Topic: How to disable TLS 1.1 while enabling TLS 1.0?
Author
majidex



Joined: 31 Jul 2019
Posts: 2
Location: Japan

Posted: Wed 31 Jul '19 8:49    Post subject: How to disable TLS 1.1 while enabling TLS 1.0?

The ones I use are:
Code:
D:\Apache24\bin>httpd.exe -v
Server version: Apache/2.4.39 (Win64)
Apache Lounge VS16 Server built:   May 28 2019 17:12:51

D:\Apache24\bin>openssl.exe version
OpenSSL 1.1.1c  28 May 2019

We are currently migrating servers from Apache 2.2 to Apache 2.4.
In order to maintain compatibility, while disabling TLS 1.1, I made the following settings to enable TLS 1.0.
Code:
SSLProtocol all -TLSv1.1 +TLSv1

However, disabling TLS 1.1 will also disable TLS 1.0 and will not work well.

Is there anyone who knows how to set it up?
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6661
Location: Germany, Next to Hamburg

Posted: Wed 31 Jul '19 14:35

Use -all and enable only what you need.

Code:

SSLProtocol -all +TLSv1 +WhatEverElse


Example

Code:

SSLProtocol -all +TLSv1.2 +TLSv1.3
majidex



Joined: 31 Jul 2019
Posts: 2
Location: Japan

Posted: Wed 31 Jul '19 15:41

Thank you for your reply.
I tried, but still TLSv1 is not enabled.

Code:
SSLProtocol -all +TLSv1 +TLSv1.2
SSLProxyProtocol -all +TLSv1 +TLSv1.2


Verified by openssl s_client

Code:
D:\Apache24\bin>openssl.exe s_client -connect localhost:443 -tls1
CONNECTED(00000104)
3452:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl\record\rec_layer_s3.c:1536:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 104 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1564579968
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---


Are there any shortages or omissions in the cipher suite?
Here is the configuration of the cipher suite.

Code:
# default setting
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6661
Location: Germany, Next to Hamburg

Posted: Wed 31 Jul '19 18:15

If you use a recent version of Apache 2.4 from Apache Lounge, which includes OpenSSL 1.1.1:

Code:

SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1


I would not use TLS 1.0 or 1.1 any longer.
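
Added example, not part of any post in this thread and not mod_ssl's own code: a small Python model of how an SSLProtocol line is evaluated, which would account for the `-tls1` handshake above being refused with alert 70. It assumes that mod_ssl built against OpenSSL 1.1.0 or later turns the enabled set into one minimum/maximum version range with no gaps; the function names are made up for this sketch and SSLv3 is left out of the model.

```python
# Added example: a model of SSLProtocol evaluation, not mod_ssl source code.
# Assumption: with OpenSSL 1.1.0+ the enabled set becomes one min/max range.
ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # oldest to newest


def parse_sslprotocol(args):
    """Apply SSLProtocol tokens left to right and return the requested set."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[len(action):]
        if name.lower() == "all":
            chosen = set(ORDER)
        else:
            match = [p for p in ORDER if p.lower() == name.lower()]
            if not match:
                raise ValueError(f"unknown protocol {name!r}")
            chosen = set(match)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # a bare name replaces what came before
    return enabled


def effective_protocols(args):
    """Collapse the requested set to one gap-free range ending at the newest."""
    requested = parse_sslprotocol(args)
    if not requested:
        return []
    top = max(ORDER.index(p) for p in requested)
    low = top
    # Walk downwards from the newest version; stop at the first one not enabled.
    while low > 0 and ORDER[low - 1] in requested:
        low -= 1
    return ORDER[low:top + 1]


if __name__ == "__main__":
    for line in ("all -TLSv1.1 +TLSv1",             # first post
                 "-all +TLSv1 +TLSv1.2",            # second attempt
                 "-all +TLSv1.2 +TLSv1.3",          # moderator's suggestion
                 "-all +TLSv1 +TLSv1.1 +TLSv1.2"):  # constructed: no gap
        print(f"SSLProtocol {line:32} -> {effective_protocols(line)}")
```

Under this model both settings tried in the thread leave TLSv1 out of the effective range, because TLSv1.1 sits between it and the newest enabled version.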