We Keep Coding

SSLv3 not supported by this version of OpenSSL

I am running a Qualys PCI compliant tool and I see many fixes in the report, one of them tells me to update the file default-ssl.conf and set the line SSLProtocol -ALL +SSLv3 +TLSv1 as follows. The problem is that Apache does not start, the journalctl -xe command sends me this message : SSLv3 not supported by this version of OpenSSL.
The Apache version is : Apache/2.4.29 (Ubuntu).
The openssl version : OpenSSL 1.1.0g 2 Nov 2017
The Apache version is one of the latest so does the Openssl, any idea how to solve this issue?
Thanks,
jm

HTTP2, apache2, with certbot

I'm tring to set up HTTP2 with apache2, and certbot-auto, the fact is I have another working server with HTTP2+ Apache2 + with letsencrypt cert, HTTP2 is working perfectly on this server. I have this on both server :
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"
I tryed to regen both dhparams key with :
openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096
Restart apache, same problem , server 1 is working, server 2 no.
On ssllabs.com I have with chrome, FF, ... :
Server negotiated HTTP/2 with blacklisted suite
If I test with :
openssl s_client -host 127.0.0.1 -port 443
On the working server I have :
Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
On the not working server :
Server Temp Key: DH, 4096 bits
Cipher : DHE-RSA-AES128-GCM-SHA256
I know that it should be a ECDH key to work, but I don't know why it's not working as all server have exactly the same configuration !
I alway use : certbot-auto --apache -d mydomain.com to generate a cert, i work with HTTP2 on the first server, not on the second (error inadequate security, and fallback to http1.1)
Can you help me ? I want a working configuration with apache2 and SSL/HTTP2, I dont need very old browser compatibility. Or if you know a very good working tutorial to do that.
Apache 2.4.25 and open ssl 1.0.2k on both servers.

I just (re) emerged apache 2.4.25 with exactly the same compilations flags and it works now ! Maybe some cipher libs was compiled before newer openssl. I'm on gentoo.

Cannot configure Apache2 to disable SSLv3

I am trying to run a calendar server (Caldavd). I ran into trouble when I enabled SSL. I get the error:
"Unable to Connect Securely
Firefox cannot guarantee the safety of your data on localhost:8443 because it uses SSLv3, a broken security protocol."
I am running on Ubuntu 12.04, have created a self signed certificate, using openssl 1.0.2 (the latest, as far as I can tell), and have added the line
SSLProtocol All -SSLv2 -SSLv3
to my site configuration file.
I am a newbie to Apache, not a sysadmin. I understand why Firefox wants to disable SSLv3 but I don't know what else I need to do.

Verify that you have all the weak ciphers disabled. Since the server is internal use OpenSSL.
openssl s_client -connect localhost:8443 -cipher 'ALL:!RC4' -no_ssl2 -no_tls1_1 -no_tls1_2
If the connection is successful then you know the configurations worked.
How to disable weak ciphers in Apache: https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html

Enable TLSv1.2 in apache 2.2.22

I need to update apache 2.2.22 to support TLSv1.2. I have tried the below command but it is not working
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
But when I put this command it displays an error in windows event viewer
SSLProtocol: Illegal protocol 'TLSv1.2'

Support for TLSv1.1 and TLSv1.2 was added in httpd 2.2.23. You will need to upgrade httpd itself, and also have OpenSSL 1.0.1 available at build-time and at run-time.

TLS for Apache is provided by OpenSSL. If TLS 1.2 is supported in your installation depends on the installed OpenSSL version, see About TLS 1.2 support in openssl.
Judging from the changelog, you will need at least OpenSSL 1.0.1.

You can't do this. You need OpenSSL 1.0.1 at least, and the API of OpenSSL 1.0.1 is not compatible with Apache 2.2.22. You will need to upgrade Apache HTTPD.

openssl -connect returns wrong certificate

Here is my problem.
I have multiple domains hosted on one apache webserver. (Virtual Hosts)
Two of them (a.com and b.com) use ssl certificates.
I configured both with these commands:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/ABC.crt
SSLCertificateKeyFile /etc/apache2/ssl/ABC.key
SSLCertificateChainFile /etc/apache2/ssl/ABC.chain.crt
SSLProtocol all -SSLv2
When i try to connect via browser (chrome, Firefox, IE) it works fine and i get the right certificate.
But on android i got an exception: No peer certificate
Then i tried to test it with this command:
openssl s_client -connect b.com:443
It returns me the certificate of the a.com.
Any suggestions what I've done wrong that i get the wrong certificate with openssl and android?

There are probably multiple hosts on the same IP address and you need to use Server Name Indication (SNI) to access this site. To you SNI with openssl s_client use the -servername option, e.g. openssl s_client -connect b.com:443 -servername a.com. As for android: according to https://developer.android.com/training/articles/security-ssl.html SNI is supported since 2.3 for HttpsURLConnection but not for Apache HTTP Client.