Topic: Apache 2.2.31 - disable SSLv3 in SSLProxyProtocol?
Author
almalino



Joined: 30 Dec 2016
Posts: 1
Location: Salo

Posted: Fri 30 Dec '16 13:10    Post subject: Apache 2.2.31 - disable SSLv3 in SSLProxyProtocol?

Hi Apache experts :) I use Apache/2.2.31

I have the following global SSL configuration outside of several virtual host sections:

Code:
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression Off
SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA25$
SSLProxyProtocol +TLSv1.2 -SSLv2 -SSLv3


and then I have one of the virtual hosts with the following proxy RewriteRule [P]:

Code:
RewriteEngine On
SSLProxyEngine On
RewriteCond %{QUERY_STRING} !(^|&)requestOrigin=apiGateway($|&) [NC]
RewriteRule ^/portal/mobile/stores$ https://xxx.execute-api.eu-west-1.amazonaws.com/test/stores [QSA,P,L]

As you can see, I have a rewrite rule that proxies the original request to Amazon API Gateway. Amazon API Gateway does not support SSLv3, which is why I disabled it in the configurations above. I want TLSv1.2 to be used for proxying.

However, Apache continues using SSLv3 while proxying the rewrite rule above. But I disabled SSLv3 as a proxy protocol. See the debug output below. Any ideas what I am doing wrong? Can it be that Apache has some bug that does not allow me to disable proxy protocols?

Code:
[debug] ssl_engine_io.c(1090): [client XXX.XXX.XXX.XXX] SNI extension for SSL Proxy request set to 'example.com'
[debug] ssl_engine_kernel.c(1834): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: before/connect initialization
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 write client hello A
[debug] ssl_engine_io.c(1939): OpenSSL: read 5/5 bytes from BIO#10c87d0 [mem: 10cttb3] (BIO dump follows)
[debug] ssl_engine_io.c(1872): +-------------------------------------------------------------------------+
[debug] ssl_engine_io.c(1911): | 0000: 16 02 02 00 02                                   .....            |
[debug] ssl_engine_io.c(1917): +-------------------------------------------------------------------------+
[debug] ssl_engine_io.c(1939): OpenSSL: read 2/2 bytes from BIO#10c87d0 [mem: 10c44b8] (BIO dump follows)
[debug] ssl_engine_io.c(1872): +-------------------------------------------------------------------------+
[debug] ssl_engine_io.c(1911): | 0000: 02 38                                            .(               |
[debug] ssl_engine_io.c(1917): +-------------------------------------------------------------------------+
[debug] ssl_engine_kernel.c(1847): OpenSSL: Read: SSLv3 read server hello A
[debug] ssl_engine_kernel.c(1866): OpenSSL: Exit: failed in SSLv3 read server hello A
[info] [client XXX.XXX.XXX.XXX] SSL Proxy connect failed
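
To see what the peer actually answered in a mod_ssl debug log like the one in this post, the BIO dump lines can be decoded as a TLS record header (type, version, length) followed by the alert body. This is an added example, not part of the original post; the function names are hypothetical and the sample log lines are constructed, using a well-formed alert record rather than the bytes posted above.

```python
import re
# TLS record-layer and alert values (RFC 5246, RFC 6066); only those needed here.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 112: "unrecognized_name"}
# Hex column of a BIO dump line, e.g. "| 0000: 15 03 03 00 02   .....   |"
DUMP_LINE = re.compile(r"\|\s*[0-9a-f]{4}:\s+((?:[0-9a-f]{2}\s)+)", re.I)

# Constructed sample in the format of the log above (not the bytes posted there).
SAMPLE_LOG = """\
[debug] ssl_engine_io.c(1939): OpenSSL: read 5/5 bytes from BIO#0 [mem: 0] (BIO dump follows)
[debug] ssl_engine_io.c(1872): +------------------------------------+
[debug] ssl_engine_io.c(1911): | 0000: 15 03 03 00 02       .....   |
[debug] ssl_engine_io.c(1939): OpenSSL: read 2/2 bytes from BIO#0 [mem: 0] (BIO dump follows)
[debug] ssl_engine_io.c(1872): +------------------------------------+
[debug] ssl_engine_io.c(1911): | 0000: 02 28                .(      |
"""

def dump_blocks(log_text):
    """Return one bytes object per 'BIO dump follows' read in the log."""
    blocks = []
    for line in log_text.splitlines():
        if "BIO dump follows" in line:
            blocks.append(b"")
        m = DUMP_LINE.search(line)
        if m and blocks:
            blocks[-1] += bytes.fromhex(m.group(1))
    return blocks

def decode_records(log_text):
    """Decode each 5-byte record header and, for alerts, the 2-byte body read after it."""
    blocks, records, i = dump_blocks(log_text), [], 0
    while i < len(blocks):
        hdr, body = blocks[i], (blocks[i + 1] if i + 1 < len(blocks) else b"")
        if len(hdr) != 5:  # not a record header: skip this read
            i += 1
            continue
        rec = {"type": CONTENT_TYPES.get(hdr[0], "unknown"),
               "version": VERSIONS.get((hdr[1], hdr[2]), "unknown"),
               "length": int.from_bytes(hdr[3:5], "big")}
        if hdr[0] == 21 and len(body) == 2:
            rec["alert"] = (ALERT_LEVELS.get(body[0], "unknown"), ALERTS.get(body[1], str(body[1])))
        records.append(rec)
        i += 2  # the read after a header is that record's body
    return records

if __name__ == "__main__":
    print(decode_records(SAMPLE_LOG))
```

Values outside the small lookup tables are reported as "unknown" (or as the raw alert number) rather than guessed.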
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7288
Location: Germany, Next to Hamburg

Posted: Thu 26 Jan '17 16:01

Are you sure the AWS can do TLS1.2? You may check https://www.ssllabs.com/ssltest/

Which OpenSSL version does your 2.2.31 server use?
jclin829



Joined: 10 Feb 2017
Posts: 1

Posted: Fri 10 Feb '17 0:30    Post subject: Apache - disable SSLv3 in SSLProxyProtocol?

Has anyone found a solution for disabling SSLv3 in SSLProxy in Apache when performing a reverse proxy to Amazon API Gateway?