Do you change SSLCipherSuite? Show us which one you have.

2017-02-10 9:29 GMT+01:00 Sven Crul <sven.c...@belmedis.be>:
> Hi,
>
> First of all, thanks. Like already said, I tried about everything :-(
> Nevertheless I tried all of them again ... without success.
>
> I cannot get the server to offer SSLv3 when TLS is enabled (any TLS).
> When I do ssl protocol SSLv3 then SSLv3 works, but from the moment I add
> TLS, SSLv3 no longer works.
>
> Sven
>
> From: Mitchell Krog Photography <mitchellk...@gmail.com>
> To: Christopher Schultz <ch...@christopherschultz.net>, users@httpd.apache.org
> Date: 10/02/2017 08:26
> Subject: Re: [users@httpd] apache 2.4.10 sslv3 not offering when tls is enabled
> ------------------------------
>
> Your SSL config for Apache 2.4.10 should be as follows
>
> <VirtualHost *:443>
>     ...
>     SSLEngine on
>     SSLCertificateFile /path/to/signed_certificate_followed_by_intermediate_certs
>     SSLCertificateKeyFile /path/to/private/key
>
>     # Uncomment the following directive when using client certificate authentication
>     #SSLCACertificateFile /path/to/ca_certs_for_client_authentication
>
>     # HSTS (mod_headers is required) (15768000 seconds = 6 months)
>     Header always set Strict-Transport-Security "max-age=15768000"
>     ...
> </VirtualHost>
>
> # intermediate configuration, tweak to your needs
> SSLProtocol all -SSLv3
> SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
> SSLHonorCipherOrder on
> SSLCompression off
>
> # OCSP Stapling, only in httpd 2.3.3 and later
> SSLUseStapling on
> SSLStaplingResponderTimeout 5
> SSLStaplingReturnResponderErrors off
> SSLStaplingCache shmcb:/var/run/ocsp(128000)
>
> Always check with
>
> https://mozilla.github.io/server-side-tls/ssl-config-generator/
>
> From: Christopher Schultz <ch...@christopherschultz.net>
> Reply: users@httpd.apache.org
> Date: 10 February 2017 at 12:15:30 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] apache 2.4.10 sslv3 not offering when tls is enabled
>
> Daniel,
>
> On 2/9/17 4:53 PM, Daniel wrote:
> > Try manually:
> >
> > SSLProtocol SSLv3 TLSv1 TLSv1.1 TLSv1.2
>
> And, please, for the love of god, add these, too:
>
> SSLHonorCipherOrder On
> SSLCipherSuite TLSv1.2:TLSv1.1:TLSv1:SSLv3
>
> This will cause "better" ciphers to be preferred over the lesser ones.
> Don't forget to eliminate the insecure ones like EXPORT, MD5, DES,
> RC4, etc.
>
> A typical cipher string I might use looks like this:
>
> SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:!RC4:ECDHE:ECDH:DHE:AES256-GCM-SHA384:AES128-GCM-SHA256:HIGH
>
> -chris
>
> > 2017-02-09 17:30 GMT+01:00 Sven Crul <sven.c...@belmedis.be>:
> >
> > Hi,
> >
> > I switched to Debian with Apache 2.4.10, where I need SSLv3 for
> > backwards compatibility with some OLD clients.
> >
> > I use openssl 1.0.1t (latest stable for Debian).
> >
> > With the setting "sslprotocol all" in ssl.conf, SSLv3 is not
> > offered.
> >
> > With the setting "sslprotocol sslv3" in ssl.conf it works, but
> > unfortunately without TLS (I need TLS also).
> >
> > I must be the only one who has this problem because I can't find
> > anything about it anywhere, and I tried about anything there is.
> >
> > sslprotocol all +sslv3 ... etc. Nothing works.
> >
> > Anybody has an idea?
> >
> > THX!!!!!
> >
> > Sven
> >
> > --
> > Daniel Ferradal
> > IT Specialist
> >
> > email dferradal at gmail.com
> > linkedin es.linkedin.com/in/danielferradal

--
Daniel Ferradal
IT Specialist

email dferradal at gmail.com
linkedin es.linkedin.com/in/danielferradal
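
Added example, not written by any of the posters: expanding the "typical cipher string" quoted above with Python's ssl module shows which suites an OpenSSL build actually selects, in priority order, and flags the classes the thread says to eliminate. The result reflects the OpenSSL that Python is linked against, so run it on the server being configured; the `WEAK` pattern and the function names are this example's own.

```python
import re
import ssl

# Weak classes named in the thread (EXPORT, MD5, DES, RC4) plus the anonymous
# and NULL suites that the quoted string excludes with !aNULL:!eNULL.
# "DES-CBC-" matches single DES only; 3DES is spelled DES-CBC3.
WEAK = re.compile(r"(^|-)(EXP|RC4|NULL)(-|$)|MD5|DES-CBC-|^(ADH|AECDH)-")

# Cipher string quoted in the thread, rejoined onto one line.
TYPICAL = ("!aNULL:!eNULL:!EXPORT:!DSS:!DES:!SSLv2:!RC4:ECDHE:ECDH:DHE:"
           "AES256-GCM-SHA384:AES128-GCM-SHA256:HIGH")


def expand(cipher_string):
    """Return [(name, protocol, bits)] in OpenSSL's priority order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [(c["name"], c["protocol"], c["strength_bits"])
            for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Return the TLS<=1.2 suites selected and the weak names among them."""
    # TLS 1.3 suites are configured separately from this string; skip them.
    legacy = [c for c in expand(cipher_string) if c[1] != "TLSv1.3"]
    weak = [name for name, _, _ in legacy if WEAK.search(name)]
    return legacy, weak


if __name__ == "__main__":
    legacy, weak = audit(TYPICAL)
    for name, proto, bits in legacy:
        flag = "WEAK" if name in weak else "ok"
        print(f"{flag:4} {proto:8} {bits:4} {name}")
    print(f"{len(weak)} weak of {len(legacy)} suites")
```

With SSLHonorCipherOrder on, the order printed here is the order in which the server prefers the suites.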