Disabling TLS1.0 in mod_proxy - apache

We are using Apache HTTP Server 2.2.29 and JBoss 6.4.
We are using mod_proxy for communication between the web server and the JBoss application server.
We are planning to disable TLSv1.0 in the mod_proxy configuration. After disabling TLSv1.0, mod_proxy's SSL configuration looks like below:
SSLProxyEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ALL:HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile /app/certificates/star_rpmi.cer
SSLCertificateKeyFile /app/certificates/rpmi.key
SSLProxyMachineCertificateFile /app/jboss.keystore
SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1
However, once we disable TLSv1.0, the communication between mod_proxy and the JBoss application server fails.
In Apache's debug logs, we have found that the cipher suite being negotiated is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384.
This cipher suite has been added to the JBoss application server configuration file as well. However, the connection is still failing.
What could be the reason behind this?

Related

Unable to disable TLSv1/TLSv1.1 in Apache 2.4.18

A client has requested that I disable TLSv1 and TLSv1.1 on a web server. The server is running Apache 2.4.8 and OpenSSL 1.0.2g.
I have added the directive to /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol TLSv1.2
Restarting Apache2 and running tests on SSL Labs (and two other tools) shows that TLSv1 and 1.1 are still enabled. I have tried a lot of variations of the SSLProtocol directive, based on Googling around:
SSLProtocol -all +TLSv1.2
SSLProtocol +TLSv1.2 -TLSv1.1 -TLSv1
SSLProtocol +all -TLSv1.1 -TLSv1
None of them work. I have also tried adding the directive to /etc/apache2/apache2.conf. This also makes no difference.
I have no idea how to proceed. Any help appreciated!
Edit vhost/site.conf; for me it works:
<IfModule mod_ssl.c>
<VirtualHost *:443>
######################################################
# support old Android phones
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
# Force using custom cipher list
SSLHonorCipherOrder on
Define sslCiphers -ALL:!ADH:!aNULL:!EXP:!EXPORT40:!EXPORT56:!3DES:!eNULL:!NULL:!RC4:!DES:!MD5:!LOW
Define sslCiphers ${sslCiphers}:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
SSLCipherSuite ${sslCiphers}
</VirtualHost>
</IfModule>

Apache 2.4 SSL Config

I've got a question regarding SSL config for Apache 2.4. I have the following SSL settings for my vhost. There is more than one Directory, but the config is mostly the same; only the IPs are different. If I activate the three commented lines, Apache should check the requests against the cert and not just pass the request through, correct? I assume Apache breaks the encryption for all requests from the internet and re-encrypts again to pass the request on. Am I right? Is there a way to not break the encryption and just delegate the cert checks to the next system?
RequestHeader set ClientProtocol HTTPS
SSLEngine On
SSLProtocol ALL -SSLv2 -SSLv3
SSLProxyEngine On
SSLProxyProtocol ALL -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!MD5:!aNULL:!EDH
SSLCertificateFile /path/to/file.crt
SSLCertificateKeyFile /path/to/file.key
<Directory /folder-name>
#SSLVerifyClient optional_no_ca
#SSLVerifyDepth 1
#SSLOptions +OptRenegotiate +ExportCertData
ProxyPass https://10.20.30.40:8443/
ProxyPassReverse https://10.20.30.40:8443/
</Directory>
Thanks for your help guys and regards. Sebastian
Yes, this Apache acting as a proxy terminates SSL. It then makes or reuses a pooled SSL connection to the backend.
There's no way to truly let the backend think it's handshaking with the client unless it accessed apache as a forward proxy using the mod_proxy_connect module.
Some application servers accept the body of the client certificate in a proprietary header, making that identity available in the backend server. But they are not actually authenticating it in the handshake like the proxy/apache has done.

Poodle vulnerability need to change SSL 3.0 to TLS

I have implemented SSL (https) on my website, but when I checked the certificate it is showing the POODLE vulnerability. So it suggests that I need to change SSL 3.0 to TLS. I am using Apache 2.4. Please guide me on how I can change SSL 3.0 to TLS.
Put the following in the VirtualHost configuration section for your site:
SSLProtocol all -SSLv2 -SSLv3
It will disable SSLv2 & SSLv3, while keeping the others (TLS 1.0+) enabled.
Apache
To disable SSLv3 on your Apache server you can configure it using the following, both in the SSL configuration section and in all SSL-enabled virtual hosts explicitly:
SSLProtocol All -SSLv2 -SSLv3

How to change Apache 2.4 configuration from SSL support to TLS

I have Apache 2.4 installed on Windows Server 2008 R2 (not using IIS). I currently have SSL enabled with a 2048-bit cert.
How can I change Apache to switch from using SSL to using TLS?
Thank you
You can change the SSLProtocol directive in your httpd-ssl.conf file as below:
SSLProtocol all -SSLv3
More details can be found here
UPDATE
SSLEngine on
SSLProtocol all -SSLv3

Apache ProxyPass - Error during SSL Handshake with remote server

I'm using ProxyPass to redirect HTTP to an HTTPS backend server (Tomcat).
The error I'm getting is: Error during SSL Handshake with remote server
My configuration:
<VirtualHost *:80>
ServerName mypersonal.server.com
ProxyRequests Off
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
ProxyPass /publisher https://localhost:9443/publisher
ProxyPassReverse /publisher https://localhost:9443/publisher
</VirtualHost>
I'm trying to find a way to overcome the verification of SSL, but the following commands appear in grey in my config:
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
I'm using Server version: Apache/2.4.6 (CentOS).
I appreciate your assistance.
Late to the party here, but somebody might find this useful.
Check your SSLProxyProtocol directive. If, for security purposes, you have disabled the protocol that your backend is using, then the handshake will fail.
For example, I was using SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 but had to relax it to SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1 because my backend is still using TLS v1.1.
EDIT in 2023: I just saw this was upvoted recently. If you're still having problems, also check your values for SSLProxyCipherSuite (see apache docs and values recommended by Mozilla)
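As an added example (not code from any of the posts on this page): a small Python model of how mod_ssl interprets SSLProtocol / SSLProxyProtocol values, covering the cases that come up in the first question (the proxy side disabling TLSv1), the "Unable to disable TLSv1/TLSv1.1" question (a bare version name versus the +/- forms, and a <VirtualHost> value replacing the server-wide one) and this last answer (a proxy directive that leaves no version the backend speaks). The version lists that `all` expands to are assumptions standing in for particular OpenSSL builds, and the backend version sets are constructed for illustration.

```python
"""Evaluate Apache mod_ssl SSLProtocol / SSLProxyProtocol directive values.

Added example, not code from any of the posts above. It models the directive
semantics documented for mod_ssl: tokens are processed left to right, 'all' is a
shortcut for every version the OpenSSL build supports, '+name' adds a version,
'-name' removes one, and a bare name with no prefix replaces everything set so
far (Apache logs "overrides already set parameter(s)" when that happens). Which
versions 'all' stands for depends on the OpenSSL build, so the caller passes it.
"""

KNOWN_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
# Both lists are assumptions for illustration, not read from any real build.
MODERN_BUILD = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
OPENSSL_102_BUILD = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")  # no TLSv1.3 yet


def evaluate_protocol_directive(value, supported=MODERN_BUILD):
    """Return the set of versions an SSLProtocol/SSLProxyProtocol value enables."""
    by_lower = {v.lower(): v for v in KNOWN_VERSIONS}
    enabled = set()
    for token in value.split():
        prefix = ""
        if token[0] in "+-":
            prefix, token = token[0], token[1:]
        name = token.lower()
        if name == "all":
            versions = set(supported)
        elif name in by_lower:
            versions = {by_lower[name]}
        else:
            raise ValueError(f"unknown protocol name {token!r}")
        if prefix == "+":
            enabled |= versions
        elif prefix == "-":
            enabled -= versions
        else:
            enabled = versions  # bare name: replaces what came before, no merge
    # A version the build lacks can never be negotiated, whatever the directive says.
    return enabled & set(supported)


def effective_protocols(server_directive, vhost_directive=None, supported=MODERN_BUILD):
    """SSLProtocol inside a <VirtualHost> replaces the server-wide value.

    The two are not merged, which is why changing only ssl.conf can leave old
    versions enabled on a site whose vhost carries its own SSLProtocol line.
    """
    value = vhost_directive if vhost_directive is not None else server_directive
    return evaluate_protocol_directive(value, supported)


def negotiable_versions(proxy_directive, backend_versions, supported=MODERN_BUILD):
    """Versions both SSLProxyProtocol and the backend accept.

    An empty set means the proxy-to-backend handshake cannot succeed.
    """
    return evaluate_protocol_directive(proxy_directive, supported) & set(backend_versions)


if __name__ == "__main__":
    cases = [
        ("all -SSLv2 -SSLv3 -TLSv1", MODERN_BUILD),   # first question's SSLProxyProtocol
        ("TLSv1.2", MODERN_BUILD),                    # bare name: only TLSv1.2
        ("+all -TLSv1.1 -TLSv1", MODERN_BUILD),       # note: +all re-enables SSLv3
        ("all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2", OPENSSL_102_BUILD),  # nothing left
    ]
    for directive, build in cases:
        print(f"{directive!r:50} -> {sorted(evaluate_protocol_directive(directive, build))}")
    # Constructed backend that only speaks TLSv1.1, as in the last answer above.
    print(negotiable_versions("all -SSLv2 -SSLv3 -TLSv1", {"TLSv1.1"}, OPENSSL_102_BUILD))
```

Two things the model makes visible: `+all -TLSv1.1 -TLSv1` re-enables SSLv3 on a build that still has it, and `all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2` on an OpenSSL 1.0.2 build leaves an empty set, so every proxied handshake fails. The model only reads the directive; to confirm what a running server actually accepts, test each version from outside after the change, for example with `openssl s_client -connect host:443 -tls1`, which should be refused once TLSv1 is disabled.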