Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. Apache>
  3. Users
Newer Apache does not offer TLS cipher with TLSv1 anymore
daku8938 at gmx
Jun 2, 2021, 8:29 AM
Post #1 of 6 (448 views)
Permalink
Hello,

we host a website which clients still need to use the cipher ECDHE-RSA-AES256-SHA

with protocol "TLSv1.0" aka "TLSv1".

With our old Apache server that worked. Spec:
Ubuntu 14.04 LTS
Apache 2.4.7-1ubuntu4.22
OpenSSL 1.0.1f-1ubuntu2.27

Apache config:
SSLProtocol -all +TLSv1.2 +TLSv1
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA

sslscan shows the following cipher support of the old Apache server:
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256

So, ECDHE-RSA-AES256-SHA is offered both via TLSv1.2 and TLSv1.0.

Now we have a newer Apache server setup. Spec:
Ubuntu 18.04.1 LTS
Apache 2.4.29-1ubuntu4.14
OpenSSL 1.1.1-1ubuntu2.1~18.04.9

The complete Apache config. is unchanged, so still:
SSLProtocol -all +TLSv1.2 +TLSv1
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA

But now sslscan shows for the new Apache server:
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256

The problem is, ECDHE-RSA-AES256-SHA is now _only_ supported via TLSv1.2, not via TLSv1.0 anymore.

How does this come?

Is it possible to make the new Apache to offer ECDHE-RSA-AES256-SHA also via TLSv1.0 again?

Thank you very much.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Aw: Newer Apache does not offer TLS cipher with TLSv1 anymore [ In reply to ]
daku8938 at gmx
Jun 2, 2021, 9:24 AM
Post #2 of 6 (448 views)
Permalink
P.S.

OpenSSL seems to offer the cipher ECDHE-RSA-AES256-SHA via TLSv1 on the new server (Ubuntu 18):

openssl ciphers -v -s -tls1 | grep '^ECDHE-RSA-AES256-SHA '
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Aw: Newer Apache does not offer TLS cipher with TLSv1 anymore [ In reply to ]
daku8938 at gmx
Jun 3, 2021, 12:54 AM
Post #3 of 6 (448 views)
Permalink
When changing

SSLProtocol -all +TLSv1.2 +TLSv1

to

SSLProtocol -all +TLSv1

then TLSv1.0 support is there:

sslscan gives:

Supported Server Cipher(s):
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.0 256 bits AES256-SHA


So this seems to be an issue of protocol preference in Apache?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Aw: Newer Apache does not offer TLS cipher with TLSv1 anymore [ In reply to ]
daku8938 at gmx
Jun 3, 2021, 9:17 PM
Post #4 of 6 (448 views)
Permalink
Solution to have TLSv1.2 and TLSv1.0 support together again with Apache 2.4.29 on Ubuntu 18:

Changing

SSLProtocol -all +TLSv1.2 +TLSv1

to

SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1

This gives the following sslscan output:

Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.2 256 bits AES256-SHA
Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.1 256 bits AES256-SHA
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.0 256 bits AES256-SHA

and connection with all three protocols with curl works, also from the old client which is not TLSv1.2 capable.

But I want only to allow TLSv1.2 and TLSv1.0, TLSv1.1 is not needed, so I do not want to allow it.

By luck, I found this Apache bug report about chaotic behaviour resulting from different combinations of options SSLProtocol and SSLCipherSuite:

https://bz.apache.org/bugzilla/show_bug.cgi?id=60739

This is really scary: Undocumented change of behaviour, behaviour that is not reasonable/logic, nearly zero documentation of option SSLProtocol.

Any explanation by the Apache devs, why
SSLProtocol -all +TLSv1.2 +TLSv1
did work with Apache 2.4.7 on Ubuntu 14

but with Apache 2.4.29 on Ubuntu 18 one has to set
SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1
to get TLSv1.0 protocol support?

Any suggestion how I can have TLSv1.2 and TLSv1.0 support, but no TLSv1.1 support at the same time?


