• SSLProtocol: Illegal protocol '"TLSv1.1"'

    From aneesh.tm@gmail.com@21:1/5 to All on Fri Oct 13 03:17:22 2017
    Hi Team,


    We have Red Hat 7.3 / Apache 2.2.29 / OpenSSL 1.0.1e-fips 11 Feb 2013

    I have to remediate the vulnerability "SSL/TLS Server supports TLSv1.0".

    I tried to add the line "SSLProtocol All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2" in httpd.conf and restarted Apache, and it throws the error below: "SSLProtocol: Illegal protocol '"TLSv1.1"'"

    Then to remediate that I tried to install the mod_ssl package. But it is asking me to install dependencies like httpd-2.4.6.

    Package       Arch     Version           Repository  Size
    ======================================================================
    Installing:
     mod_ssl      x86_64   1:2.4.6-40.el7
    Installing for dependencies:
     apr          x86_64   1.4.8-3.el7
     apr-util     x86_64   1.5.2-6.el7
     httpd        x86_64   2.4.6-40.el7
     httpd-tools  x86_64   2.4.6-40.el7



    Now I am worried whether to install these dependencies or not. Will they affect my running httpd instances? Is there any other way to remediate this vulnerability?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From I R A Darth Aggie@21:1/5 to f2c0340f-9239-4aa8-8470-3fb71ca32fa on Fri Oct 13 19:35:48 2017
    On Fri, 13 Oct 2017 03:17:22 -0700 (PDT),
    aneesh.tm@gmail.com <aneesh.tm@gmail.com>, in <f2c0340f-9239-4aa8-8470-3fb71ca32fa7@googlegroups.com> wrote:

    > I tried to add the line "SSLProtocol All -SSLv2 -SSLv3 -TLSv1
    > +TLSv1.1 +TLSv1.2" in httpd.conf and restarted Apache, it throws
    > the error below: "SSLProtocol: Illegal protocol '"TLSv1.1"'"

    Shouldn't that be "-all" instead of "all"? If my memory serves, that
    means you will accept *all* protocols, then the rest of the stanza
    doesn't matter since the rules apply left to right.

    > Now I am worried whether to install these dependencies or not. Will
    > they affect my running httpd instances? Is there any other way to
    > remediate this vulnerability?

    That will require a restart of your http/s service. Given that this is
    a stateless transaction, this shouldn't be a huge issue. Otherwise,
    you're running a potentially vulnerable service listening to the
    internet.

    If you're worried about compatibility with your current configuration,
    you may want to run the update against a spare server, or a virtual
    machine with the same software and configuration.

    --
    Consulting Minister for Consultants, DNRC
    I can please only one person per day. Today is not your day. Tomorrow
    isn't looking good, either.
    I am BOFH. Resistance is futile. Your network will be assimilated.

  • From aneesh.tm@gmail.com@21:1/5 to anee...@gmail.com on Sat Oct 14 10:40:50 2017
    On Friday, October 13, 2017 at 3:47:22 PM UTC+5:30, anee...@gmail.com wrote:
    > Hi Team,
    >
    >
    > We have Red Hat 7.3 / Apache 2.2.29 / OpenSSL 1.0.1e-fips 11 Feb 2013
    >
    > I have to remediate the vulnerability "SSL/TLS Server supports TLSv1.0".
    >
    > I tried to add the line "SSLProtocol All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2" in httpd.conf and restarted Apache, and it throws the error below: "SSLProtocol: Illegal protocol '"TLSv1.1"'"
    >
    > Then to remediate that I tried to install the mod_ssl package. But it is asking me to install dependencies like httpd-2.4.6.
    >
    > Package       Arch     Version           Repository  Size
    > ======================================================================
    > Installing:
    >  mod_ssl      x86_64   1:2.4.6-40.el7
    > Installing for dependencies:
    >  apr          x86_64   1.4.8-3.el7
    >  apr-util     x86_64   1.5.2-6.el7
    >  httpd        x86_64   2.4.6-40.el7
    >  httpd-tools  x86_64   2.4.6-40.el7
    >
    >
    >
    > Now I am worried whether to install these dependencies or not. Will they affect my running httpd instances? Is there any other way to remediate this vulnerability?

    Hello Darth Aggie,

    I tried different combinations like below.

    SSLProtocol all -SSLv2 -TLSv1 -- it works fine

    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -- it didn't work

    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2 -- it didn't work

    SSLProtocol -All +TLSv1.1 -- It didn't work


    I also tried installing the mod_ssl package from Red Hat using rpm -ivh mod_ssl* --nodeps. Still I am getting the same error.

  • From I R A Darth Aggie@21:1/5 to 11989b07-2758-478d-9586-75d22fa6192 on Sat Oct 14 21:47:37 2017
    On Sat, 14 Oct 2017 10:40:50 -0700 (PDT),
    aneesh.tm@gmail.com <aneesh.tm@gmail.com>, in <11989b07-2758-478d-9586-75d22fa61925@googlegroups.com> wrote:

    > SSLProtocol all -SSLv2 -TLSv1 -- it works fine
    >
    > SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -- it didn't work
    >
    > SSLProtocol All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2 -- it didn't work
    >
    > SSLProtocol -All +TLSv1.1 -- It didn't work

    Well, upon further review, all is correct. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol

    Available protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2, and all

    all == +SSLv3 +TLSv1 (OpenSSL < v1.0.1)
    all == +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

    If compiled with a "no-ssl3" option, then all does not include +SSLv3

    > I also tried installing the mod_ssl package from Red Hat using rpm -ivh
    > mod_ssl* --nodeps. Still I am getting the same error.

    What is your version of OpenSSL? The package name might be libssl. That is
    probably the sticking point. What happens if you change SSLProtocol to

    SSLProtocol +TLSv1.1 +TLSv1.2

    ??? That works for me, but I'm running Debian with apache 2.4.27. I
    don't see why one would need "all" if you specify the secure
    TLSv1.(1|2) variants. My available SSL libraries are 1.1.0 and 1.0.2

    --
    Consulting Minister for Consultants, DNRC
    I can please only one person per day. Today is not your day. Tomorrow
    isn't looking good, either.
    I am BOFH. Resistance is futile. Your network will be assimilated.

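    The SSLProtocol semantics Darth Aggie describes in the two replies above (tokens applied left to right, "all" standing for whatever protocol versions the linked OpenSSL knows) can be checked on paper before touching a running server. The Python below is an added example written for this page; it is not mod_ssl's code and not something either poster ran. It models directive evaluation after the documentation linked above and runs the four lines Aneesh tried plus the one suggested in reply. Its assumptions are labelled in the comments: the OpenSSL 1.0.1 threshold for TLSv1.1/TLSv1.2 and the no-ssl3 build option come from the documentation text quoted in the thread, and treating a TLSv1.1/TLSv1.2 word as the thread's "Illegal protocol" error when the library predates 1.0.1 is the model's simplification. The thread itself never establishes why Aneesh's Apache 2.2.29 build rejects the token.

```python
"""Model of how an SSLProtocol line is evaluated, written for this page after
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol (added example;
not mod_ssl's code). Tokens apply left to right: a bare name replaces the set,
'+' adds, '-' removes, and 'all' expands to what the linked OpenSSL knows."""
import re

# Protocol names mod_ssl accepts; matched case-insensitively, so "All" == "all".
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
# Versions the scanner in the thread would still flag if left enabled.
LEGACY = {"SSLv2", "SSLv3", "TLSv1"}


def parse_openssl_version(banner):
    """'OpenSSL 1.0.1e-fips 11 Feb 2013' -> (1, 0, 1); the letter suffix is ignored."""
    m = re.match(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"unrecognised openssl version banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def expand_all(openssl_version, no_ssl3=False):
    """What the keyword 'all' stands for, per the documentation quoted in the thread:
    +SSLv3 +TLSv1 before OpenSSL 1.0.1, plus TLSv1.1/1.2 from 1.0.1 on, minus SSLv3
    when the library was built with the no-ssl3 option."""
    protos = {"SSLv3", "TLSv1"}
    if openssl_version >= (1, 0, 1):
        protos |= {"TLSv1.1", "TLSv1.2"}
    if no_ssl3:
        protos.discard("SSLv3")
    return protos


def evaluate_sslprotocol(directive, openssl_version, no_ssl3=False):
    """Return the set of protocol versions the directive leaves enabled, or raise
    ValueError with mod_ssl's wording for a word it would reject."""
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]          # accept a full config line or just the value
    canonical = {p.lower(): p for p in PROTOCOLS}
    enabled = set()
    for tok in tokens:
        action = ""
        if tok[0] in "+-":
            action, tok = tok[0], tok[1:]
        name = tok.lower()
        if name == "all":
            this = expand_all(openssl_version, no_ssl3)
        elif name in canonical:
            # Assumption of this model: a mod_ssl built against OpenSSL < 1.0.1 does
            # not know the words TLSv1.1/TLSv1.2, which yields the thread's error.
            if name in ("tlsv1.1", "tlsv1.2") and openssl_version < (1, 0, 1):
                raise ValueError(f"SSLProtocol: Illegal protocol '{tok}'")
            this = {canonical[name]}
        else:
            raise ValueError(f"SSLProtocol: Illegal protocol '{tok}'")
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:                        # bare word: replaces whatever came before it
            enabled = set(this)
    return enabled


def review(directive, openssl_banner, no_ssl3=False):
    """Verdict for one candidate line: the enabled set and any legacy version that
    survives, or the error mod_ssl would print instead of starting."""
    version = parse_openssl_version(openssl_banner)
    try:
        enabled = evaluate_sslprotocol(directive, version, no_ssl3)
    except ValueError as exc:
        return {"directive": directive, "error": str(exc)}
    return {"directive": directive,
            "enabled": sorted(enabled),
            "legacy_left": sorted(enabled & LEGACY)}


if __name__ == "__main__":
    # The four lines tried in the thread, plus the one suggested in reply.
    candidates = [
        "SSLProtocol all -SSLv2 -TLSv1",
        "SSLProtocol all -SSLv2 -SSLv3 -TLSv1",
        "SSLProtocol All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2",
        "SSLProtocol -All +TLSv1.1",
        "SSLProtocol +TLSv1.1 +TLSv1.2",
    ]
    # Banner from the thread, and a constructed pre-1.0.1 banner for contrast.
    for banner in ("OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.0 29 Mar 2010"):
        print(f"== {banner}")
        for line in candidates:
            print(review(line, banner))
```

    Two things the output makes visible. First, "all -SSLv2 -TLSv1", the only line that loaded for Aneesh, still leaves SSLv3 enabled unless the library was built with no-ssl3, so "it works fine" is not the same as the scan finding being remediated. Second, against a pre-1.0.1 OpenSSL the same lines either trigger the Illegal protocol error or evaluate to an empty protocol set. Which of those applies depends on the OpenSSL headers the mod_ssl binary was compiled against, not only on the library installed on the box, so the check worth making is to compare the output of openssl version with the OpenSSL that mod_ssl reports in error_log when httpd starts.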
  • From aneesh.tm@gmail.com@21:1/5 to I R A Darth Aggie on Sun Oct 15 07:30:57 2017
    On Sunday, October 15, 2017 at 3:17:38 AM UTC+5:30, I R A Darth Aggie wrote:
    > On Sat, 14 Oct 2017 10:40:50 -0700 (PDT),
    > aneesh.tm@gmail.com <aneesh.tm@gmail.com>, in <11989b07-2758-478d-9586-75d22fa61925@googlegroups.com> wrote:
    >
    > > SSLProtocol all -SSLv2 -TLSv1 -- it works fine
    > >
    > > SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -- it didn't work
    > >
    > > SSLProtocol All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2 -- it didn't work
    > >
    > > SSLProtocol -All +TLSv1.1 -- It didn't work
    >
    > Well, upon further review, all is correct. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol
    >
    > Available protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2, and all
    >
    > all == +SSLv3 +TLSv1 (OpenSSL < v1.0.1)
    > all == +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
    >
    > If compiled with a "no-ssl3" option, then all does not include +SSLv3
    >
    > > I also tried installing the mod_ssl package from Red Hat using rpm -ivh
    > > mod_ssl* --nodeps. Still I am getting the same error.
    >
    > What is your version of OpenSSL? The package name might be libssl. That is probably the sticking point. What happens if you change SSLProtocol to
    >
    > SSLProtocol +TLSv1.1 +TLSv1.2
    >
    > ??? That works for me, but I'm running Debian with apache 2.4.27. I
    > don't see why one would need "all" if you specify the secure
    > TLSv1.(1|2) variants. My available SSL libraries are 1.1.0 and 1.0.2
    >
    > --
    > Consulting Minister for Consultants, DNRC
    > I can please only one person per day. Today is not your day. Tomorrow
    > isn't looking good, either.
    > I am BOFH. Resistance is futile. Your network will be assimilated.


    Hello

    I tried the above combination given by you, but it still gives the same error: Illegal protocol

    My openssl version is OpenSSL 1.0.1e-fips 11 Feb 2013

    Not sure if this is related to the openssl version.


    Regards,

    Aneesh

  • From I R A Darth Aggie@21:1/5 to 2fc12964-9fc0-46e0-aa20-6b295b323b4 on Thu Oct 19 20:42:21 2017
    On Sun, 15 Oct 2017 07:30:57 -0700 (PDT),
    aneesh.tm@gmail.com <aneesh.tm@gmail.com>, in <2fc12964-9fc0-46e0-aa20-6b295b323b4e@googlegroups.com> wrote:

    > I tried the above combination given by you, but it still gives the same
    > error: Illegal protocol
    >
    > My openssl version is OpenSSL 1.0.1e-fips 11 Feb 2013
    >
    > Not sure if this is related to the openssl version.

    At this point, I got nothing. Sorry.

    --
    Consulting Minister for Consultants, DNRC
    I can please only one person per day. Today is not your day. Tomorrow
    isn't looking good, either.
    I am BOFH. Resistance is futile. Your network will be assimilated.
