Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: Apache and FIPS-ready |
Page Previous 1, 2 |
Author |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1256 Location: Amsterdam, NL, EU
|
Posted: Tue 30 Sep '14 15:33 Post subject: |
|
|
I also saw that a few moments later and edited my previous post. You are quite right! I have a memory that previously SSLLabs also reported that a site would only work in browsers with SNI support, but cannot see that right now.
I changed the config back to what it was.
Last edited by Jan-E on Tue 07 Oct '14 19:04; edited 1 time in total |
|
Back to top |
|
ivanr
Joined: 27 Apr 2013 Posts: 6
|
Posted: Tue 30 Sep '14 15:44 Post subject: |
|
|
Jan-E wrote: | I also saw that e few moments later and edited my previous post. You are quite right! I have a memory that previously SSLLabs also reported that a site would only work in browsers with SNI support, but cannot see that right now.
I changed the config back to what it was. |
Now, I can connect using DES-CBC3-SHA from the command line (that's the cipher suite shown in SSL Labs for IE8/XP).
You are right, however, when you say that IE8 won't connect, but it seems that it's a different problem. I observed a connection attempt in Wireshark and it seems that the initial TLS handshake is successful. IE even sends some application data, but the server then aborts the connection with two TLS alerts. I don't know what are the alerts because the communication is encrypted.
Perhaps there will be something in the server's error log (if not at the default log level, perhaps on more verbose ones.) If not, it's possible to see what alerts were sent, but only if you configure Wireshark with the server's private RSA key. |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1256 Location: Amsterdam, NL, EU
|
|
Back to top |
|
ivanr
Joined: 27 Apr 2013 Posts: 6
|
Posted: Tue 30 Sep '14 15:48 Post subject: |
|
|
It did report SNI the first time I saw the report. It's not reporting now because the certificate without SNI is the same as with SNI. In other words, this site is now your default site for the IP address. |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1256 Location: Amsterdam, NL, EU
|
Posted: Tue 30 Sep '14 16:09 Post subject: |
|
|
ivanr wrote: | Now, I can connect using DES-CBC3-SHA from the command line (that's the cipher suite shown in SSL Labs for IE8/XP).
|
Code: | $ openssl s_client -connect fips.sessiondatabase.net:443 -cipher 3DES
| connects OK
ivanr wrote: | You are right, however, when you say that IE8 won't connect, but it seems that it's a different problem. I observed a connection attempt in Wireshark and it seems that the initial TLS handshake is successful. IE even sends some application data, but the server then aborts the connection with two TLS alerts. I don't know what are the alerts because the communication is encrypted.
Perhaps there will be something in the server's error log (if not at the default log level, perhaps on more verbose ones.) If not, it's possible to see what alerts were sent, but only if you configure Wireshark with the server's private RSA key. |
From the errorlog:
Code: | [Tue Sep 30 15:38:57.101785 2014] [ssl:error] [pid 2876:tid 968] SSL Library Error: error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Tue Sep 30 15:40:10.234071 2014] [ssl:error] [pid 2876:tid 972] [client 109.72.82.224:61742] AH02261: Re-negotiation handshake failed: Not accepted by client!?
|
|
|
Back to top |
|
ivanr
Joined: 27 Apr 2013 Posts: 6
|
Posted: Wed 01 Oct '14 15:58 Post subject: |
|
|
[quote="Jan-E"] ivanr wrote: |
From the errorlog:
Code: | [Tue Sep 30 15:38:57.101785 2014] [ssl:error] [pid 2876:tid 968] SSL Library Error: error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Tue Sep 30 15:40:10.234071 2014] [ssl:error] [pid 2876:tid 972] [client 109.72.82.224:61742] AH02261: Re-negotiation handshake failed: Not accepted by client!?