> Gesendet: Mittwoch, 02. Juni 2021 um 17:29 Uhr
> Von: "Hildegard Meier" <daku8938@gmx.de>
> An: users@httpd.apache.org
> Betreff: [users@httpd] Newer Apache does not offer TLS cipher with TLSv1 anymore
>
> Hello,
>
> we host a website which clients still need to use the cipher ECDHE-RSA-AES256-SHA
>
> with protocol "TLSv1.0" aka "TLSv1".
>
> With our old Apache server that worked. Spec:
> Ubuntu 14.04 LTS
> Apache 2.4.7-1ubuntu4.22
> OpenSSL 1.0.1f-1ubuntu2.27
>
> Apache config:
> SSLProtocol -all +TLSv1.2 +TLSv1
> SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA
>
> sslscan shows the following cipher support of the old Apache server:
> Supported Server Cipher(s):
> Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
> Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
> Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
> Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
> Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
>
> So, ECDHE-RSA-AES256-SHA is offered both via TLSv1.2 and TLSv1.0.
>
> Now we have a newer Apache server setup. Spec:
> Ubuntu 18.04.1 LTS
> Apache 2.4.29-1ubuntu4.14
> OpenSSL 1.1.1-1ubuntu2.1~18.04.9
>
> The complete Apache config. is unchanged, so still:
> SSLProtocol -all +TLSv1.2 +TLSv1
> SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA
>
> But now sslscan shows for the new Apache server:
> Supported Server Cipher(s):
> Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
> Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
> Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
> Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
>
> The problem is, ECDHE-RSA-AES256-SHA is now _only_ supported via TLSv1.2, not via TLSv1.0 anymore.
>
> How does this come?
>
> Is it possible to make the new Apache to offer ECDHE-RSA-AES256-SHA also via TLSv1.0 again?
>
> Thank you very much.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Newer Apache does not offer TLS cipher with TLSv1 anymore [ In reply to ]
stefan.eissing at greenbytes
Jun 4, 2021, 3:23 AM
Post #5 of 6 (448 views)
Permalink
Hildegard,

I believe this is the result of a deliberate change in the OpenSSL API when going to version 1.1.0.

In earlier versions of OpenSSL one could switch on/off individual protocols, whereas now one specifies a minimum and maximum TLS version to use.

In Apache, the configuration handling needed to accomodate for that and the implementation looks for the "highest" protocol and then scans "downward". If a protocol is not listed, it basically stops. I am not sure why this decision was taken, but it seems that one wanted to avoid enabling a protocol that was not configured.

I believe the documentation could be clearer on this. As a token of our good intentions, please see a <https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslprotocol> that since Apache 2.4.42 one can configure different protocols for all VirtualHost. So if you need TLSv1 only on a particular host, you can disable it on all others.

