Disabled TLS but SSL online analyzer finds it as enabled. Why? - ssl

In my virtual host I specified to disable TLSv1 and TLSv1.1:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
Then I tested using https://www.ssllabs.com/ssltest/analyze.htm
But I still continue to see:
Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
For TLS 1.3 tests, we only support RFC 8446.
I restarted both apache2 and sshd before re-running the analyzer, but nothing changed.
What am I missing?
EDIT: it's a new VM with Debian 9, Apache 2 and certbot, with only one virtual host, and I also disabled the default one.
Probably some config in other files is conflicting with or overriding my settings, so I'll investigate.

There could be multiple reasons for this, like:
You don't actually test your server configuration. This can happen if there is an SSL-terminating load balancer or reverse proxy in front of your server, or if your server is behind a CDN (Cloudflare, Akamai, ...).
You have multiple virtual hosts on the same IP address and port with different configurations regarding the SSLProtocol. Only one of the settings will actually be used in this case, and it might not be the one you expected.
You have different configurations for IPv4 and IPv6 and made the changes only to one of these configurations.
You made the changes to parts of the configuration which take no effect.

As stated in the accepted answer, there were some conflicting settings.
In my VHost config I was including:
Include /etc/letsencrypt/options-ssl-apache.conf
And I had set up my settings outside the vhost, so my settings took less precedence than the included ones.
And the included one WAS NOT disabling TLSv1, for example.
I fixed the included file, and all works as expected.
Thanks again #Steffen Ullrich
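The layout the question and the follow-up describe, beside a corrected one, as an added example (not the poster's actual files); the hostname, the cipher list and the content of the included file are assumptions:

```apache
# Layout that produces the symptom. The Include runs inside the vhost and
# carries its own SSLProtocol; a directive in vhost context overrides the same
# directive in server context, so the outer line below never takes effect.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1          # server context: overridden
<VirtualHost *:443>
    ServerName example.com                       # assumed name
    SSLEngine on
    # Assumed content of the included file: "SSLProtocol all -SSLv2 -SSLv3",
    # which leaves TLS 1.0 and 1.1 enabled for this vhost.
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

# Corrected layout: set the protocol list in the vhost itself, after the
# Include. Each SSLProtocol directive replaces the full list built by an
# earlier one in the same context, so the last one in the vhost is what applies.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
</VirtualHost>
```

After `apachectl configtest` and a reload, `openssl s_client -tls1_1 -connect example.com:443` should no longer complete a handshake, and `grep -r SSLProtocol /etc/apache2 /etc/letsencrypt` lists every file that sets the directive.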

Related

Mutual TLS with Apache proxy to Tomcat

The setup I am working with involves an Apache server acting as a proxy to a Tomcat server which serves several web applications. I have enabled mutual TLS on Apache and I can successfully connect to one of my Tomcat web applications and verify the client certificate. However, I want to take this one step further... At the moment in my ssl.conf I have a default HTTPS VirtualHost configuration which looks like this:
<VirtualHost *:443>
....
SSLEngine on
SSLCertificateFile /path/to/www_yoursite_com.crt
....
#other SSL options...
</VirtualHost>
In my modproxy.conf I have a configuration as follows:
ProxyPass /webApp1 https://localhost:1234/webApp1
ProxyPassReverse /webApp1 https://localhost:1234/webApp1
ProxyPass /webApp2 https://localhost:1234/webApp2
ProxyPassReverse /webApp2 https://localhost:1234/webApp2
where 1234 is the https port configured on a connector element in Tomcat's server.xml file.
Let's assume that I only want mTLS for webApp1. The problem with this configuration is that I need a client cert in my browser even if I am accessing webApp2; in other words, I want to enable mTLS only for one web application. Even better, I would like to enable mTLS for a specific URL within my web application (is this even possible??), so for example I want mTLS required when someone hits https://myserver.com/webApp1/test/mtlsEndpoint but not on https://myserver.com/webApp1/test/otherEndpoint.
Is it possible to achieve this with another VirtualHost config for SSL in my ssl.conf? I am going to test this tomorrow (trying to achieve this with another VirtualHost config that will proxy mTLS to my webApp1), but I thought I should ask here as well to avoid trial and error and reinventing the wheel. Maybe this is easier than I am thinking?
Yes, you just need separate SSL directives for webApp1 and webApp2. SSL directives can be configured in Apache right down to the directory level.

setting SSLv2-only Apache web server

I would like to set up an Apache web server (in a VM) which supports ONLY the SSLv2 SSLProtocol, for testing purposes. Are there any instructions online for that, or could anyone guide me on that?
Thanks in advance!
Go to /conf/extra/httpd-ssl.conf and find the following setting:
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
You can adjust the line starting with SSLCipherSuite and select the protocol you want to use.

How to add SSL_RSA to SSLCipherSuite?

Really hope for some help with my problem with SSLCipherSuite... So I have this kind of virtualhost config:
<VirtualHost *:443>
DocumentRoot /home/webz/site.com
ServerName site.com
ServerAlias www.site.com
SSLProtocol -all +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite "kEDH:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+AESGCM:EECDH:EDH+AESGCM:EDH+aRSA:HIGH:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!DHE-RSA-SEED-SHA:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DH+3DES:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-DES-CBC3-SHA:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-CAMELLIA128-SHA:!RC4"
SSLCompression off
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/site.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/site.com.key
SSLCertificateChainFile /etc/httpd/ssl/DigiCertCA.crt
</VirtualHost>
Everything works fine, and security is OK according to the test (https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp).
PROBLEM: I am trying to install a payment module (REDSYS) for Opencart 2. The Redsys support team is not activating the payment module because they ask me to add one of the SSLCipherSuites below:
SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA
At the moment all my SSLCipherSuites start with TLS... :( So how do I add one of those SSLCipherSuites with SSL_RSA... ??? Hope there is somebody who knows SSL well and will help...
According to your configuration you have such cipher suites already. For example you've included AES256-SHA which is the same as TLS_RSA_WITH_AES_256_CBC_SHA. And the SSL_ prefix instead of the TLS_ prefix is just a convention from the old times where TLS was called SSL (i.e. TLS 1.0 is in effect SSL 3.1).
It is more likely that your restriction to TLS 1.1 and TLS 1.2 causes the problem, because the fact that they require you to use such old ciphers and cannot even handle ECDHE ciphers might indicate that they have a very old client which is not able to speak TLS 1.1 or TLS 1.2.
Of course it might also be that you've included different ciphers in other (i.e. not shown) parts of your server configuration which take precedence. To get information about what kind of ciphers your server really supports, check your site with SSLLabs.
EDIT: The analysis by SSLLabs shows quite clearly that TLS_RSA_WITH_AES_256_CBC_SHA (which is the same as SSL_RSA_WITH_AES_256_CBC_SHA or AES256-SHA) is enabled on the server as requested. If my assumption is correct the real problem is that they use an old client which does not speak TLS 1.1 or TLS 1.2 yet. In this case you could change your configuration for the supported protocol versions to allow TLS 1.0 too:
SSLProtocol all -SSLv3
With this configuration TLS 1.0 and better (i.e. TLS 1.1, TLS 1.2) are supported.

Poodle vulnerability need to change SSL 3.0 to TLS

I have implemented SSL (https) on my website, but when I checked the certificate it showed the POODLE vulnerability. So it suggested that I needed to change SSL 3.0 to TLS. I am using Apache 2.4. Please guide me on how I can change SSL 3.0 to TLS.
Put the following in the VirtualHost configuration section for your site:
SSLProtocol all -SSLv2 -SSLv3
It will disable SSLv2 & SSLv3, while keeping the others (TLS 1.0+) enabled.
Apache
To disable SSLv3 on your Apache server you can configure it using the following, both in the SSL configuration section and in all SSL-enabled virtual hosts explicitly:
SSLProtocol All -SSLv2 -SSLv3

Making an exception for SSLVerifyClient require

I have apache2 httpd version 2.2.9 listening on port 443 with SSLEngine on. All URLs have SSLVerifyClient require and this works fine.
I want to make an exception for a specific URL (/ca.crt) so that my clients can download the certificate of the CA that the certificates we issue them are signed with. I tried the following:
SSLVerifyClient require
Alias /ca.crt /my/ssl/certs/ca.crt
<Location /ca.crt>
SSLVerifyClient none
</Location>
My problem is that Apache only seems to want to increase the strength of the SSL client certificate requirement. If I flip the two requirements around, it works as specified. As it is configured above, Apache effectively ignores the SSLVerifyClient none directive.
What's going on? Is this a bug?
Ok, it turns out that the answer to this question is in the documentation (as it usually is!):
In per-server context [the SSLVerifyClient directive] applies to the client authentication process used in the standard SSL handshake when a connection is established.
See Apache Docs - SSLVerifyClient
Basically the first SSLVerifyClient directive was in the per-server context. I made an explicit <Directory> declaration for the root directory and put the SSLVerifyClient require directive in there. This did the trick.
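Both per-directory cases on this page, the ca.crt exception above and the single-URL mTLS endpoint behind the Tomcat proxy, as one added example in Apache 2.4 syntax (not the posters' own configs); hostnames, certificate paths and the /var/www/pki directory are assumptions:

```apache
# Vhost 1 (the ca.crt question): certificates required everywhere except one
# path. "require" sits in a per-directory context, so a per-location "none"
# can relax it; a per-server "require" would be enforced in the handshake.
<VirtualHost *:443>
    ServerName pki.example.com                           # assumed name
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt      # placeholder paths
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /var/www/pki/ca.crt            # CA issuing client certs
    <Directory />
        SSLVerifyClient require
    </Directory>
    Alias /ca.crt /var/www/pki/ca.crt
    <Directory /var/www/pki>
        Require all granted
    </Directory>
    <Location /ca.crt>
        SSLVerifyClient none
    </Location>
</VirtualHost>

# Vhost 2 (the Tomcat proxy question): mTLS on one URL of webApp1 only. The
# initial handshake asks for no certificate; when a request for the protected
# Location arrives, mod_ssl renegotiates and demands one (TLS 1.3 has no
# renegotiation, so there this depends on post-handshake authentication
# support in both Apache and the client).
<VirtualHost *:443>
    ServerName myserver.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
    SSLCACertificateFile  /var/www/pki/ca.crt
    SSLVerifyClient none
    <Location /webApp1/test/mtlsEndpoint>
        SSLVerifyClient require
    </Location>
    SSLProxyEngine on            # required for ProxyPass to an https:// backend
    ProxyPass        /webApp1 https://localhost:1234/webApp1
    ProxyPassReverse /webApp1 https://localhost:1234/webApp1
    ProxyPass        /webApp2 https://localhost:1234/webApp2
    ProxyPassReverse /webApp2 https://localhost:1234/webApp2
</VirtualHost>
```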