site on SSL Labs, and see the ciphers that are green and orange, and you can implement them by using https://testssl.sh/openssl-iana.mapping.html for help
Related
My web server cannot open a TLSv1.0/1.1 connection. Due to the need to support older client versions. Accidentally found that no matter what settings are made, TLSv1.0/1.1 connections cannot be opened, and these two always disappear and appear at the same time.
The Apache2 version I'm using now is
Server version: Apache/2.4.55
Server built: 2023-01-20T06:45:57
The OpenSSL version I'm using now is
OpenSSL 1.1.1n 15 Mar 2022
When I try to remove all configuration about cipher suite, it can support TLS1.0/1.1/1.2/1.3 connection, like this:
SSLEngine on
SSLCertificateFile "something.cer"
SSLCertificateKeyFile "something.key"
When I added the setting about SSL protocol, it also works fine.
SSLProtocol All -SSLv3 -SSLv2
At this point, my web server can provide eight TLS1.0/1.1 cipher suites, which are:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
At this time, it can also support three TLS1.3 cipher suites and about forty or fifty TLS1.2 cipher suites. When I check with Qualys SSL Labs it says "This server does not support Forward Secrecy with the reference browsers. Grade capped to B". Although supporting the old TLS protocol will also be downgraded to B, but I still try to fix the previous problem.
So I tried to add the following configuration items, then the problem came, my server no longer supports TLS1.0/1.1.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA
SSLHonorCipherOrder On
I don't know why this happened, at first I thought it was part of the cipher suite I specified that didn't support TLS1.0. I checked one by one and found that in the TLS1.2 cipher suite list at this time, there are four of the previous eight.
Then I first tried to remove the last configuration, and my server supports TLS1.0/1.1 again. The cipher suites that appear are exactly the ones I found duplicated earlier. Then I tried to add this part again, but set SSLHonorCipherOrder off, it still works as before.
I don't understand why my server cannot support TLS1.0/1.1 when the option of server preference is turned on.
The SSLHonorCipherOrder On setting means "ensure that the server's cipher preferences are followed instead of the client's". So if the client sends a mix of cipher sets, and the server list includes non-TLS1.0/1.1 sets earlier in the list, then it'll use these (and TLS1.2) in preference. Which actually is exactly what you're looking for: if the client supports a stronger protocol, it should use it.
You can use the openssl command line tool to quickly check if the server will accept a connection that supports only TLSv1.0:
openssl s_client -connect example.com:443 -tls1
Since TLS1.3 support in OpenSSL 1.1.1 which was released on September 11th 2018, I wonder if I can get my Apache2 server to support it so my visitors can benefit from improved security and speed.
I understand that there are several ways to make this happen:
A backport of Apache which has it, but isn't it potentially insecure to run this kind of unoffical frankenware? I also cannot seem to find it.
Wait until an Apache2 version comes out that supports it and then compile it from source and install it. Unfortunately I cannot find information on when this comes out or if it already exists, and which version I should be downloading.
Adjust Apache2's config to use other openssl libraries (separately installed and compiled from source). Here, again, I cannot seem to find instructions on how to get this done.
I anticipate this question coming up pretty often in the near future so I hope to solicit an exhaustive answer for everyone who intends to support TLS1.3.
PS I'm also not sure if Apache2 uses the installed OpenSSL library or if it has its own module compiled (much the way it does with PHP)?
Starting with Apache version 2.4.36 (current one right now is 2.4.37) support for TLS1.3 has been added. In combination with OpenSSL 1.1.1 you can enable support for it at any time after updating both. In your SSL.conf you should make a few minor adjustments.
SSLProtocol -all +TLSv1.2 +TLSv1.3
#You don't have to explicitly enable it, but this can be considered secure
SSLCipherSuite EECDH+AES256-GCM:EDH+AES256-GCM:AES256+EECDH:AES256+EDH:!AES128
#these secure suites are used up to TLS1.2
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
#these suites are used for TLS1.3 only
If you don't want to specify the suites for TLS1.3 the default 3 ones
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
are used (in that order). I changed that for my config since I wanted to get rid of all AES128 suites.
If you are ok with the default setting, then basically upgrading Apache and OpenSSL is enough to get you started. Qualys SSL Test should confirm whether TLS1.3 is enabled etc.
I'm using WHM I had installed ssl certificate on my website it's working good but issue is that this tool https://www.ssllabs.com/ssltest/index.html saying > This server accepts the RC4 cipher, which is weak, I'm using apache server WHM with cPanel, Please help me in details, Thank you so much.
