Supported ciphers and protocols depend on the OpenSSL version you are
using, which, if my eyes do not deceive me, you haven't mentioned.

Perhaps you should check that first before changing cipher/protocol
parameters in httpd.

"openssl ciphers -v 'ALL'" should do, if the OpenSSL version in your
path is the same one your httpd is using and was compiled with.

On Fri, 27 Nov 2020 at 16:35, Lentes, Bernd
(<[email protected]>) wrote:
>
> Dear all,
>
> In 20 years of administering Linux hosts I always successfully avoided
> changing the SSLCipherSuite, hoping the default from SUSE or Ubuntu would be
> fine and secure.
> But now I'm in the situation that I have to touch it for the first time, and
> I'm afraid of opening a big door because of a wrong configuration.
> I have an older piece of software (ServersAlive) which monitors our services.
> Among others it needs to check two Ubuntu 20.04 hosts, one with Apache 2.4.41.
> The software does not check the https URL and complains in the log "SSL 
> handshake failed".
> The webserver log says:
> [Fri Nov 27 16:00:05.526738 2020] [ssl:info] [pid 1330] [client 
> 146.107.25.174:61102] AH02008: SSL library error 1 in handshake (server 
> nc-mcd.helmholtz-muenchen.de:443)
> [Fri Nov 27 16:00:05.526784 2020] [ssl:info] [pid 1330] SSL Library Error: 
> error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported 
> protocol
>
> I think this is related to the SSL configuration of Apache and the fact that 
> the software is a bit outdated.
> I read http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite.
>
> SSLCipherSuite is currently:
>
> SSLCipherSuite HIGH:!aNULL
> That means that all ciphers using Triple-DES are allowed, without all ciphers 
> using no authentication. Right?
>
> SSLHonorCipherOrder off
> OK?
>
> SSLProtocol all -SSLv3
> That means all protocols are allowed but not SSLv3. Right?
>
> I changed it to SSLProtocol all +SSLv3 +TLSv1, but then Apache refused to
> restart, complaining SSLv3 is not supported by OpenSSL.
> I changed it to SSLProtocol all +TLSv1, but my software still says the host
> is down, resulting in the Apache log:
> [Fri Nov 27 16:28:15.143448 2020] [ssl:info] [pid 2703] [client 
> 146.107.25.174:61953] AH02008: SSL library error 1 in handshake (server 
> nc-mcd.helmholtz-muenchen.de:443)
> [Fri Nov 27 16:28:15.143500 2020] [ssl:info] [pid 2703] SSL Library Error: 
> error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported 
> protocol
> [Fri Nov 27 16:28:15.143524 2020] [ssl:info] [pid 2703] [client 
> 146.107.25.174:61953] AH01998: Connection closed to child 3 with abortive 
> shutdown (server nc-mcd.helmholtz-muenchen.de:443)
>
> What can I do?
>
> Bernd
>
> --
>
> Bernd Lentes
> Head of Systemadministration
> Institute for Metabolism and Cell Death (MCD)
> Building 25 - office 122
> HelmholtzZentrum München
> [email protected]
> phone: +49 89 3187 1241
> phone: +49 89 3187 3827
> fax: +49 89 3187 2294
> http://www.helmholtz-muenchen.de/mcd
> Helmholtz Zentrum München
>
> Helmholtz Zentrum Muenchen
> German Research Center for Environmental Health (GmbH)
> Ingolstaedter Landstr. 1
> 85764 Neuherberg
> www.helmholtz-muenchen.de
> Chair of the Supervisory Board: MinDir.in Prof. Dr. Veronika von Messling
> Management Board: Prof. Dr. med. Dr. h.c. Matthias Tschoep, Kerstin Guenther
> Registration court: Amtsgericht Muenchen HRB 6466
> VAT ID: DE 129521671
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Freenode
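An added example (not code from this thread or from the httpd project) that applies the diagnosis above to the ssl:info lines Bernd quoted: it pairs each AH02008 handshake failure with the OpenSSL reason logged by the same worker pid and reports, per client, whether the failure is "unsupported protocol" (the client offered a TLS version the server's OpenSSL build no longer speaks, which no SSLCipherSuite change can fix) or a reason that cipher configuration could affect. The sample log is constructed from the lines in the mail plus a second, made-up client address and error reason.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the ssl:info lines quoted in the thread;
# the 10.0.0.5 client and its "no shared cipher" reason are invented.
SAMPLE_LOG = """\
[Fri Nov 27 16:00:05.526738 2020] [ssl:info] [pid 1330] [client 146.107.25.174:61102] AH02008: SSL library error 1 in handshake (server nc-mcd.helmholtz-muenchen.de:443)
[Fri Nov 27 16:00:05.526784 2020] [ssl:info] [pid 1330] SSL Library Error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[Fri Nov 27 16:28:15.143448 2020] [ssl:info] [pid 2703] [client 146.107.25.174:61953] AH02008: SSL library error 1 in handshake (server nc-mcd.helmholtz-muenchen.de:443)
[Fri Nov 27 16:28:15.143500 2020] [ssl:info] [pid 2703] SSL Library Error: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
[Fri Nov 27 16:28:15.143524 2020] [ssl:info] [pid 2703] [client 146.107.25.174:61953] AH01998: Connection closed to child 3 with abortive shutdown (server nc-mcd.helmholtz-muenchen.de:443)
[Fri Nov 27 16:30:01.000000 2020] [ssl:info] [pid 2703] [client 10.0.0.5:40000] AH02008: SSL library error 1 in handshake (server nc-mcd.helmholtz-muenchen.de:443)
[Fri Nov 27 16:30:01.000100 2020] [ssl:info] [pid 2703] SSL Library Error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
"""

# AH02008 line: who failed the handshake. The lazy ip match also copes with
# bracketed IPv6 addresses such as [client [::1]:1234].
HANDSHAKE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:info\] \[pid (?P<pid>\d+)\] "
    r"\[client (?P<ip>.+?):(?P<port>\d+)\] AH02008: SSL library error"
)
# The following "SSL Library Error" line from the same worker carries the
# OpenSSL reason string (last colon-separated field).
LIBERR_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:info\] \[pid (?P<pid>\d+)\] SSL Library Error: "
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)


def summarize_handshake_failures(lines):
    """Return {client_ip: {reason: count}} by pairing each AH02008 line with the
    next SSL Library Error line logged by the same worker pid."""
    pending = {}                      # pid -> client ip awaiting its reason
    failures = defaultdict(Counter)
    for line in lines:
        m = HANDSHAKE_RE.match(line)
        if m:
            pending[m["pid"]] = m["ip"]
            continue
        m = LIBERR_RE.match(line)
        if m and m["pid"] in pending:
            failures[pending.pop(m["pid"])][m["reason"].strip()] += 1
    return {ip: dict(c) for ip, c in failures.items()}


def legacy_protocol_clients(summary):
    """Clients whose failures are all 'unsupported protocol': they need a TLS
    version the server's OpenSSL no longer offers, so SSLCipherSuite is not
    the knob to turn for them."""
    return sorted(ip for ip, reasons in summary.items()
                  if set(reasons) == {"unsupported protocol"})


if __name__ == "__main__":
    summary = summarize_handshake_failures(SAMPLE_LOG.splitlines())
    for ip, reasons in summary.items():
        print(ip, reasons)
    print("legacy-protocol clients:", legacy_protocol_clients(summary))
```

Run it against the real log with `summarize_handshake_failures(open("/var/log/apache2/error.log"))` (path assumed) to see which monitoring hosts fall into the legacy-protocol bucket before touching SSLProtocol.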
