Selective ERR_SSL_VERSION_OR_CIPHER_MISMATCH error with multiple Apache-hosted sites

1
votes

I have several hostnames running on Apache for which I'd like to have specific strong TLS configuration. There are 2 .conf files enabled in Apache: the first one contains all the VirtualHosts for port 80 (say default.conf) and the other one stores respective VirtualHosts for port 443 (default443.conf).

It is possible to access only the hostname from the very first VirtualHost of default.conf via https://. All remaining hosts are throwing ERR_SSL_VERSION_OR_CIPHER_MISMATCH in any web browser. When accessing such a failing hostname via curl, the below error appears:

curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

default.conf:

Protocols h2 h2c http/1.1

<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/example
RewriteEngine on
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
#RewriteRule ^(.*)$ https://example.com$1 [R=301,L]
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost *:80>
ServerName example2.com
ServerAlias www.example2.com
DocumentRoot /var/www/html/example2
RewriteEngine on
RewriteRule ^(.*)$ https://example2.com$1 [R=301,L]
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

default443.conf:

Protocols h2 h2c http/1.1

<VirtualHost *:443>
ServerName example.com
DocumentRoot /var/www/html/example
RewriteEngine on
SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves secp384r1
SSLEngine On
SSLCertificateFile /path/to/example.crt
SSLCertificateKeyFile /path/to/example.key
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

<VirtualHost *:443>
ServerName example2.com
ServerAlias www.example2.com
DocumentRoot /var/www/html/example2
RewriteEngine on
RewriteCond %{SERVER_PORT} 443
RewriteCond %{HTTP_HOST} www\.example2\.com$
RewriteRule ^(.*)$ https://example2.com$1 [R=301,L]
SSLEngine On
SSLCertificateFile /path/to/example2.crt
SSLCertificateKeyFile /path/to/example2.key
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

SSLProtocol             -all +TLSv1.2
SSLCipherSuite          -all:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305
SSLHonorCipherOrder     on
SSLCompression          off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

According to the above configuration, example.com is properly resolving via https:// using the cipher suites declared while SSL handshake is failing for example2.com.

In case of commenting our the SSLCipherSuite directive or replacing the cipher suites with the ones suggested by Mozilla for TLS 1.2, example2.com starts working properly via https:// as well.

apachectl -v Server version: Apache/2.4.41

openssl version OpenSSL 1.1.1c 28 May 2019

I would like to clear out the reason why only one hostname is functioning properly via https:// while the remaining ones keep getting failed SSL handshakes with ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305 ciphers declared.

1
apachesslopenssltls1.2

1 Answers

1
votes

The resolution appeared to be pretty obvious after some research.

There was ECDSA SSL/TLS certificate installed for the hostname working properly (example.com from the listings) while all the other hosts had certificates with RSA private keys installed for them.

As the declared cipher suites were ECDSA-authentication only (1) (2) the handshake was failing for hosts with RSA private keys.

Reissuing the remaining certs with EC keys solved the issue.