Hello,
we host a website whose clients still need to use the cipher ECDHE-RSA-AES256-SHA
with protocol "TLSv1.0" aka "TLSv1".
With our old Apache server that worked. Spec:
Ubuntu 14.04 LTS
Apache 2.4.7-1ubuntu4.22
OpenSSL 1.0.1f-1ubuntu2.27
Apache config:
SSLProtocol -all +TLSv1.2 +TLSv1
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA
sslscan shows the following cipher support of the old Apache server:
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
So, ECDHE-RSA-AES256-SHA is offered both via TLSv1.2 and TLSv1.0.
Now we have a newer Apache server setup. Spec:
Ubuntu 18.04.1 LTS
Apache 2.4.29-1ubuntu4.14
OpenSSL 1.1.1-1ubuntu2.1~18.04.9
The complete Apache config. is unchanged, so still:
SSLProtocol -all +TLSv1.2 +TLSv1
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA
But now sslscan shows for the new Apache server:
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
The problem is, ECDHE-RSA-AES256-SHA is now _only_ supported via TLSv1.2, not via TLSv1.0 anymore.
How did this come about?
Is it possible to make the new Apache offer ECDHE-RSA-AES256-SHA also via TLSv1.0 again?
Thank you very much.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
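
Added example (not part of the original message and not code from the httpd project): a Python check that parses the two sslscan listings quoted in the message and reports which protocol/cipher pairs the new server no longer offers. The function names are this example's own; the embedded listings are copied from the message.

```python
import re

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # sslscan colours its output by default
ROW = re.compile(r"^(Preferred|Accepted)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")

def parse_sslscan(text):
    """Return the set of (protocol, cipher) pairs a listing reports as usable."""
    pairs = set()
    for line in text.splitlines():
        m = ROW.match(ANSI.sub("", line).strip())
        if m:
            pairs.add((m.group(2), m.group(4)))
    return pairs

def lost_pairs(before, after):
    """Pairs the old server offered that the new server no longer offers."""
    return sorted(parse_sslscan(before) - parse_sslscan(after))

def protocols_for(text, cipher):
    """Protocol versions under which one cipher is offered."""
    return sorted(p for p, c in parse_sslscan(text) if c == cipher)

# Listings copied from the message (old = Ubuntu 14.04, new = Ubuntu 18.04).
NEW_SCAN = """\
Supported Server Cipher(s):
Preferred TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384 DHE 2048 bits
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
"""
# The old listing is identical except for one extra TLSv1.0 row.
OLD_SCAN = NEW_SCAN + (
    "Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256\n"
)

if __name__ == "__main__":
    for proto, cipher in lost_pairs(OLD_SCAN, NEW_SCAN):
        print(f"no longer offered: {cipher} over {proto}")
    print("new server offers ECDHE-RSA-AES256-SHA via:",
          protocols_for(NEW_SCAN, "ECDHE-RSA-AES256-SHA"))
```

Running the same comparison on saved scans before and after a server migration shows a dropped protocol/cipher pair before legacy clients hit it.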