You will need to stop supporting RC4 ciphers to stop this warning from appearing. https://mozilla.github.io/server-side-tls/ssl-config-generator/ has a nice interface where you can plug in your Apache version, choose how flexible you want to be in terms of supporting older client (Modern vs. Intermediate vs. Old), which comes with a security tradeoff, and make the recommended changed to your Apache config file.
The relevant lines are:
SSLProtocol xxx
SSLCipherSuite xxx
SSLHonorCipherOrder on
I read on various forums regarding POODLE vulnerability in SSLv3. It is recommended to disable SSLv3 and support TLS_FALLBACK_SCSV on servers.
How to enable support of TLS_FALLBACK_SCSV on apache2.2?
Upgrade to the latest version of openssl, which automatically supports TLS-FALLBACK-SCSV. Apache will use that.
From https://www.openssl.org/news/secadv_20141015.txt :
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
Debian and other Distributions are deploying backports of the TLS-FALLBACK-SCSV update on OpenSSL.
Restart your Apache after the update.
Check your server
SSL Labs will check whether you support TLS_FALLBACK_SCSV.
Notice how https://www.ssllabs.com/ssltest/analyze.html?d=google.com&s=74.125.239.96&hideResults=on notes "TLS_FALLBACK_SCSV supported"
It shouldn't be necessary to do both; TLS_FALLBACK_SCSV is a mechanism to prevent downgrade attacks, but if your server does not allow SSLv3 (or v2) connections it is not needed (as those downgraded connections would not work)
Edit (to incorporate feedback):
Technically TLS_FALLBACK_SCSV is still useful with SSL disabled, because it helps avoid the connection being downgraded to TLS < 1.2. But this is unnecessary to defend against POODLE, since the vulnerable SSLv3 is off.
The only reason TLS_FALLBACK_SCSV is helpful against POODLE is if you need to support SSLv3 clients (really old IE versions or something). Those clients will still be vulnerable to the attack, but modern clients which support that option would be safe against the downgrade attack.
Upgrade to the latest OpenSSL package that implements TLS_FALLBACK_SCSV. Then in your Apache configuration disable SSLv3 as well.
SSLProtocol all -SSLv2 -SSLv3
This answer on the 'askubuntu' stack site goes into a lot more detail and has answers for how to configure a bunch of different servers for this.
https://askubuntu.com/questions/537196/how-do-i-patch-workaround-sslv3-poodle-vulnerability-cve-2014-3566
As far as I understand it, it's not a configuration in Apache but a behavior of openssl.
OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
to block the ability for a MITM attacker to force a protocol
downgrade.
https://www.openssl.org/news/secadv_20141015.txt
On Debian, you can upgrade openssl without upgrading libssl, you really want libssl to be upgraded. Apache uses libssl.
I can confirm is not need change nothing on Apache (at least for Ubuntu 14.04) I have restarted Apache after the update of openssl and TLS_FALLBACK_SCSV is working.
Put the following line in your configuration file, or replace any existing line starting with SSLProtocol:
SSLProtocol All -SSLv2 -SSLv3
Then run: $ sudo apache2ctl configtest && sudo service apache2 restart
You can test running command $ openssl s_client -connect <host>:<port> -ssl3
TLS_EMPTY_RENEGOTIATION_INFO_SCSV is the magic-word.
For more details, refer to http://www.exploresecurity.com, this is what it says:
TLS_FALLBACK_SCSV is a fake cipher suite advertised in the Client
Hello, which starts the SSL/TLS handshake. SCSV stands for “Signaling
Cipher Suite Value”. The idea of using a cipher suite as a signal is
not new: TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a way clients can
advertise that they support secure renegotiation (addressing
CVE-2009-3555)
So, finally, for a Spring-boot project with embedded Apache Server, configuration would show up something like this:
server.ssl.enabled-protocols=TLSvx,TLSvx.y....
server.ssl.protocol=TLS
server.ssl.ciphers=TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_............TLS_EMPTY_RENAGOTIATION_INFO_SCSV
server.server-header="Willi Wonka!"
PS - To see all the the Spring-boot configurations / properties, plese visit this: https://docs.spring.io
I am currently working on testing some vulnerabilities in TLS 1.0. I have created a website and hosted it on wamp server 2.4. I am using openssl to create self-signed certificates for SSL encryption ver. 1.01. But the current openssl version uses TLS 1.2 provide. I want to use TLS 1.0 rather to test some of the vulnerabilities such as BEAST attack present in TLS 1.0. I would like to know how can I modify the version so that the website now uses TLS 1.0 protocol instead.
Try reading this the manual:
Then in the \wamp\bin\apache\apachex.y.z\conf\extra\httpd-ssl.conf find this line
SSLProtocol all -SSLv2
Then change that line to only include the protocol you want to test so it is the only one that is used.