I have an Ubuntu 12.04.2 LTS server running Apache 2.2.22 with mod_ssl and OpenSSL v1.0.1.
In my vhosts config (everything else within which behaves as I would expect), I have the SSLProtocol line with -all +SSLv3.
With that configuration, TLS 1.1 & 1.2 are enabled and work correctly – which is counter-intuitive to me, as I would expect that only SSLv3 would be enabled given that configuration.
I can enable/disable TLSv1 just fine with -/+TLSv1, and it works as expected. But +/-TLSv1.1 and +/-TLSv1.2 are not valid configuration options – so I can't disable them that way.
As for why I'd want to do this – I'm dealing with a third party application (which I have no control over) that has some buggy behavior with TLS enabled servers, and I need to completely disable it to move forward.
Best Answer
Intrigued by this bug (and yes, I've been able to reproduce it) I've taken a look at the source code for the latest stable version of mod_ssl and found an explanation. Bear with me, this is gonna get amateur-stack-overflowish:

When the SSLProtocol has been parsed, it results in a char looking something like this:

Upon initiating a new server context, ALL available protocols will be enabled, and the above char is inspected using some nifty bitwise AND operations to determine what protocols should be disabled. In this case, where SSLv3 is the only protocol to have been explicitly enabled, the 3 others will be disabled.

OpenSSL supports a protocol setting for TLSv1.1, but since the SSLProtocol does not account for these options, it never gets disabled. OpenSSL v1.0.1 has some known issues with TLSv1.2, but if it's supported I suppose the same goes for that as for TLSv1.1; it's not recognized/handled by mod_ssl and thus never disabled.

Source Code References for mod_ssl:
SSLProtocol gets parsed at line 925 in pkg.sslmod/ssl_engine_config.c
The options used in the above function are defined at line 444 in pkg.sslmod/mod_ssl.h
All protocols get enabled at line 586 in pkg.sslmod/ssl_engine_init.c, whereafter specific protocols get disabled on the subsequent lines

How to disable it then?
You have a few options:
Protocols All,-TLSv1.1,-TLSv1.2
mod_ssl ;-)