Apache Lounge
Topic: Possible to disable SSLv3 in older Apache version?
JNR75



Joined: 07 Jun 2018
Posts: 3

Posted: Thu 07 Jun '18 17:11    Post subject: Possible to disable SSLv3 in older Apache version?

Hello everyone, first post.

I have some older HP-UX 11.11 servers running OpenSSL 09.07 and 09.08 and Apache 2.0.58 and 2.0.64. I'm trying to disable SSLv3 and turn on TLS1.1 and / or TLS1.2 for better security.

I'm fairly new to this aspect of Apache, but looking around I keep seeing this-

Add this line to /opt/hpws/apache/conf/ssl.conf file
SSLProtocol -all +TLSv1.2 +TLSv1.1

But I can't seem to find an SSLProtocol line in the ssl.conf file.

This is the most likely spot-

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

Can I add the SSLProtocol -all +TLSv1.2 +TLSv1.1 line near the SSLCipherSuite line? Then restart Apache and see if it works?

Thanks.
mraddi



Joined: 27 Jun 2016
Posts: 149
Location: Schömberg, Baden-Württemberg, Germany

Posted: Thu 07 Jun '18 21:27

Hello,

by looking at the documentation for Apache 2.0 and SSL (http://httpd.apache.org/docs/2.0/ssl/ssl_intro.html#ssl) I would say that encryption only up to TLS1.0 is supported, whereas the same documentation for Apache 2.4 mentions TLS up to TLS1.2 (http://httpd.apache.org/docs/2.4/ssl/ssl_intro.html#ssl).

Quote:
Can I add the SSLProtocol -all +TLSv1.2 +TLSv1.1 line near the SSLCipherSuite line? Then restart Apache and see if it works?

That is a good idea to see if just the documentation for Apache2.0 simply does not mention TLS1.1 + TLS1.2 or if these TLS-versions are really not supported by Apache2.0.

Within Apache-config the rule is: if a config-line is not mentioned within your config then the default-value is used (see documentation for the default-value). You can add the line and check if it is working as expected, otherwise remove/modify it.

Tip: For checking correct syntax of your config-file you can use "httpd -t" (verified on Windows with Apache2.4).

Best regards
Matthias
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Thu 07 Jun '18 23:09

Apache can only support what the openssl library supports.

OpenSSL 0.9.8: SSLv2, SSLv3, TLSv1
OpenSSL 0.9.7: SSLv2, SSLv3, TLSv1

so

SSLProtocol -all +TLSv1
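An added example, not part of any post in this thread: a small Python model of how an `SSLProtocol` line resolves against the protocols glsmith lists for OpenSSL 0.9.7/0.9.8, showing why the TLSv1.1/TLSv1.2 line from the question cannot take effect on such a build while `-all +TLSv1` can. The token semantics (`+` adds, `-` removes, a bare name replaces, unknown names are rejected), the default of `all`, the function names and the sample config are assumptions of this example.

```python
import re

# Protocols glsmith's reply lists for OpenSSL 0.9.7 and 0.9.8.
SUPPORTED = ("SSLv2", "SSLv3", "TLSv1")

# Constructed sample: a config still carrying the line from the question.
SAMPLE = """\
# SSLProtocol all
SSLCipherSuite HIGH
SSLProtocol -all +TLSv1.2 +TLSv1.1
"""

def resolve_sslprotocol(args, supported=SUPPORTED):
    """Apply SSLProtocol tokens left to right and return the enabled set.

    Assumed model: '+X' adds, '-X' removes, a bare 'X' replaces the set,
    'all' is every supported protocol, an unknown name is a config error.
    """
    names = {p.lower(): {p} for p in supported}
    names["all"] = set(supported)
    enabled = set()
    for tok in args.split():
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() not in names:
            raise ValueError(f"unsupported protocol {name!r}")
        chosen = names[name.lower()]
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = set(chosen)
    return enabled

def audit(conf_text, supported=SUPPORTED):
    """List (line_no, args, enabled set or error text) per SSLProtocol line.

    No SSLProtocol line at all means the default, assumed here to be 'all'.
    """
    found = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if not m:
            continue  # comments and other directives
        try:
            found.append((no, m.group(1), resolve_sslprotocol(m.group(1), supported)))
        except ValueError as exc:
            found.append((no, m.group(1), str(exc)))
    return found or [(0, "all (default)", set(supported))]
```

On the real server, `httpd -t` (mentioned in mraddi's reply) remains the authoritative syntax check; this model only illustrates why the outcome differs between the two candidate lines.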
JNR75



Joined: 07 Jun 2018
Posts: 3

Posted: Fri 08 Jun '18 14:56

@mraddi
Very good info, thanks. Especially the bold part. I've been wondering how that works (adding a totally new line vs modifying an existing line).
JNR75



Joined: 07 Jun 2018
Posts: 3

Posted: Fri 08 Jun '18 14:57

@glsmith
Perfect, I will give it a try. Thanks to both of you.