2
votes

I am trying to update TLS1 to TLS1.1 or higher, but after making the changes below I am getting the error "SSLProtocol: Illegal protocol 'TLSv1.1'".

My Apache and OpenSSL versions are:

httpd -v

Server version: Apache/2.4.2 (Unix)
Server built: Jul 16 2012 21:11:37

openssl version -a

OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Sep 27 12:27:19 UTC 2016

CentOS version (6.7):

rpm --query centos-release

centos-release-6-7.el6.centos.12.3.x86_64

Changes made for SSL:

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

SSLProtocol -all +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

SSLHonorCipherOrder on

I am not sure what is missing here; can anybody help me?

1
Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See What topics can I ask about here in the Help Center. Perhaps Super User or Unix & Linux Stack Exchange would be a better place to ask. Also see Where do I post questions about Dev Ops? – jww

Set SSLProtocol -all -SSLv2. But there are also ciphers there currently not supported by the OpenSSL version you are reporting, like the CHACHA and POLY ciphers. You should get errors from there too. – ezra-s

Correction to my previous comment: I meant SSLProtocol all -SSLv2 (although you should also ban SSLv3). – ezra-s

1 Answer

0
votes

Apache has to be compiled with OpenSSL when it's installed.

Your Apache was apparently compiled back on 16 Jul 2012, when Apache 1.0.1 wasn't even released yet. So I'm guessing it was compiled with the previous version (0.9.8), which doesn't support TLSv1.1.

At some point later, someone upgraded OpenSSL to a newer version but did not recompile Apache.

As Apache 2.4 wasn't available as a packaged version way back in 2012, someone must have installed it manually, and it has stayed on that old version ever since. I suggest you look in yum for a supported 2.4 version, which may be available now, or install it from source.
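The error in the question is what mod_ssl prints for a protocol name the build does not recognise, which is why the answer points at the OpenSSL headers Apache was compiled against. The shell function below is an added example, not code from the question, the answer or the Apache project: it emulates mod_ssl's left-to-right evaluation of SSLProtocol, with the list of recognised protocol names passed in as a constructed parameter (OLD_BUILD and NEW_BUILD are assumed names), so a directive can be checked offline for the "Illegal protocol" case and for leftover SSLv3/TLSv1 before it is deployed.

```shell
#!/bin/sh
# Emulates how mod_ssl evaluates an SSLProtocol directive (left to right:
# a bare token replaces the set, + adds, - removes, "all" expands to every
# protocol the build knows, anything else is "Illegal protocol").
# $1 = protocol names the httpd build recognises, i.e. what the OpenSSL
#      headers it was compiled against exposed (constructed lists below)
# $2 = the argument string of the SSLProtocol directive
ssl_protocol_eval() {
    supported=$1 enabled=""
    for tok in $2; do
        case $tok in
            +*) action=add name=${tok#+} ;;
            -*) action=del name=${tok#-} ;;
            *)  action=set name=$tok ;;
        esac
        if [ "$name" = all ]; then
            names=$supported
        else
            names=""
            for s in $supported; do            # case-insensitive match
                if [ "$(printf %s "$s" | tr A-Z a-z)" = "$(printf %s "$name" | tr A-Z a-z)" ]; then
                    names=$s
                fi
            done
            if [ -z "$names" ]; then
                echo "SSLProtocol: Illegal protocol '$name'"
                return 1
            fi
        fi
        case $action in
            set) enabled=$names ;;
            add) enabled="$enabled $names" ;;
            del) new=""
                 for e in $enabled; do
                     case " $names " in *" $e "*) ;; *) new="$new $e" ;; esac
                 done
                 enabled=$new ;;
        esac
    done
    out=""                                   # dedupe and print in canonical order
    for s in $supported; do
        case " $enabled " in *" $s "*) out="$out $s" ;; esac
    done
    echo "${out# }"
}
# Constructed lists: a build against OpenSSL 0.9.8 knows only SSLv3/TLSv1;
# one against 1.0.1 also knows TLSv1.1/TLSv1.2.
OLD_BUILD="SSLv3 TLSv1"  NEW_BUILD="SSLv3 TLSv1 TLSv1.1 TLSv1.2"
ssl_protocol_eval "$OLD_BUILD" "-all +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2"  # SSLProtocol: Illegal protocol 'TLSv1.1'
ssl_protocol_eval "$NEW_BUILD" "all -SSLv3 -TLSv1"                     # TLSv1.1 TLSv1.2
```

Run against the directive from the question with NEW_BUILD and the output still lists SSLv3 and TLSv1, so even after a rebuild the directive in the question would keep the deprecated versions enabled.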