SSLProtocol: Illegal protocol '"TLSv1.1"'

anee...@gmail.com

Oct 13, 2017, 6:17:22 AM
Hi Team,


We have Redhat 7.3/Apache 2.2.29/OpenSSL 1.0.1e-fips 11 Feb 2013

I have to remediate the vulnerability "SSL/TLS Server supports TLSv1.0".

I tried to add the line "SSLProtocol All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2" in httpd.conf and restarted Apache; it throws the error below: "SSLProtocol: Illegal protocol '"TLSv1.1"'"

Then, to remediate that, I tried to install the mod_ssl package. But it is asking me to install dependencies like httpd-2.4.6.

Package Arch Version Repository Size
=============================================================================================================================================================
Installing:
mod_ssl x86_64 1:2.4.6-40.el7
Installing for dependencies:
apr x86_64 1.4.8-3.el7
apr-util x86_64 1.5.2-6.el7
httpd x86_64 2.4.6-40.el7
httpd-tools x86_64 2.4.6-40.el7



Now I am worried whether to install these dependencies or not. Will they affect my running httpd instances? Is there any other way to remediate this vulnerability?

I R A Darth Aggie

Oct 13, 2017, 3:35:49 PM
On Fri, 13 Oct 2017 03:17:22 -0700 (PDT),
anee...@gmail.com <anee...@gmail.com>, in
<f2c0340f-9239-4aa8...@googlegroups.com> wrote:

> I tried to add the line "SSLProtocol All -SSLv2 -SSLv3 -TLSv1
> +TLSv1.1 +TLSv1.2" in httpd.conf And restarted Apached, it throws
> below error "SSLProtocol: Illegal protocol '"TLSv1.1"'

Shouldn't that be "-all" instead of "all"? If my memory serves, that
means you will accept *all* protocols, then the rest of the stanza
doesn't matter since the rules apply left to right.

> Now iam worried whether to install these dependencies or not. Will
> they affect my running httpd instances ? Is there any other way to
> remediate this vulnerability ?

That will require a restart of your http/s service. Given that this is
a stateless transaction, this shouldn't be a huge issue. Otherwise,
you're running a potentially vulnerable service listening to the
internet.

If you're worried about compatibility with your current configuration,
you may want to run the update against a spare server, or a virtual
machine with the same software and configuration.

--
Consulting Minister for Consultants, DNRC
I can please only one person per day. Today is not your day. Tomorrow
isn't looking good, either.
I am BOFH. Resistance is futile. Your network will be assimilated.

anee...@gmail.com

Oct 14, 2017, 1:40:51 PM
Hello Darth Aggie,

I tried different combinations like below.

SSLProtocol all -SSLv2 -TLSv1 -- it works fine

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -- it didn't work

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2 -- it didn't work

SSLProtocol -All +TLSv1.1 -- it didn't work


I also tried installing the mod_ssl package from Red Hat using rpm -ivh mod_ssl* --nodeps. Still I am getting the same error.

I R A Darth Aggie

Oct 14, 2017, 5:47:38 PM
On Sat, 14 Oct 2017 10:40:50 -0700 (PDT),
anee...@gmail.com <anee...@gmail.com>, in
<11989b07-2758-478d...@googlegroups.com> wrote:

> SSLProtocol all -SSLv2 -TLSv1 -- it works fine
>
> SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -- it didn't work
>
> SSLProtocol All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2 -- it didn't work
>
> SSLProtocol -All +TLSv1.1 -- it didn't work

Well, upon further review, all is correct.
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol

Available protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2, and all

all == +SSLv3 +TLSv1 (OpenSSL < v1.0.1)
all == +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

If compiled with a "no-ssl3" option, then all does not include +SSLv3

> I also tried installing the mod_ssl package from Red Hat using rpm -ivh
> mod_ssl* --nodeps. Still I am getting the same error.

What is your version of OpenSSL? The package name might be libssl. That is
probably the sticking point. What happens if you change SSLProtocol to

SSLProtocol +TLSv1.1 +TLSv1.2

??? That works for me, but I'm running Debian with apache 2.4.27. I
don't see why one would need "all" if you specify the secure
TLSv1.(1|2) variants. My available SSL libraries are 1.1.0 and 1.0.2
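The left-to-right "+"/"-" semantics described in this reply, as an added example that is not part of the thread and not mod_ssl's own code: a small shell evaluator for an SSLProtocol argument list. It models a hypothetical build whose set of known protocol names is passed in as a parameter, so the lines tried earlier in the thread can be evaluated both against a build that knows TLSv1.1/TLSv1.2 and against one that does not (which yields the "Illegal protocol" message); treating SSLv2 as a recognised but never-enabled token is also an assumption of the model. The legacy_enabled helper reports which of SSLv3/TLSv1 a line still leaves switched on.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): evaluate an Apache mod_ssl SSLProtocol
# argument list the way the reply describes it. Tokens are processed left to
# right; "+X" adds X, "-X" removes X, a bare "X" replaces the whole set with X,
# and "all" expands to every protocol the build knows. A token the build does
# not know produces the error seen in the thread: SSLProtocol: Illegal protocol 'X'
#
# Assumptions (hypothetical model, not mod_ssl's own code): the list of known
# protocols is a parameter, so a build lacking TLSv1.1/TLSv1.2 is modelled by
# passing "SSLv3 TLSv1"; "SSLv2" is accepted as a token but never enabled.

DEFAULT_KNOWN="SSLv3 TLSv1 TLSv1.1 TLSv1.2"   # "all" per the reply (OpenSSL >= 1.0.1)

# has_word LIST WORD -> exit 0 if WORD is a member of the space-separated LIST
has_word() {
    local w
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# set_remove LIST WORD -> LIST without WORD
set_remove() {
    local w out=""
    for w in $1; do
        [ "$w" = "$2" ] || out="$out $w"
    done
    echo "${out# }"
}

# effective_protocols "ARGS" ["KNOWN"]
# Prints the enabled protocols in canonical order (empty line if none) and
# returns 0, or prints the mod_ssl-style error message and returns 1.
effective_protocols() {
    local known="${2:-$DEFAULT_KNOWN}" enabled="" tok action name targets p out=""
    for tok in $1; do
        case "$tok" in
            +*) action="+"; name="${tok#+}" ;;
            -*) action="-"; name="${tok#-}" ;;
            *)  action="";  name="$tok" ;;
        esac
        # Names match case-insensitively ("all" and "All" both work)
        case "$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')" in
            all)     name="all" ;;
            sslv2)   name="SSLv2" ;;
            sslv3)   name="SSLv3" ;;
            tlsv1)   name="TLSv1" ;;
            tlsv1.1) name="TLSv1.1" ;;
            tlsv1.2) name="TLSv1.2" ;;
        esac
        if [ "$name" = "all" ]; then
            targets="$known"
        elif [ "$name" = "SSLv2" ]; then
            targets=""                     # token recognised, protocol never enabled (assumption)
        elif has_word "$known" "$name"; then
            targets="$name"
        else
            echo "SSLProtocol: Illegal protocol '$name'"
            return 1
        fi
        case "$action" in
            -) for p in $targets; do enabled=$(set_remove "$enabled" "$p"); done ;;
            +) for p in $targets; do has_word "$enabled" "$p" || enabled="$enabled $p"; done ;;
            *) enabled="$targets" ;;       # bare token: replaces everything before it
        esac
    done
    for p in SSLv3 TLSv1 TLSv1.1 TLSv1.2; do
        has_word "$enabled" "$p" && out="$out $p"
    done
    echo "${out# }"
}

# legacy_enabled "ARGS" ["KNOWN"] -> the protocols a "server supports TLSv1.0"
# style finding is about (SSLv3, TLSv1) that the line still leaves enabled.
legacy_enabled() {
    local result p out=""
    result=$(effective_protocols "$1" "$2") || { echo "$result"; return 1; }
    for p in $result; do
        case "$p" in SSLv3|TLSv1) out="$out $p" ;; esac
    done
    echo "${out# }"
}

# Walk through the lines tried in the thread against both modelled builds.
for known in "$DEFAULT_KNOWN" "SSLv3 TLSv1"; do
    echo "== build knows: $known"
    for line in "all -SSLv2 -TLSv1" \
                "all -SSLv2 -SSLv3 -TLSv1" \
                "All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2" \
                "-All +TLSv1.1" \
                "+TLSv1.1 +TLSv1.2"; do
        printf '%-45s -> enabled: [%s]  legacy left on: [%s]\n' \
            "$line" "$(effective_protocols "$line" "$known")" "$(legacy_enabled "$line" "$known")"
    done
done
```

Run as-is to see the table for both modelled builds. Two things the output makes visible: the first line tried in the thread, all -SSLv2 -TLSv1, evaluates to SSLv3 TLSv1.1 TLSv1.2, so it satisfies a TLSv1.0 finding while leaving SSLv3 enabled; and -All +TLSv1.1 and +TLSv1.1 +TLSv1.2 only differ from the longer "All ..." form in wording, not in the resulting set. The evaluator only says what a line means to the parser; which protocols the restarted server actually offers still has to be confirmed against the running service.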

anee...@gmail.com

Oct 15, 2017, 10:30:58 AM
Hello

I tried the above combination given by you, but it still gives the same error: Illegal protocol

My openssl version is OpenSSL 1.0.1e-fips 11 Feb 2013

Not sure if this is related to openssl version.


Regards,

Aneesh

I R A Darth Aggie

Oct 19, 2017, 4:42:22 PM
On Sun, 15 Oct 2017 07:30:57 -0700 (PDT),
anee...@gmail.com <anee...@gmail.com>, in
<2fc12964-9fc0-46e0...@googlegroups.com> wrote:

> I tried above combination given by you.. but it still gives same
> error.. Illegal protocol
>
> My openssl version is OpenSSL 1.0.1e-fips 11 Feb 2013
>
> Not sure if this is related to openssl version.

At this point, I got nothing. Sorry.