logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in  RSS Apache Lounge  


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.



Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Legacy windows os fails to communicate with openssl 1.1.1c
Author
Jayaprakash S



Joined: 05 Dec 2019
Posts: 2
Location: India

PostPosted: Thu 05 Dec '19 16:06    Post subject: Legacy windows os fails to communicate with openssl 1.1.1c Reply with quote

We are using Apache 2.4.41 compiled with the OpenSSL 1.0.2s. On hosting a server with Apache 2.4.41 (openssl 1.0.2s), we were able to access it using https from Windows XP as well as 2003 server machines (IE6).

As openssl is stopping support for 1.0.2 by the end of this year, we're forced to migrate to OpenSSL 1.1.1 series.

But, hosting an Apache(2.4.41) server with OpenSSL version 1.1.1c breaks the https communication from Windows XP and 2003 server machines(IE6).

On analyzing the issue further with Wireshark, there was a SSL handshake error (code 40). This happens because, "server hello" fails in cipher negotiation i.e. the server (openssl) doesn't supports the cipher list supported by windows xp/2003 server machines (client).

Would like to know whether there is a build available for Apache version 2.4.41 with OpenSSL 1.1.1c with enable-weak-ssl-ciphers,enable-rc4,enable-deprecated flags or not.

Thanks in advance!
Back to top
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 2772
Location: Hilversum, NL, EU

PostPosted: Thu 05 Dec '19 16:54    Post subject: Reply with quote

Depends on the defined SSLCipherSuite in your config.


To configure, see https://www.apachelounge.com/viewtopic.php?t=8307

The intermediate could be used for XP access, otherwise the old. Not sure about IE6.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2212
Location: Sun Diego, USA

PostPosted: Fri 06 Dec '19 4:18    Post subject: Reply with quote

This doesn't work?

SSLProtocol -all +TLSv1
SSLCipherSuite HIGH:MEDIUM:LOW:!MD5:!RC4:!3DES

if that works, try adding a ! to LOW (!LOW)
if it still works, add a ! to MEDIUM (!MEDIUM)

I like most of the world moved on from XP so I cannot test myself. I hated it but security is better that rolling the dice in my opinion Exclamation
Back to top
Jayaprakash S



Joined: 05 Dec 2019
Posts: 2
Location: India

PostPosted: Fri 06 Dec '19 13:27    Post subject: Doesn't Work even with LOW graded ciphers Reply with quote

We tried even with LOW graded ciphers. It doesn't work.
We have also tried with the SSLv3 enabled No effect.
The TLS 1.0 weaker ciphers are disabled by default in OpenSSL 1.1.1 series.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6695
Location: Germany, Next to Hamburg

PostPosted: Wed 11 Dec '19 12:26    Post subject: Reply with quote

Go with such an old browser to https://www.ssllabs.com/ssltest/viewMyClient.html and see which ciphers is supports.
Back to top


Reply to topic   Topic: Legacy windows os fails to communicate with openssl 1.1.1c View previous topic :: View next topic
Post new topic   Forum Index -> Apache