logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: VS17 build :: rejects TLSv1.0 and TLSv1.1 ?
Author
Mg



Joined: 04 Jun 2014
Posts: 4

PostPosted: Thu 17 Nov '22 15:09    Post subject: Reply with quote

Is it possible to enable TLSv1 and TLSv1.1 with this build?

I tried:
SSLProtocol all -SSLv2 -SSLv3 +TLSv1 +TLSv1.1
But the apache server rejects any TLS 1.0 and TLS 1.1 ciphers.

If yes: how?
If not: which component prohibits it? mod_ssl? openssl3.0.7?

(I know, I shouldn't, but a few clients with legacy apps require it)

If it's not possible, I will have to stop using apache lounge builds from now on Sad
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 305
Location: UK

PostPosted: Fri 18 Nov '22 21:13    Post subject: Reply with quote

The security world continues to move on, and TLSv1.0 / TLSv1.1 are both out of favour and considered end of life for several years now.

So presume your Apache log contains messages of this form:-
Code:

[Fri Nov 18 14:23:48.117249 2022] [ssl:info] [pid 12104:tid 1904] SSL Library Error: error:0A000076:SSL routines::no suitable signature algorithm
[Fri Nov 18 14:27:36.481373 2022] [ssl:info] [pid 12104:tid 1904] SSL Library Error: error:0A000102:SSL routines::unsupported protocol

This TLS restriction is basically down to the OpenSSL support library, so you can't really blame the Apache Lounge for this, when they're simply tracking the latest security fixes and code features in their builds. Equally, most browsers no longer support TLSv1.0 / TLSv1.1, so doesn't that impact your client connections too, or do you have some legacy application making these connections?

Either way, if you really need to support these protocols for certain legacy clients, then I'd suggest moving that service to it's own separate platform using an earlier release of Apache / OpenSSL, and would assume your security people would fully support (let alone mandate) such a move.

If you had to, you could equally build your own release of code using the following Apache Lounge HOWTO, https://www.apachelounge.com/viewtopic.php?t=8609, where you could specify your own version and build options for OpenSSL.

TLS 1.0, and TLS 1.1 only work at security level 0, not the current OpenSSL default of security level 1, so you could pass -DOPENSSL_TLS_SECURITY_LEVEL=0 to the OpenSSL build process, to force it to provide legacy TLS support. I can confirm this works with release 3.0.7 coupled to Apache 2.4.54
Back to top
Mg



Joined: 04 Jun 2014
Posts: 4

PostPosted: Thu 15 Dec '22 12:29    Post subject: Workaround found Reply with quote

I found a workaround:

patch openssl.cnf in apache/conf directory:

Code:


[openssl_init]
...
ssl_conf = ssl_sect



...
[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=0
Back to top


Reply to topic   Topic: VS17 build :: rejects TLSv1.0 and TLSv1.1 ? View previous topic :: View next topic
Post new topic   Forum Index -> Apache