Hi Team,
We have Redhat 7.3/Apache 2.2.29/OpenSSL 1.0.1e-fips 11 Feb 2013
I have to remediate a vulnerability: SSL/TLS Server supports TLSv1.0
I tried to add the line "SSLProtocol All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2" in httpd.conf and restarted Apache; it throws the below error: "SSLProtocol: Illegal protocol '"TLSv1.1"'"
Then to remediate that I tried to install the mod_ssl package. But it is asking me to install the dependencies like httpd-2.4.6.
Package Arch Version Repository Size
=============================================================================================================================================================
Installing:
mod_ssl x86_64 1:2.4.6-40.el7
Installing for dependencies:
apr x86_64 1.4.8-3.el7
apr-util x86_64 1.5.2-6.el7
httpd x86_64 2.4.6-40.el7
httpd-tools x86_64 2.4.6-40.el7
Now I am worried whether to install these dependencies or not. Will they affect my running httpd instances? Is there any other way to remediate this vulnerability?
SSLProtocol all -SSLv2 -TLSv1 -- it works fine
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -- it didn't work
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2 -- it didn't work
SSLProtocol -All +TLSv1.1 -- it didn't work
I also tried installing the mod_ssl package from Red Hat using rpm -ivh
mod_ssl* --nodeps. Still I am getting the same error.
On Sat, 14 Oct 2017 10:40:50 -0700 (PDT),
aneesh.tm@gmail.com <aneesh.tm@gmail.com>, in <11989b07-2758-478d-9586-75d22fa61925@googlegroups.com> wrote:
> SSLProtocol all -SSLv2 -TLSv1 -- it works fine
> SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -- it didn't work
> SSLProtocol All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2 -- it didn't work
> SSLProtocol -All +TLSv1.1 -- it didn't work
Well, upon further review, all is correct. https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol
Available protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2, and all
all == +SSLv3 +TLSv1 (OpenSSL < v1.0.1)
all == +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
If compiled with a "no-ssl3" option, then all does not include +SSLv3
> I also tried installing the mod_ssl package from Red Hat using rpm -ivh
> mod_ssl* --nodeps. Still I am getting the same error.
What is your version of OpenSSL? Might be package name libssl. That is probably the sticking point. What happens if you change SSLProtocol to
SSLProtocol +TLSv1.1 +TLSv1.2
??? That works for me, but I'm running Debian with Apache 2.4.27. I
don't see why one would need "all" if you specify the secure
TLSv1.(1|2) variants. My available SSL libraries are 1.1.0 and 1.0.2.
--
Consulting Minister for Consultants, DNRC
I can please only one person per day. Today is not your day. Tomorrow
isn't looking good, either.
I am BOFH. Resistance is futile. Your network will be assimilated.
I tried the above combination given by you, but it still gives the same
error: Illegal protocol
My openssl version is OpenSSL 1.0.1e-fips 11 Feb 2013
Not sure if this is related to openssl version.
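The rules quoted above from the mod_ssl documentation can be applied mechanically to the SSLProtocol lines tried in this thread. The following Python model is an added example, not code from any poster or from Apache: `effective_protocols`, `expand_all` and the `known` parameter are hypothetical names, and treating `-SSLv2` as an accepted no-op is an assumption based on the report that a line containing it loaded.

```python
# Added example: a model of SSLProtocol evaluation built from the rules quoted
# in the thread; names are hypothetical and this is not mod_ssl's own parser.
DOC_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

def expand_all(openssl_ge_101=True, no_ssl3=False):
    """Protocols that 'all' stands for, per the quoted documentation."""
    protos = {"SSLv3", "TLSv1"}
    if openssl_ge_101:
        protos |= {"TLSv1.1", "TLSv1.2"}
    if no_ssl3:
        protos.discard("SSLv3")
    return protos

def effective_protocols(line, openssl_ge_101=True, no_ssl3=False,
                        known=DOC_PROTOCOLS):
    """Return the protocols an SSLProtocol line leaves enabled.

    `known` is the token list the build recognises (assumption: a build may
    know fewer tokens than the documentation lists). Unknown tokens raise
    ValueError, mirroring the "Illegal protocol" error in the thread.
    """
    canon = {name.lower(): name for name in known}
    tokens = line.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]
    enabled = set()
    for tok in tokens:
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok[len(sign):].lower()
        if name == "all":
            group = expand_all(openssl_ge_101, no_ssl3) & set(known)
        elif name in canon:
            group = {canon[name]}
        elif name == "sslv2" and sign == "-":
            group = set()  # assumption: removing SSLv2 is accepted, no effect
        else:
            raise ValueError(f"Illegal protocol '{tok[len(sign):]}'")
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            enabled = set(group)  # a bare token replaces the set built so far
    return enabled

if __name__ == "__main__":
    for line in ("all -SSLv2 -TLSv1", "all -SSLv2 -SSLv3 -TLSv1"):  # from the thread
        for ge101 in (False, True):
            print(line, ge101, sorted(effective_protocols(line, ge101)))
```

Under the OpenSSL < 1.0.1 definition of `all`, `all -SSLv2 -TLSv1` leaves only SSLv3 enabled and `all -SSLv2 -SSLv3 -TLSv1` leaves nothing enabled.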