I'm confronted with a problem with https requests. The problem is that I'm configuring an nginx server to accept https requests from applications on Windows computers, but they fail to connect to the server. The following is some information from Wireshark:
Windows application request:
Response from server1:
Yet another server2 response:
The nginx version on the server is 1.12.2 and the openssl version is 1.0.1f. The nginx configuration is as below:
ssl_certificate /etc/nginx/cert/cert.pem;
ssl_certificate_key /etc/nginx/cert/cert.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
Information about server1 from https://www.ssllabs.com/ssltest/analyze.html:
Since I could not find any of the client's cipher suites, like "TLS_RSA_WITH_3DES_EDE_CBC_SHA", for TLSv1.0 on the server, I wonder if it's the difference between languages or software that makes the problem happen.
By the way, I have no information about server2 other than the request URL, and my goal is to deploy server1 to accept requests from Windows clients.
Could anyone give some advice to solve the problem or provide some clues? Thanks very much!
I finally found out the reason for the problem. The problem occurred because nginx 1.12.2 does not support weak SSL ciphers by default, and the client application, which is built on different versions of Windows OS like XP, provides limited cipher suites such as TLS_RSA_WITH_3DES_EDE_CBC_SHA and TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA. These cipher suites are weak in security. The same problem occurred in the IE8 browser. IE8 is sometimes not able to visit newer websites.
My solution is to recompile nginx with some extra parameters:
install dependency
sudo apt-get install build-essential libpcre3 libpcre3-dev zlib1g-dev unzip git
download nginx
wget -c https://nginx.org/download/nginx-1.12.2.tar.gz
tar zxf nginx-1.12.2.tar.gz
check openssl version
dpkg -s openssl
check openssl support for 3DES
openssl ciphers -v "3DES"
download openssl source code (openssl >= 1.1.0 doesn't support 3DES by default)
wget -O openssl.zip -c https://github.com/openssl/openssl/archive/OpenSSL_1_0_1f.zip
unzip openssl.zip
mv openssl-OpenSSL_1_0_1f/ openssl
compile and install nginx
cd nginx-1.12.2
./configure --with-openssl=../openssl --with-http_ssl_module --with-openssl-opt='enable-weak-ssl-ciphers'
make
sudo make install
With some ssl configuration, the server is able to support https requests with 3DES cipher suites.
Thanks!
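The mismatch described above can be checked without a packet capture. This added example (not code from the original posts) expands the question's ssl_ciphers string with whatever OpenSSL the local Python is linked against and intersects it, by IANA code point, with the two suites the answer names for the legacy client; the function names are illustrative and the outcome depends on how the local OpenSSL was built.

```python
import ssl

# ssl_ciphers value from the nginx configuration in the question.
NGINX_CIPHERS = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:"
                 "!NULL:!aNULL:!MD5:!ADH:!RC4")

# IANA code points of the suites the answer names for the legacy client.
LEGACY_CLIENT_OFFER = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
}


def server_suites(cipher_string):
    """Expand an OpenSSL cipher string; return {code_point: openssl_name}."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # OpenSSL ids look like 0x0300C02F; the low 16 bits are the IANA value.
    return {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}


def shared_suites(cipher_string, client_offer):
    """Suites both sides list. An empty result means no handshake is possible;
    a non-empty one is necessary, not sufficient (protocol version and the
    certificate's key type must match too)."""
    server = server_suites(cipher_string)
    return {client_offer[cp]: server[cp] for cp in client_offer if cp in server}


def diagnose(cipher_string, client_offer):
    shared = shared_suites(cipher_string, client_offer)
    if not shared:
        return "no common cipher suite: expect a handshake_failure alert"
    return "negotiable: " + ", ".join(sorted(shared.values()))


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    print("legacy client:", diagnose(NGINX_CIPHERS, LEGACY_CLIENT_OFFER))
    # For contrast, a modern client offering the first suite in the string.
    modern = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
    print("modern client:", diagnose(NGINX_CIPHERS, modern))
```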
Related
I'm hosting at Digital Ocean with Ubuntu 18.04, Nginx version 1.17.6, OpenSSL version 1.1.1. I believe those satisfy the requirements for TLS 1.3.
In my /etc/nginx/nginx.conf file I added TLSv1.3 like so:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
I have not changed anything in /etc/nginx/sites-available/website.com .
When I test my site in SSL Labs and elsewhere, TLSv1.3 is not working. It's still using TLSv1.2.
I checked nginx -V, and --with-openSSL argument is not listed. Not sure if I have to rebuild my nginx with that flag.
Any pointers would be appreciated
UPDATE:
I rebuilt Nginx from source with OpenSSL 1.1.1. Still not working.
Found the solution after much digging. I had to update /etc/letsencrypt/options-ssl-nginx.conf and add ssl protocols TLSv1.3 there, as well as add to ssl_ciphers TLS 1.3 ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:
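The fix above came down to a second ssl_protocols directive sitting in an included file. This added example (not from the original post) parses the text printed by `nginx -T` and lists every live ssl_protocols directive with its source file, flagging those that omit a wanted protocol; the sample dump is constructed and the function names are illustrative.

```python
import re

# Constructed sample of `nginx -T` output; each file starts with a header line.
SAMPLE_DUMP = """\
# configuration file /etc/nginx/nginx.conf:
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    include /etc/nginx/sites-enabled/*;
}

# configuration file /etc/nginx/sites-enabled/website.com:
server {
    listen 443 ssl;
    # ssl_protocols TLSv1.3;   (commented out, must be ignored)
    include /etc/letsencrypt/options-ssl-nginx.conf;
}

# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
"""

FILE_RE = re.compile(r"^# configuration file (\S+):\s*$")
PROTO_RE = re.compile(r"^\s*ssl_protocols\s+([^;#]+);")


def find_ssl_protocols(dump):
    """Return [(file, line_no_in_file, [protocols])] for each live directive."""
    found, current, line_no = [], None, 0
    for line in dump.splitlines():
        header = FILE_RE.match(line)
        if header:
            current, line_no = header.group(1), 0
            continue
        line_no += 1
        m = PROTO_RE.match(line)
        if m:
            found.append((current, line_no, m.group(1).split()))
    return found


def missing_protocol(dump, wanted="TLSv1.3"):
    """Files whose ssl_protocols directive leaves out the wanted protocol."""
    return [(f, n) for f, n, protos in find_ssl_protocols(dump)
            if wanted not in protos]


if __name__ == "__main__":
    print(find_ssl_protocols(SAMPLE_DUMP))
    print("omit TLSv1.3:", missing_protocol(SAMPLE_DUMP))
```

On a real host the input would be the captured output of `nginx -T` instead of SAMPLE_DUMP.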
I'm trying to set up HTTP2 with apache2 and certbot-auto. The fact is I have another working server with HTTP2 + Apache2 + a letsencrypt cert, and HTTP2 is working perfectly on this server. I have this on both servers:
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
I tried to regen both dhparams keys with:
openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096
Restarted apache, same problem: server 1 is working, server 2 is not.
On ssllabs.com I have with chrome, FF, ... :
Server negotiated HTTP/2 with blacklisted suite
If I test with :
openssl s_client -host 127.0.0.1 -port 443
On the working server I have :
Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
On the not working server :
Server Temp Key: DH, 4096 bits
Cipher : DHE-RSA-AES128-GCM-SHA256
I know that it should be an ECDH key to work, but I don't know why it's not working, as all servers have exactly the same configuration!
I always use certbot-auto --apache -d mydomain.com to generate a cert. I work with HTTP2 on the first server, not on the second (error inadequate security, and fallback to http1.1).
Can you help me? I want a working configuration with apache2 and SSL/HTTP2; I don't need very old browser compatibility. Or if you know a very good working tutorial to do that.
Apache 2.4.25 and open ssl 1.0.2k on both servers.
I just (re)emerged apache 2.4.25 with exactly the same compilation flags and it works now! Maybe some cipher libs were compiled before the newer openssl. I'm on gentoo.
I am trying to run a calendar server (Caldavd). I ran into trouble when I enabled SSL. I get the error:
"Unable to Connect Securely
Firefox cannot guarantee the safety of your data on localhost:8443 because it uses SSLv3, a broken security protocol."
I am running on Ubuntu 12.04, have created a self signed certificate, using openssl 1.0.2 (the latest, as far as I can tell), and have added the line
SSLProtocol All -SSLv2 -SSLv3
to my site configuration file.
I am a newbie to Apache, not a sysadmin. I understand why Firefox wants to disable SSLv3 but I don't know what else I need to do.
Verify that you have all the weak ciphers disabled. Since the server is internal, use OpenSSL.
openssl s_client -connect localhost:8443 -cipher 'ALL:!RC4' -no_ssl2 -no_tls1_1 -no_tls1_2
If the connection is successful then you know the configurations worked.
How to disable weak ciphers in Apache: https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html
I need to update apache 2.2.22 to support TLSv1.2. I have tried the below command but it is not working
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
But when I put this command it displays an error in windows event viewer
SSLProtocol: Illegal protocol 'TLSv1.2'
Support for TLSv1.1 and TLSv1.2 was added in httpd 2.2.23. You will need to upgrade httpd itself, and also have OpenSSL 1.0.1 available at build-time and at run-time.
TLS for Apache is provided by OpenSSL. Whether TLS 1.2 is supported in your installation depends on the installed OpenSSL version; see About TLS 1.2 support in openssl.
Judging from the changelog, you will need at least OpenSSL 1.0.1.
You can't do this. You need OpenSSL 1.0.1 at least, and the API of OpenSSL 1.0.1 is not compatible with Apache 2.2.22. You will need to upgrade Apache HTTPD.
I am running Django 1.7 with gunicorn. I am able to use https using gunicorn by passing certificate and key file as parameter.
When I validate my server by geotrust ssl tools, it says everything is fine except -
This server may be vulnerable: SSLv3 is enabled
Disable SSLv3 and use TLS 1.0 or higher.
I am new to this and not able to understand how to do this. Is this related to the machine or is this related to gunicorn?
gunicorn --ssl-version TLSv1_2 -b 0.0.0.0:8000 project:app
This should enable TLSv1.2 on port 8000. You can also check if TLSv1 is still active by running the command below. If the connection is established, then the target uses TLSv1:
openssl s_client -connect hostname:port -tls1
You can also check for tlsv1.2:
openssl s_client -connect hostname:port -tls1_2
Replying to an old thread here, in order to disable anything but TLSv1.2+ and weak ciphers, allowing the server to pass SSLLabs tests.
The Gunicorn option --ssl-version allows setting the minimal SSL version to use.
The Gunicorn option --ciphers allows enabling / disabling cipher sets or specific ciphers.
Both options accept OpenSSL standard directives.
Good cipher lists can be found on cipherli.st
As of April 2021, in order to have a secure SSL connection according to SSLLabs, I did the following:
/usr/bin/gunicorn --ssl-version=TLSv1_2 --ciphers='DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:!SEED:!aDSS:!SRP:!PSK' --certfile=/etc/pki/tls/certs/mycert.crt --keyfile=/etc/pki/tls/private/mykey.key
Warning: The single quotes need to be removed if the command line is to be put in a systemd unit file.
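Gunicorn's TLS is provided by Python's ssl module, so the effect of the --ciphers string above can be inspected before deploying. This added example (not part of the original answer) builds a server context with the same TLS 1.2 floor and cipher string, then reports any suite from the excluded families that the local OpenSSL still enables, plus the suites left without forward secrecy; the helper names and the marker list are assumptions made for the illustration.

```python
import ssl

# Cipher string passed to gunicorn --ciphers in the answer above.
GUNICORN_CIPHERS = ("DEFAULT:!aNULL:!eNULL:!MD5:!3DES:!DES:!RC4:!IDEA:"
                    "!SEED:!aDSS:!SRP:!PSK")

# Substrings of OpenSSL suite names for the families the string excludes
# (assumed mapping: ADH/AECDH are the anonymous suites removed by !aNULL).
WEAK_MARKERS = ("NULL", "MD5", "DES", "RC4", "IDEA", "SEED", "DSS",
                "SRP", "PSK", "ADH", "AECDH")


def build_context(cipher_string, min_version=ssl.TLSVersion.TLSv1_2):
    """Server-side context with the same protocol floor and cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    ctx.set_ciphers(cipher_string)   # raises ssl.SSLError if nothing matches
    return ctx


def audit(ctx):
    """Return (excluded-family suites still enabled, suites without FS)."""
    names = [c["name"] for c in ctx.get_ciphers()]
    weak = [n for n in names if any(m in n for m in WEAK_MARKERS)]
    # TLS 1.3 names start with TLS_; older forward-secret suites start with
    # ECDHE- or DHE-. Anything else uses static RSA key exchange.
    no_fs = [n for n in names if not n.startswith(("TLS_", "ECDHE-", "DHE-"))]
    return weak, no_fs


if __name__ == "__main__":
    context = build_context(GUNICORN_CIPHERS)
    weak, no_fs = audit(context)
    print(ssl.OPENSSL_VERSION, "| floor:", context.minimum_version.name)
    print("excluded families still enabled:", weak or "none")
    print("suites without forward secrecy:", no_fs or "none")
```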