Intrigued by this bug (and yes, I've been able to reproduce it) I've taken a look at the source code for the latest stable version of mod_ssl
and found an explanation. Bear with me, this is gonna get amateur-stack-overflowish:
When the SSLProtocol has been parsed, it results in a char looking something like this:
    0 1 0 0
    ^ ^ ^ ^
    | | | SSLv1
    | | SSLv2
    | SSLv3
    TLSv1
Upon initiating a new server context, ALL available protocols will be enabled, and the above char is inspected using some nifty bitwise AND operations to determine what protocols should be disabled. In this case, where SSLv3 is the only protocol to have been explicitly enabled, the 3 others will be disabled.
OpenSSL supports a protocol setting for TLSv1.1, but since the SSLProtocol does not account for these options, it never gets disabled. OpenSSL v1.0.1 has some known issues with TLSv1.2 but if it's supported I suppose the same goes for that as for TLSv1.1; it's not recognized/handled by mod_ssl and thus never disabled.
Source Code References for mod_ssl:
- SSLProtocol gets parsed at line 925 in pkg.sslmod/ssl_engine_config.c
- The options used in the above function are defined at line 444 in pkg.sslmod/mod_ssl.h
- All protocols get enabled at line 586 in pkg.sslmod/ssl_engine_init.c, whereafter specific protocols get disabled on the subsequent lines
How to disable it then?
You have a few options:
- Disable it in the OpenSSL config file with:
    Protocols All,-TLSv1.1,-TLSv1.2
- Rewrite mod_ssl ;-)
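To make the "enable everything, then AND away what the directive did not select" logic concrete, here is an added illustrative C program. It is not mod_ssl's or OpenSSL's code: the PROTO_* bit values, the two lookup tables, the LIB_DEFAULT set and the function names are all assumptions constructed for the example. The legacy table knows only the four protocols in the mask diagram above; the extended table also knows TLSv1.1 and TLSv1.2. Running the same "SSLProtocol SSLv3" directive through both shows why the two newer versions stay enabled under the legacy handling, and what the fix looks like.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Bit positions mirror the four-entry mask described in the answer
 * (TLSv1 SSLv3 SSLv2 SSLv1, high to low). The TLSv1.1/1.2 bits are the
 * ones a legacy directive parser does not know about. All constants are
 * illustrative stand-ins, not mod_ssl's or OpenSSL's own definitions. */
enum {
    PROTO_SSLV1   = 1u << 0,
    PROTO_SSLV2   = 1u << 1,
    PROTO_SSLV3   = 1u << 2,
    PROTO_TLSV1   = 1u << 3,
    PROTO_TLSV1_1 = 1u << 4,
    PROTO_TLSV1_2 = 1u << 5
};

struct proto_entry { const char *name; unsigned bit; };

/* What a legacy parser recognises in an SSLProtocol directive (assumed). */
static const struct proto_entry legacy_table[] = {
    { "SSLv1", PROTO_SSLV1 }, { "SSLv2", PROTO_SSLV2 },
    { "SSLv3", PROTO_SSLV3 }, { "TLSv1", PROTO_TLSV1 },
};
/* The same table extended with the two versions OpenSSL 1.0.1 can speak. */
static const struct proto_entry extended_table[] = {
    { "SSLv1", PROTO_SSLV1 },     { "SSLv2", PROTO_SSLV2 },
    { "SSLv3", PROTO_SSLV3 },     { "TLSv1", PROTO_TLSV1 },
    { "TLSv1.1", PROTO_TLSV1_1 }, { "TLSv1.2", PROTO_TLSV1_2 },
};
#define COUNT_OF(t) (sizeof(t) / sizeof((t)[0]))

/* Constructed: the set a fresh library context enables before any
 * "disable this protocol" option is applied (no SSLv1, as in real OpenSSL). */
#define LIB_DEFAULT (PROTO_SSLV2 | PROTO_SSLV3 | PROTO_TLSV1 | PROTO_TLSV1_1 | PROTO_TLSV1_2)

static unsigned all_bits(const struct proto_entry *t, size_t n) {
    unsigned m = 0;
    for (size_t i = 0; i < n; i++) m |= t[i].bit;
    return m;
}

/* Parse "SSLv3", "all -SSLv2", "+TLSv1 ..." into a bitmask of the protocols
 * the admin asked for. Tokens are whitespace separated, may carry a '+' or
 * '-' prefix, and "all" means every protocol in the table. Unknown tokens
 * are ignored, which is what lets a version the table lacks slip through. */
unsigned parse_sslprotocol(const char *directive,
                           const struct proto_entry *t, size_t n) {
    unsigned mask = 0;
    const char *p = directive;
    while (*p) {
        while (*p == ' ' || *p == '\t') p++;
        if (!*p) break;
        int negate = 0;
        if (*p == '+') p++;
        else if (*p == '-') { negate = 1; p++; }
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t') p++;
        size_t len = (size_t)(p - start);
        unsigned bit = 0;
        if (len == 3 && strncasecmp(start, "all", 3) == 0) {
            bit = all_bits(t, n);
        } else {
            for (size_t i = 0; i < n; i++)
                if (strlen(t[i].name) == len && strncasecmp(start, t[i].name, len) == 0)
                    bit = t[i].bit;
        }
        if (negate) mask &= ~bit; else mask |= bit;
    }
    return mask;
}

/* Mirror of the init step the answer describes: start with everything the
 * library enables, then clear each protocol the table knows about that the
 * directive did not select. Anything not in the table stays enabled. */
unsigned effective_protocols(unsigned configured,
                             const struct proto_entry *t, size_t n) {
    unsigned enabled = LIB_DEFAULT;
    for (size_t i = 0; i < n; i++)
        if (!(configured & t[i].bit))
            enabled &= ~t[i].bit;
    return enabled;
}

/* Convenience wrappers so the two behaviours can be compared directly. */
unsigned legacy_effective(const char *directive) {
    return effective_protocols(parse_sslprotocol(directive, legacy_table, COUNT_OF(legacy_table)),
                               legacy_table, COUNT_OF(legacy_table));
}
unsigned extended_effective(const char *directive) {
    return effective_protocols(parse_sslprotocol(directive, extended_table, COUNT_OF(extended_table)),
                               extended_table, COUNT_OF(extended_table));
}

int main(void) {
    /* Legacy handling leaves TLSv1.1 and TLSv1.2 set; extended handling does not. */
    printf("SSLProtocol SSLv3, legacy table:   0x%02x\n", legacy_effective("SSLv3"));
    printf("SSLProtocol SSLv3, extended table: 0x%02x\n", extended_effective("SSLv3"));
    return 0;
}
```

The mask for "SSLv3" is identical in both runs; the difference lies entirely in which bits the disable loop is able to clear. That is the whole bug: the directive parser cannot express a protocol, so the init code never considers it, and the library's default of "on" wins.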
Best Answer
It is not supported natively. Support for TLS 1.1 and 1.2 was added to Windows Server 2008 R2.
See How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll.
Neither IIS provided with Windows 2003 nor Internet Explorer versions 7 and 8 (executable on Windows 2003) support TLS 1.1/TLS 1.2.
If the application uses the library provided by the operating system (schannel.dll), then Windows 2003 supports only: SSL 2.0, SSL 3.0 and TLS 1.0. However, if the application used/implemented another library, it might support the versions in question (for example Chrome and Firefox browsers support TLS 1.1 and 1.2 when running on older Windows systems as well).