Hope this helps,

Stefan

> Am 04.06.2021 um 06:17 schrieb Hildegard Meier <daku8938@gmx.de>:
>
> Solution to have TLSv1.2 and TLSv1.0 support together again with Apache 2.4.29 on Ubuntu 18:
>
> Changing
>
> SSLProtocol -all +TLSv1.2 +TLSv1
>
> to
>
> SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1
>
> This gives the following sslscan output:
>
> Supported Server Cipher(s):
> Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
> Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
> Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
> Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
> Accepted TLSv1.2 256 bits AES256-SHA
> Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
> Accepted TLSv1.1 256 bits AES256-SHA
> Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
> Accepted TLSv1.0 256 bits AES256-SHA
>
> and connection with all three protocols with curl works, also from the old client which is not TLSv1.2 capable.
>
> But I want only to allow TLSv1.2 and TLSv1.0, TLSv1.1 is not needed, so I do not want to allow it.
>
> By luck, I found this Apache bug report about chaotic behaviour resulting from different combinations of options SSLProtocol and SSLCipherSuite:
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=60739
>
> This is really scary: Undocumented change of behaviour, behaviour that is not reasonable/logic, nearly zero documentation of option SSLProtocol.
>
> Any explanation by the Apache devs, why
> SSLProtocol -all +TLSv1.2 +TLSv1
> did work with Apache 2.4.7 on Ubuntu 14
>
> but with Apache 2.4.29 on Ubuntu 18 one has to set
> SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1
> to get TLSv1.0 protocol support?
>
> Any suggestion how I can have TLSv1.2 and TLSv1.0 support, but no TLSv1.1 support at the same time?
>
>
>> Gesendet: Mittwoch, 02. Juni 2021 um 17:29 Uhr
>> Von: "Hildegard Meier" <daku8938@gmx.de>
>> An: users@httpd.apache.org
>> Betreff: [users@httpd] Newer Apache does not offer TLS cipher with TLSv1 anymore
>>
>> Hello,
>>
>> we host a website which clients still need to use the cipher ECDHE-RSA-AES256-SHA
>>
>> with protocol "TLSv1.0" aka "TLSv1".
>>
>> With our old Apache server that worked. Spec:
>> Ubuntu 14.04 LTS
>> Apache 2.4.7-1ubuntu4.22
>> OpenSSL 1.0.1f-1ubuntu2.27
>>
>> Apache config:
>> SSLProtocol -all +TLSv1.2 +TLSv1
>> SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA
>>
>> sslscan shows the following cipher support of the old Apache server:
>> Supported Server Cipher(s):
>> Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
>> Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
>> Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
>> Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
>> Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
>>
>> So, ECDHE-RSA-AES256-SHA is offered both via TLSv1.2 and TLSv1.0.
>>
>> Now we have a newer Apache server setup. Spec:
>> Ubuntu 18.04.1 LTS
>> Apache 2.4.29-1ubuntu4.14
>> OpenSSL 1.1.1-1ubuntu2.1~18.04.9
>>
>> The complete Apache config. is unchanged, so still:
>> SSLProtocol -all +TLSv1.2 +TLSv1
>> SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA
>>
>> But now sslscan shows for the new Apache server:
>> Supported Server Cipher(s):
>> Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
>> Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
>> Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
>> Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
>>
>> The problem is, ECDHE-RSA-AES256-SHA is now _only_ supported via TLSv1.2, not via TLSv1.0 anymore.
>>
>> How does this come?
>>
>> Is it possible to make the new Apache to offer ECDHE-RSA-AES256-SHA also via TLSv1.0 again?
>>
>> Thank you very much.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Aw: Re: Newer Apache does not offer TLS cipher with TLSv1 anymore [ In reply to ]
daku8938 at gmx
Jun 8, 2021, 1:41 AM
Post #6 of 6 (446 views)
Permalink
Thanks for your answer, Stefan.

So I would suggest to make the documentation of SSLProtocol clear like this:

"
You need to name the 'highest' protocol and the 'lowest' protocol, and all protocols in between them, without gap.

E.g. if You want to support TLSv1.2 and TLSv1.0, you need to set

SSLProtocol -all +TLSv1.2 +TLSv1.1 +TLSv1

If you would only set

SSLProtocol -all +TLSv1.2 +TLSv1

Apache would stop at TLSv1.2 because there is a gap in the protocol list, and only support TLSv1.2

If you only want to support TLSv1.2, you would set

SSLProtocol TLSv1.2
"

I mean, this is weird, but if it is really like so, you should be brave and document this weirdness like it is, or fix it.

How could the useres figure this behaviour out otherwise? It took me hours to find the solution, and only by guessing and trying.


> I believe this is the result of a deliberate change in the OpenSSL API when going to version 1.1.0.
>
> In earlier versions of OpenSSL one could switch on/off individual protocols, whereas now one specifies a minimum and maximum TLS version to use.
>
> In Apache, the configuration handling needed to accomodate for that and the implementation looks for the "highest" protocol and then scans "downward". If a protocol is not listed, it basically stops. I am not sure why this decision was taken, but it seems that one wanted to avoid enabling a protocol that was not configured.
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal