Discussion:
SSLProtocol: Illegal protocol '"TLSv1.1"'
a***@gmail.com
2017-10-13 10:17:22 UTC
Hi Team,


We have Red Hat 7.3 / Apache 2.2.29 / OpenSSL 1.0.1e-fips 11 Feb 2013

I have to remediate a vulnerability: SSL/TLS Server supports TLSv1.0

I tried to add the line "SSLProtocol All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2" in httpd.conf and restarted Apache; it throws the error below: "SSLProtocol: Illegal protocol '"TLSv1.1"'"

Then, to remediate that, I tried to install the mod_ssl package. But it is asking me to install dependencies like httpd-2.4.6.

Package Arch Version Repository Size
=============================================================================================================================================================
Installing:
mod_ssl x86_64 1:2.4.6-40.el7
Installing for dependencies:
apr x86_64 1.4.8-3.el7
apr-util x86_64 1.5.2-6.el7
httpd x86_64 2.4.6-40.el7
httpd-tools x86_64 2.4.6-40.el7



Now I am worried about whether to install these dependencies or not. Will they affect my running httpd instances? Is there any other way to remediate this vulnerability?
I R A Darth Aggie
2017-10-13 19:35:48 UTC
On Fri, 13 Oct 2017 03:17:22 -0700 (PDT),
Post by a***@gmail.com
I tried to add the line "SSLProtocol All -SSLv2 -SSLv3 -TLSv1
+TLSv1.1 +TLSv1.2" in httpd.conf and restarted Apache; it throws
the error below: "SSLProtocol: Illegal protocol '"TLSv1.1"'"
Shouldn't that be "-all" instead of "all"? If my memory serves, that
means you will accept *all* protocols, then the rest of the stanza
doesn't matter since the rules apply left to right.
Post by a***@gmail.com
Now I am worried about whether to install these dependencies or not. Will
they affect my running httpd instances? Is there any other way to
remediate this vulnerability?
That will require a restart of your http/s service. Given that this is
a stateless transaction, this shouldn't be a huge issue. Otherwise,
you're running a potentially vulnerable service listening to the
internet.

If you're worried about compatibility with your current configuration,
you may want to run the update against a spare server, or a virtual
machine with the same software and configuration.
--
Consulting Minister for Consultants, DNRC
I can please only one person per day. Today is not your day. Tomorrow
isn't looking good, either.
I am BOFH. Resistance is futile. Your network will be assimilated.
a***@gmail.com
2017-10-14 17:40:50 UTC
Hello Darth Aggie,

I tried different combinations like the ones below.

SSLProtocol all -SSLv2 -TLSv1 -- it works fine

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -- it didn't work

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2 -- it didn't work

SSLProtocol -All +TLSv1.1 -- it didn't work


I also tried installing the mod_ssl package from Red Hat using rpm -ivh mod_ssl* --nodeps. I am still getting the same error.
I R A Darth Aggie
2017-10-14 21:47:37 UTC
On Sat, 14 Oct 2017 10:40:50 -0700 (PDT),
Post by a***@gmail.com
SSLProtocol all -SSLv2 -TLSv1 -- it works fine
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -- it didn't work
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2 -- it didn't work
SSLProtocol -All +TLSv1.1 -- it didn't work
Well, upon further review, all is correct.
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol

Available protocols: SSLv3, TLSv1, TLSv1.1, TLSv1.2, and all

all == +SSLv3 +TLSv1 (OpenSSL < v1.0.1)
all == +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

If compiled with a "no-ssl3" option, then all does not include +SSLv3
Post by a***@gmail.com
I also tried installing the mod_ssl package from Red Hat using rpm -ivh
mod_ssl* --nodeps. I am still getting the same error.
What is your version of OpenSSL? The package name might be libssl. That is
probably the sticking point. What happens if you change SSLProtocol to

SSLProtocol +TLSv1.1 +TLSv1.2

??? That works for me, but I'm running Debian with apache 2.4.27. I
don't see why one would need "all" if you specify the secure
TLSv1.(1|2) variants. My available SSL libraries are 1.1.0 and 1.0.2
--
Consulting Minister for Consultants, DNRC
I can please only one person per day. Today is not your day. Tomorrow
isn't looking good, either.
I am BOFH. Resistance is futile. Your network will be assimilated.
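To make the two points in these replies concrete (tokens are applied left to right, and "all" expands to whatever the linked OpenSSL supports), here is a small model of how mod_ssl evaluates an SSLProtocol line. It is an added example, not code from this thread or from the Apache project, and it is a simplification, not a copy of mod_ssl's parser. Assumptions: "+X" adds a protocol, "-X" removes it, a bare token replaces everything before it; "all" is SSLv3 and TLSv1 on a build without TLSv1.1/TLSv1.2 support (the doc excerpt quoted above) and those two token names are then not recognised at all; SSLv2 is always accepted as a token here; and an empty result is an error, since httpd refuses to start with no protocol enabled. The parameter `tls11_12_available` and the functions `effective_protocols` and `explain` are this example's own names.

```python
# Added example (not from the thread or the Apache project): a simplified
# model of SSLProtocol evaluation in mod_ssl, used to replay the lines
# tried in this thread against a build that knows the TLSv1.1/TLSv1.2
# tokens and one that does not. Names and behaviour below are assumptions
# of this model, not a transcription of mod_ssl's source.

BASE_TOKENS = ("SSLv2", "SSLv3", "TLSv1")       # assumed always recognised
NEWER_TOKENS = ("TLSv1.1", "TLSv1.2")          # only when the build supports them


class SSLProtocolError(ValueError):
    """Raised with the message the model expects httpd to log."""


def known_tokens(tls11_12_available):
    """Token names the model accepts, and the set that 'all' expands to."""
    tokens = BASE_TOKENS + (NEWER_TOKENS if tls11_12_available else ())
    all_set = {"SSLv3", "TLSv1"}
    if tls11_12_available:
        all_set |= set(NEWER_TOKENS)
    return tokens, all_set


def effective_protocols(directive, tls11_12_available=True, no_ssl3=False):
    """Protocols enabled by an SSLProtocol argument string.

    Tokens are applied left to right. Raises SSLProtocolError for an
    unknown token or when nothing is left enabled at the end.
    """
    tokens, all_set = known_tokens(tls11_12_available)
    if no_ssl3:                                  # OpenSSL built with no-ssl3
        all_set.discard("SSLv3")
    by_lower = {t.lower(): t for t in tokens}    # matched case-insensitively
    enabled = set()
    for word in directive.split():
        action = ""
        if word[:1] in ("+", "-"):
            action, word = word[0], word[1:]
        key = word.lower()
        if key == "all":
            this = set(all_set)
        elif key in by_lower:
            this = {by_lower[key]}
        else:
            raise SSLProtocolError("SSLProtocol: Illegal protocol '%s'" % word)
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this                       # bare token discards earlier ones
    if not enabled:
        raise SSLProtocolError("No SSL protocols available [hint: SSLProtocol]")
    return enabled


def explain(directive, tls11_12_available=True, no_ssl3=False):
    """One-line verdict: 'ok: <protocols>' or 'error: <message>'."""
    try:
        enabled = effective_protocols(directive, tls11_12_available, no_ssl3)
    except SSLProtocolError as exc:
        return "error: %s" % exc
    return "ok: " + " ".join(sorted(enabled))


if __name__ == "__main__":
    # The lines from the thread, plus one showing that order matters.
    tried = [
        "all -SSLv2 -TLSv1",
        "all -SSLv2 -SSLv3 -TLSv1",
        "All -SSLv2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2",
        "-All +TLSv1.1",
        "+TLSv1.1 +TLSv1.2",
        "-TLSv1 all",      # the bare 'all' re-enables TLSv1 removed just before
    ]
    for avail in (False, True):
        print("build knows TLSv1.1/TLSv1.2 tokens: %s" % avail)
        for line in tried:
            print("  SSLProtocol %-44s -> %s" % (line, explain(line, avail)))
```

Run against a build that lacks the TLSv1.1/TLSv1.2 tokens, the model reproduces the thread's symptoms: every line naming TLSv1.1 fails with "Illegal protocol", "all -SSLv2 -SSLv3 -TLSv1" leaves nothing enabled, and the one line that "works fine", "all -SSLv2 -TLSv1", does so by leaving only SSLv3 on, which is a worse position than the TLSv1.0 finding being remediated. Whatever configuration is finally deployed, confirm it from the outside rather than from the config file, for example with `openssl s_client -connect host:443 -tls1`, where a failed handshake is the desired result.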
a***@gmail.com
2017-10-15 14:30:57 UTC
Hello

I tried the combination you gave above, but it still gives the same error: Illegal protocol

My openssl version is OpenSSL 1.0.1e-fips 11 Feb 2013

Not sure if this is related to openssl version.


Regards,

Aneesh
I R A Darth Aggie
2017-10-19 20:42:21 UTC
On Sun, 15 Oct 2017 07:30:57 -0700 (PDT),
Post by a***@gmail.com
I tried the combination you gave above, but it still gives the same error: Illegal protocol
My openssl version is OpenSSL 1.0.1e-fips 11 Feb 2013
Not sure if this is related to openssl version.
At this point, I got nothing. Sorry.
--
Consulting Minister for Consultants, DNRC
I can please only one person per day. Today is not your day. Tomorrow
isn't looking good, either.
I am BOFH. Resistance is futile. Your network will be assimilated.