|
|
That explains it; your server wants to renegotiate, but it's (correctly) configured not to do it insecurely. The SSL Labs handshake simulator doesn't show it because it's happening after the initial handshake. |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1256 Location: Amsterdam, NL, EU
|
Posted: Mon 06 Oct '14 15:24 Post subject: |
|
|
glsmith wrote: | A challenge was building 32bit fips on an x64 OS. |
It isn't that hard:
Code: | set PROCESSOR_ARCHITECTURE=x86
ms\do_fips.bat
|
See my openssl-fips build for Apache 2.4.10:
http://www.apachelounge.com/viewtopic.php?t=6197 |
|
Back to top |
|
Jan-E
Joined: 09 Mar 2012 Posts: 1256 Location: Amsterdam, NL, EU
|
Posted: Wed 08 Oct '14 10:11 Post subject: |
|
|
Jan-E wrote: | ivanr wrote: | Now, I can connect using DES-CBC3-SHA from the command line (that's the cipher suite shown in SSL Labs for IE8/XP).
|
Code: | $ openssl s_client -connect fips.sessiondatabase.net:443 -cipher 3DES
| connects OK |
I tried to use abs.exe in stead:
Code: | C:\>abs -Z 3DES https://fips.sessiondatabase.net/
This is ApacheBench, Version 2.3 <$Revision: 1604373 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking fips.sessiondatabase.net (be patient)...SSL read failed (1) - closing connection
4716:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1275:SSL alert number 40
4716:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:1008:
..done
Server Software:
Server Hostname: fips.sessiondatabase.net
Server Port: 443
SSL/TLS Protocol: TLSv1.2,EDH-RSA-DES-CBC3-SHA,4096,112
Document Path: /
Document Length: 0 bytes
Concurrency Level: 1
Time taken for tests: 0.540 seconds
Complete requests: 1
Failed requests: 0
Total transferred: 0 bytes
HTML transferred: 0 bytes
Requests per second: 1.85 [#/sec] (mean)
Time per request: 540.004 [ms] (mean)
Time per request: 540.004 [ms] (mean, across all concurrent requests)
Transfer rate: 0.00 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 525 525 0.0 525 525
Processing: 15 15 0.0 15 15
Waiting: 0 0 0.0 0 0
Total: 540 540 0.0 540 540
| and Code: |
C:\>abs -Z 3DES https://ie8xp.sessiondatabase.net/
This is ApacheBench, Version 2.3 <$Revision: 1604373 $>
Copyright 1996 Adam Twiss, Zeus Technology Ltd, http://www.zeustech.net/
Licensed to The Apache Software Foundation, http://www.apache.org/
Benchmarking ie8xp.sessiondatabase.net (be patient).....done
Server Software: Apache/2.4.10
Server Hostname: ie8xp.sessiondatabase.net
Server Port: 443
SSL/TLS Protocol: TLSv1.2,EDH-RSA-DES-CBC3-SHA,4096,112
Document Path: /
Document Length: 46 bytes
Concurrency Level: 1
Time taken for tests: 0.533 seconds
Complete requests: 1
Failed requests: 0
Total transferred: 385 bytes
HTML transferred: 46 bytes
Requests per second: 1.88 [#/sec] (mean)
Time per request: 532.504 [ms] (mean)
Time per request: 532.504 [ms] (mean, across all concurrent requests)
Transfer rate: 0.71 [Kbytes/sec] received
Connection Times (ms)
min mean[+/-sd] median max
Connect: 525 525 0.0 525 525
Processing: 8 8 0.0 8 8
Waiting: 8 8 0.0 8 8
Total: 533 533 0.0 533 533 |
Wouldn't that be a valuable addition to
Code: | $ openssl s_client -connect fips.sessiondatabase.net:443 -cipher 3DES | because abs.exe shows the connection error?
https://www.ssllabs.com/ssltest/analyze.html?d=fips.sessiondatabase.net now has an inconsistent difference between the Cipher Suites and the Handshake Simulation. Abs.exe is also quite fast.
Edit: On *nix ApacheBench is without the 's':
Code: | $ ab -Z 3DES https://fips.sessiondatabase.net/ |
|
|
Back to top |
|
|
|
|
|
|