Unable to disable TLSv1/TLSv1.1 in Apache 2.4.18 - ssl

A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8 and OpenSSL 1.0.2g.
I have added the directive to /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol TLSv1.2
Restarting Apache2 and running a test on SSL Labs (and two other tools) shows that TLSv1 and 1.1 are still enabled. I have tried a lot of variations of the SSLProtocol directive, based on Googling around:
SSLProtocol -all +TLSv1.2
SSLProtocol +TLSv1.2 -TLSv1.1 -TLSv1
SSLProtocol +all -TLSv1.1 -TLSv1
None of them work. I have also tried adding the directive to /etc/apache2/apache2.conf. This also makes no difference.
I have no idea how to proceed. Any help appreciated!

Edit vhost/site.conf
For me it works:
<IfModule mod_ssl.c>
<VirtualHost *:443>
######################################################
# support old Android phones
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
# Force using custom cipher list
SSLHonorCipherOrder on
Define sslCiphers -ALL:!ADH:!aNULL:!EXP:!EXPORT40:!EXPORT56:!3DES:!eNULL:!NULL:!RC4:!DES:!MD5:!LOW
Define sslCiphers ${sslCiphers}:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
SSLCipherSuite ${sslCiphers}
# ... remaining vhost directives (SSLEngine, certificate files, DocumentRoot) ...
</VirtualHost>
</IfModule>
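Whatever the directive says, the authoritative check is a handshake per protocol version against the running server, which is what SSL Labs did for the asker. The script below is an added example and not part of the thread; it assumes a local `openssl` binary (the `-tls1_3` flag needs OpenSSL 1.1.1 or later) and takes host, port and SNI name as arguments. The SNI name decides which <VirtualHost> answers, so probe once with the site's ServerName and once with a name no vhost serves; if the second run still accepts TLSv1 or TLSv1.1, the directive is missing from the container that actually handles the connection (often `_default_:443`). Pointed at a backend such as `localhost 9443`, the same probe shows what an `SSLProxyProtocol` line must still allow.

```shell
#!/bin/sh
# Added example, not code from the thread: verify which TLS versions a
# running Apache actually negotiates instead of trusting the config file.
# Assumes a local `openssl` binary; host, port and SNI name are arguments.

# Read `openssl s_client` output on stdin and print the negotiated cipher,
# or "none" when no session was set up. A rejected version still produces
# an SSL-Session block, but with "Cipher    : 0000", so the cipher field
# is the signal to look at rather than the mere presence of the block.
negotiated_cipher() {
  c=$(sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1)
  case "$c" in
    ""|0000) echo none ;;
    *)       echo "$c" ;;
  esac
}

# probe_tls_versions HOST [PORT] [SNI_NAME]
# Prints one line per protocol flag: "<flag> accepted <cipher>" or
# "<flag> rejected". The SNI name selects the <VirtualHost> that answers;
# probe with the site's ServerName and with an unknown name to see whether
# another vhost (typically _default_:443) has looser settings.
probe_tls_versions() {
  host=$1
  port=${2:-443}
  sni=${3:-$host}
  for flag in tls1 tls1_1 tls1_2 tls1_3; do
    # s_client exits non-zero when the handshake fails. OpenSSL builds
    # older than 1.1.1 do not know -tls1_3 and fail the same way, which
    # this reports as "rejected"; read the stderr text if that matters.
    out=$(openssl s_client -connect "$host:$port" -servername "$sni" \
            "-$flag" </dev/null 2>&1) || true
    cipher=$(printf '%s\n' "$out" | negotiated_cipher)
    if [ "$cipher" = none ]; then
      echo "$flag rejected"
    else
      echo "$flag accepted $cipher"
    fi
  done
}

# Usage: ./probe.sh www.example.com 443 www.example.com   (hostname assumed)
if [ $# -gt 0 ]; then
  probe_tls_versions "$@"
fi
```

Run it before and after the restart; a line reading `tls1 accepted ...` after the change means the directive was not applied to the vhost that served the connection, not that OpenSSL ignored it.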

Related

Disabling TLS1.0 in mod_proxy

We are using apache http server 2.2.29 and jboss 6.4.
We are using Mod proxy for communication between web server and jboss application server.
We are planning to disable TLSv1.0 in mod proxy configuration. After disabling tlsv1.0, the mod_proxy's ssl configuration looks like below.
SSLProxyEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ALL:HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile /app/certificates/star_rpmi.cer
SSLCertificateKeyFile /app/certificates/rpmi.key
SSLProxyMachineCertificateFile /app/jboss.keystore
SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1
However, once we disable the tlsv1.0, the communication between mod proxy and jboss application server fails.
In Apache's debug logs, we have found that the cipher suite being negotiated is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
This cipher suite has been added in the JBoss application server configuration file as well. However, the connection is still failing.
What could be the reason behind this?

Apache 2.4 SSL Config

I've got a question regarding SSL config for Apache 2.4. I've got the following SSL settings for my vhost. There is more than one Directory but the config is mostly the same, only the IPs are different. If I activate the three commented lines, Apache should check the requests against the cert and not just pass the request through, correct? I assume Apache breaks the encryption for all requests from the internet and re-encrypts again to pass the request on. Am I right? Is there a way to not break the encryption and just delegate the cert checks to the next system?
RequestHeader set ClientProtocol HTTPS
SSLEngine On
SSLProtocol ALL -SSLv2 -SSLv3
SSLProxyEngine On
SSLProxyProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH
SSLCertificateFile /path/to/file.crt
SSLCertificateKeyFile /path/to/file.key
<Directory /folder-name>
#SSLVerifyClient optional_no_ca
#SSLVerifyDepth 1
#SSLOptions +OptRenegotiate +ExportCertData
ProxyPass https://10.20.30.40:8443/
ProxyPassReverse https://10.20.30.40:8443/
</Directory>
Thanks for your help guys and regards. Sebastian
Yes, this Apache acting as a proxy terminates SSL. It then makes or reuses a pooled SSL connection to the backend.
There's no way to truly let the backend think it's handshaking with the client unless it accessed apache as a forward proxy using the mod_proxy_connect module.
Some application servers accept the body of the client certificate in a proprietary header, making that identity available in the backend server. But they are not actually authenticating it in the handshake like the proxy/apache has done.

How to change Apache 2.4 configuration from SSL support to TLS

I have Apache 2.4 installed on Windows Server 2008 R2 (not using IIS). I currently have SSL enabled with a 2048-bit cert.
How can I change Apache to switch from using SSL to using TLS?
Thank you
You can change the SSLProtocol directive in your httpd-ssl.conf file as below:
SSLProtocol all -SSLv3
More details can be found here
UPDATE
SSLEngine on
SSLProtocol all -SSLv3

Please provide an Apache SSLCipherSuite that will pass a PCI Compliance Scan

I'm trying to get a Fedora 14 server running Apache 2.2.17 to pass a PCI-DSS compliance scan by McAfee ScanAlert. My first attempt using the default SSLCipherSuite and SSLProtocol directives set in ssl.conf...
SSLProtocol ALL -SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
failed, citing that weak ciphers were enabled. Scans with the ssllabs and serversniff tools revealed that 40- and 56-bit keys were indeed available.
I then changed to...
SSLProtocol -ALL +SSLv3 +TLSv1
and tried all of the following strings reported on various sites to pass PCI scans from assorted vendors...
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH
I am restarting apache after updates and apachectl configtest says that my syntax is ok. Subsequent ScanAlert scans have all failed and other scanning tools continue to show 40 and 56 bit ciphers available. I have tried adding SSLProtocol and SSLCipherSuite directly to the VirtualHost in httpd.conf and that has not helped.
It actually feels like something somewhere is overriding these settings but I cannot find anything anywhere that sets these values other than ssl.conf.
If someone could provide a known good SSLCipherSuite that has passed a recent PCI scan it would help a lot in tracking down my problem.
Thanks.
As new vulnerabilities are discovered and browsers are upgraded, the answers here can (will) become outdated. I'd suggest you rely on Mozilla SSL Configuration Generator to check which configuration you should use.
UPDATE 2018: It's reasonable to enforce Perfect Forward Secrecy now, unless you need to support older browsers specifically. As of November 2018, only the "modern" profile will enable Perfect Forward Secrecy. Read more about it at:
SSL Labs: Deploying Forward Secrecy
Configuring Apache, Nginx, and OpenSSL for Forward Secrecy
After hours of searching and hair pulling I found my problem.
The default SSLProtocol and SSLCipherSuite directives in my ssl.conf are stored in a default container labeled as <VirtualHost _default_:443>.
My actual site has its own container labeled with its IP address, e.g. <VirtualHost 64.34.119.12:443>. Changing the values in the _default_ container had no effect, but adding the stronger SSLProtocol and SSLCipherSuite directives directly to the site-specific VirtualHost container finally allowed them to take effect.
Still not sure why adjusting the _default_ container or having them in the VirtualHost container in httpd.conf didn't work.
As a definitive answer to the question, I used...
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH
to pass my ScanAlert scan. I would bet that most of the other strings above would work as well.
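Finding the container that actually applies is mostly a matter of listing every copy of the directive together with the <VirtualHost> it sits in, then checking with `apachectl -S` which vhost Apache binds to each address:port. The script below is an added example, not from this answer; it assumes the configuration lives in `*.conf` files under the root you pass (such as `/etc/httpd` or `/etc/apache2`), that an awk is available, and that `apachectl` is on the PATH (override with `APACHECTL`). It does not parse Include, so files under the root that Apache never loads also show up; `apachectl -S` settles which ones count. A directive present only in one container while `apachectl -S` reports a different vhost as the default for that port is exactly the symptom described above.

```shell
#!/bin/sh
# Added example, not from the thread: list every SSLProtocol / SSLCipherSuite
# / SSLProxyProtocol / SSLProxyCipherSuite directive under a config root,
# with the <VirtualHost> container it sits in, so a per-vhost copy that
# overrides (or fails to override) the _default_ one is visible at a glance.
# Assumes *.conf files under ROOT (e.g. /etc/httpd or /etc/apache2).

# ssl_directive_map ROOT
# Output: <file>:<line>  [<container>]  <directive as written>
ssl_directive_map() {
  root=$1
  find "$root" -type f -name '*.conf' | sort | while read -r f; do
    awk -v file="$f" '
      # Remember the enclosing <VirtualHost ...> until its closing tag.
      /^[ \t]*<VirtualHost/ {
        ctx = $0; sub(/^[ \t]*</, "", ctx); sub(/>.*$/, "", ctx)
      }
      /^[ \t]*<\/VirtualHost/ { ctx = "" }
      # Report the TLS-related directives with their location and context.
      /^[ \t]*SSL(Protocol|CipherSuite|ProxyProtocol|ProxyCipherSuite)[ \t]/ {
        d = $0; sub(/^[ \t]+/, "", d)
        printf "%s:%d  [%s]  %s\n", file, NR, (ctx == "" ? "global" : ctx), d
      }' "$f"
  done
}

# Show which vhost answers each address:port and which one is the default
# (the one that also serves connections whose SNI matches no ServerName).
vhost_map() {
  "${APACHECTL:-apachectl}" -S 2>&1
}

# Usage: ./sslmap.sh /etc/httpd
if [ $# -gt 0 ]; then
  ssl_directive_map "$1"
  vhost_map
fi
```

Every SSL vhost that `apachectl -S` lists for a port should show its own `SSLProtocol` line in this output, or inherit one from the `global` context; a port whose default vhost has none will answer with the compiled-in defaults regardless of what the named vhost says.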
Did you tell Apache to enforce cipher order?
SSLHonorCipherOrder on
FYI - I found that this setting:
SSLCipherSuite HIGH:!SSLv2:!ADH
Produced the exact same list of protocols as this setting:
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH
According to:
openssl ciphers -v 'ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH'
openssl ciphers -v 'HIGH:!SSLv2:!ADH'
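The two strings give the same list because the expanded `openssl ciphers` output is the ground truth, not the string syntax. The `-v` column also answers the earlier JBoss question's implicit point: the suite it logged, `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384` (OpenSSL name `ECDHE-RSA-AES256-SHA384`), is listed as TLSv1.2, so it can only be negotiated when TLSv1.2 is allowed on both sides. The script below is an added example, not from the thread: the three parser functions take `openssl ciphers -v` output on stdin (the sample fed to them is constructed), and the two wrappers assume a local `openssl` binary. The diff sorts both lists, so it compares membership and ignores the order that `SSLHonorCipherOrder on` would enforce.

```shell
#!/bin/sh
# Added example, not from the thread: expand OpenSSL cipher strings, group
# the suites by the protocol version each one requires, and diff two strings
# by their expanded suite sets. Parsers read `openssl ciphers -v` output on
# stdin; the wrappers assume a local `openssl` binary.

# stdin: `openssl ciphers -v` lines. Column 1 is the suite name, column 2
# the minimum protocol version it needs (SSLv3 here means any TLS 1.x as
# well). Prints "<protocol> <suite>" per line.
suites_with_protocol() {
  awk 'NF >= 2 { print $2, $1 }'
}

# stdin: `openssl ciphers -v` lines. Prints only suites that need PROTO,
# e.g. `suites_requiring TLSv1.2` lists the GCM/SHA256/SHA384 suites that
# disappear entirely once TLSv1.2 is disabled.
suites_requiring() {
  awk -v want="$1" 'NF >= 2 && $2 == want { print $1 }'
}

# stdin: `openssl ciphers -v` lines. Prints "<protocol> <count>" per version.
protocol_summary() {
  awk 'NF >= 2 { n[$2]++ } END { for (p in n) print p, n[p] }' | sort
}

# cipher_string_report 'STRING': per-protocol suite counts for one string.
cipher_string_report() {
  openssl ciphers -v "$1" | protocol_summary
}

# cipher_string_diff 'A' 'B': suites only in A (column 1) or only in B
# (column 2); empty output means both strings expand to the same set.
cipher_string_diff() {
  t1=$(mktemp) && t2=$(mktemp) || return 1
  openssl ciphers "$1" | tr ':' '\n' | sort > "$t1"
  openssl ciphers "$2" | tr ':' '\n' | sort > "$t2"
  comm -3 "$t1" "$t2"
  rm -f "$t1" "$t2"
}

# Usage: ./ciphers.sh 'HIGH:!SSLv2:!ADH' \
#            'ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH'
if [ $# -eq 2 ]; then
  cipher_string_diff "$1" "$2"
elif [ $# -eq 1 ]; then
  cipher_string_report "$1"
fi
```

Because `openssl ciphers` evaluates the string with the library Apache is linked against, run it on the server itself; a string that expands cleanly on a newer workstation OpenSSL can still fail or differ on the 1.0.x build a scanner is actually talking to.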
The following configuration is recommended by Qualys; it gave us an A on their scanner:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
Yes, also make sure Apache is able to read the new configuration. I place this directly inside the virtual host container.
From their website: https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
Look here Mozilla Wiki.
The goal of this document is to help operational teams with the configuration of TLS on servers.

Apache ProxyPass - Error during SSL Handshake with remote server

I'm using ProxyPass to redirect HTTP to an HTTPS backend server (Tomcat).
The error I'm getting is: Error during SSL Handshake with remote server
My Configuration :
<VirtualHost *:80>
ServerName mypersonal.server.com
ProxyRequests Off
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass /publisher https://localhost:9443/publisher
ProxyPassReverse /publisher https://localhost:9443/publisher
</VirtualHost>
I'm trying to find a way to overcome the SSL verification, but the following directives appear in grey in my config:
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
I'm using Server version: Apache/2.4.6 (CentOS)
Appreciate your assistance
Late to the party here, but somebody might find this useful.
Check your SSLProxyProtocol directive. If, for security purposes, you have disabled the protocol that your backend is using, then the handshake will fail.
For example, I was using SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 but had to relax it to SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1 because my backend is still using TLS v1.1.
EDIT in 2023: I just saw this was upvoted recently. If you're still having problems, also check your values for SSLProxyCipherSuite (see apache docs and values recommended by Mozilla)