I have an interesting problem with two Linux servers with Apache 2.4.9: I'm trying to disable SSL v3 and RC4 in order to block POODLE and keep SSL Labs happy. However, whenever I turn off SSL v3, I also lose TLS 1.1 and 1.2 (keeping only TLS 1.0).
Here's my Apache version:
$ apachectl -v
Server version: Apache/2.4.9 (Unix)
Server built: Mar 24 2014 10:51:20
And OpenSSL:
$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
And Linux:
$ cat /proc/version
Linux version 2.6.32-279.11.1.el6.x86_64 (mockbuild@x86-009.build.bos.redhat.com) (gcc version 4.4.6 20120305 (Red Hat 4.4.6-4) (GCC) ) #1 SMP Sat Sep 22 07:10:26 EDT 2012
Here's what I tried:
# TLS 1.0 only
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite MEDIUM:HIGH:!RC4
This first one is what I would expect to work, and I have used it successfully in other Apache installations. The result is TLS 1.0 only.
# SSLv3, TLS1.0, 1.1, 1.2
SSLProtocol all -SSLv2
SSLCipherSuite MEDIUM:HIGH:!RC4
This turns off RC4, and keeps TLS 1.0, 1.1 and 1.2, but SSL v3 is also enabled.
Finally:
# TLS 1.2 only
SSLProtocol all
SSLCipherSuite MEDIUM:HIGH:!RC4:!SSLv3
This combination results in TLS 1.2 only (no TLS 1.0 or 1.1, no SSL).
I'm thinking this is a bug in mod_ssl in the Apache i have. I'm curious if anyone here has seen this, and if you have found a way to have TLS 1.0, 1.1 and 1.2 enabled, but SSL disabled.
Thanks.
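A way to check which protocol versions the server actually negotiates after each config change, independently of SSL Labs. This is an added example, not part of the question or the answer; the hostname and port are assumed, and it relies on the `-ssl3`, `-tls1`, `-tls1_1` and `-tls1_2` flags of the OpenSSL 1.0.1 `s_client`, whose "Cipher : 0000" session line marks a failed handshake.

```shell
#!/bin/sh
# Probe a server for SSL v3 / TLS 1.0 / 1.1 / 1.2 support with openssl s_client.
# Added example; host and port are assumed (e.g. ./probe.sh www.example.com 443).

# Classify captured s_client output: "accepted" when a cipher was negotiated
# for the requested protocol, "rejected" otherwise (handshake failure, or no
# session block at all, e.g. connection refused).
classify_handshake() {
    case "$1" in
        *"Cipher    : 0000"*) echo rejected ;;   # session block, but no cipher
        *"Cipher    : "*)     echo accepted ;;   # a real cipher was agreed
        *)                    echo rejected ;;   # no session block printed
    esac
}

# Run s_client once with a single protocol-version flag and classify the result.
# $1 = host, $2 = port, $3 = one of -ssl3 -tls1 -tls1_1 -tls1_2
probe_protocol() {
    out=$(printf 'Q\n' | openssl s_client -connect "$1:$2" "$3" 2>&1)
    classify_handshake "$out"
}

# Report every protocol version in turn, one line each.
probe_all() {
    for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe_protocol "$1" "$2" "$flag")"
    done
}

# Constructed sample of the relevant lines from s_client output (not a real
# capture), used only to exercise classify_handshake offline.
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_FAIL='SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'

demo_classify() {
    printf 'sample ok: %s\n'   "$(classify_handshake "$SAMPLE_OK")"
    printf 'sample fail: %s\n' "$(classify_handshake "$SAMPLE_FAIL")"
}

# Only touch the network when a host is given on the command line.
if [ -n "${1:-}" ]; then
    probe_all "$1" "${2:-443}"
else
    demo_classify
fi
```

With the first SSLProtocol/SSLCipherSuite pair from the question, the expected output on a correctly configured server is "rejected" for -ssl3 and "accepted" for the three TLS flags.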
Best Answer
Is the use of MEDIUM preventing TLS 1.1 and 1.2 from being enabled? Below is my config. I don't remember why I forced the cipher order. I just checked at Qualys and it shows that only TLS 1.0, 1.1 and 1.2 are enabled.