logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



httpd 2.4.37 SSLCipherSuite order not honored

 
Post new topic   Reply to topic    Apache Forum Index -> Apache



View previous topic :: View next topic  
Author Message
karhukuoma



Joined: 31 Jan 2015
Posts: 10
Location: Finland

PostPosted: Mon 22 Oct '18 20:28    Post subject: httpd 2.4.37 SSLCipherSuite order not honored Reply with quote

Using httpd-2.4.37-win32-VC15.zip with these settings:
Code:

SSLProtocol -ALL +TLSv1.3 +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-CBC-SHA:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4:!DHE


And TLS1.3 ciphers are not in order according to ssllabs test. Also CCM ciphers are missing. They seem to be in openssl 1.1.1 default order.
Code:

# TLS 1.3 (suites in server-preferred order)
TLS_AES_256_GCM_SHA384 (0x1302)
TLS_CHACHA20_POLY1305_SHA256 (0x1303)
TLS_AES_128_GCM_SHA256 (0x1301)

https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html

The TLSv1.2 ciphers are in order, issue seems to be with TLSv1.3 ciphers only.

Anyone else have this issue?
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2693
Location: Hilversum, NL, EU

PostPosted: Mon 22 Oct '18 21:08    Post subject: Reply with quote

The manual page you referring says:

An empty list is permissible. The default value for the this setting is:

"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"

So it is ok
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6484
Location: Germany, Next to Hamburg

PostPosted: Mon 22 Oct '18 22:16    Post subject: Reply with quote

It should be

Code:

SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256


EDIT FORGOT THE SSL in the first line


Last edited by James Blond on Mon 22 Oct '18 22:44; edited 1 time in total
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2693
Location: Hilversum, NL, EU

PostPosted: Mon 22 Oct '18 22:19    Post subject: Reply with quote

Edit, sorry James did not saw you post

@karhukuoma

You have:
Code:
SSLCipherSuite TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_CHACHA20_POLY1305_SHA256.....

The 1.3 ones you do not define there.

Remove the 1.3 ones from it.

And add a line for all known 1.3 ciphersuites:
Code:
SSLCipherSuite TLSv1.3 TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_CCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_CHACHA20_POLY1305_SHA256


See also http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite

For the ciphersuite list see https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html
Back to top
karhukuoma



Joined: 31 Jan 2015
Posts: 10
Location: Finland

PostPosted: Wed 24 Oct '18 19:49    Post subject: Reply with quote

Thanks guys, configuring as James said, did the trick. The SSLCipherSuite documentation at httpd.apache.org seems a bit vague. But thanks for the info.
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Apache
Page 1 of 1