[Bug 60739] New: SSLProtocol settings seem to have no effect

[Bug 60739] New: SSLProtocol settings seem to have no effect

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60739

            Bug ID: 60739
           Summary: SSLProtocol settings seem to have no effect
           Product: Apache httpd-2
           Version: 2.4.25
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Changes in SSLProtocol seem to be ignored.

This can be observed in all SSL testers I've used.

The testssl script provides an easy way to check this, without having to wait
for minutes (like SSLLabs) for output.

Problem can be shown via...

testssl --protocols https://davidfavor.com/

Environment - Apache-4.2.5 + OpenSSL 1.0.2k + Ubuntu Yakkety.

My goal == disable TLS 1.0 for some of my hosting clients who have PCI
requirements for this level of TLS to be disabled.

None of these permutations work. In fact, I can't find any SSLProtocol setting
which changes protocols at all. In all cases SSL2 + SSL3 are disabled + all TLS
versions are enabled.

Settings tried, that fail to disable TLSv1...

# SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# SSLProtocol -All TLSv1.2
# SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

# SSLProtocol all -SSLv2 -SSLv3 -TLSv1
# SSLProtocol -all +TLSv1.2
# SSLProtocol TLSv1.2 -TLSv1
# SSLProtocol TLSv1.2
# SSLProtocol -All +TLSv1.1 +TLSv1.2

SSLProtocol all -SSLv2 -SSLv3 -TLSv1

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

--- Comment #1 from David Favor <[hidden email]> ---
Setting SSLProtocol to -all produces the expected behavior, which is an error
about no protocols.

This suggests the problem relates to setting TLSv1.2, which incorrectly seems
to also enable TLSv1.1 + TLSv1.0 so maybe this is the real problem.

The following also fail disabling TLSv1.

# SSLProtocol all -SSLv2 -SSLv3 +TLSv1.2 -TLSv1
# SSLProtocol -all +TLSv1.2 -TLSv1


--- Comment #2 from David Favor <[hidden email]> ---
The following also works oddly.

SSLProtocol -all +TLSv1

This enables TLS 1.0 + 1.1 + 1.2 rather than just 1.0 as expected.


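The settings listed in the report and the "-all +TLSv1" case in comment #2 are easier to reason about with the directive's parsing rules written down. The resolver below is an added example, not code from this thread or from httpd: it applies the mod_ssl 2.4 rules (a bare keyword replaces the working set, and mod_ssl warns when that discards earlier keywords; "+" adds, "-" removes; "all" is every version except SSLv2) and shows that every line in the report already leaves TLSv1 disabled, while "-all" yields no protocol at all, matching the error seen in comment #1. A server that still negotiates TLSv1 after such a line is therefore reading some other SSLProtocol directive than the one being edited. The code assumes a build that also knows the TLSv1.3 keyword (a 2.4.25 build does not); drop that name from PROTOCOLS to model an older build.

```python
"""Resolve an SSLProtocol argument string to the set of protocol versions it
enables, following mod_ssl 2.4 parsing. Added example, not mod_ssl's own code;
assumes a build that knows TLSv1.3 (2.4.25 lacks that keyword)."""

PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
ALL = frozenset(PROTOCOLS) - {"SSLv2"}      # 'all' never re-enables SSLv2

NONE_TEXT = "(none: error, no protocols)"


def resolve_sslprotocol(argument):
    """Return (enabled, warnings). Keywords are case-insensitive, as in mod_ssl:
    '+X' adds, '-X' removes, a bare 'X' replaces whatever was set before it."""
    enabled = set()
    warnings = []
    for word in argument.split():
        action, name = "", word
        if word[0] in "+-":
            action, name = word[0], word[1:]
        if name.lower() == "all":
            versions = set(ALL)
        else:
            known = [p for p in PROTOCOLS if p.lower() == name.lower()]
            if not known:
                raise ValueError(f"SSLProtocol: Illegal protocol '{name}'")
            versions = {known[0]}
        if action == "-":
            enabled -= versions
        elif action == "+":
            enabled |= versions
        else:
            # A bare keyword discards earlier ones; mod_ssl logs a warning here.
            if enabled:
                warnings.append(f"'{name}' overrides protocols set earlier in "
                                f"'{argument}'; is a +/- prefix missing?")
            enabled = versions
    return frozenset(enabled), warnings


def describe(argument):
    """One readable line, in protocol order, for a configuration review."""
    enabled, warnings = resolve_sslprotocol(argument)
    names = [p for p in PROTOCOLS if p in enabled] or [NONE_TEXT]
    return " ".join(names) + ("  [" + "; ".join(warnings) + "]" if warnings else "")


if __name__ == "__main__":
    # The lines tried in the report and in comment #2. Only the last one
    # enables TLSv1, so a server still offering TLSv1 after any of the others
    # is reading a different SSLProtocol directive than the one being edited.
    for line in ("All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1", "-All TLSv1.2",
                 "all -SSLv2 -SSLv3 -TLSv1", "-all +TLSv1.2", "TLSv1.2 -TLSv1",
                 "TLSv1.2", "-All +TLSv1.1 +TLSv1.2", "-all", "-all +TLSv1"):
        print(f"SSLProtocol {line:32} -> {describe(line)}")
```

Feed it the exact argument string of each SSLProtocol line you find in a configuration; a warning in the output means a bare keyword silently threw away what an earlier keyword on the same line set.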
--- Comment #3 from David Favor <[hidden email]> ---
This seems to have changed somewhere between 2.4.18 + 2.4.23, as setting
SSLProtocol used to be honored.


--- Comment #4 from David Favor <[hidden email]> ---
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1665151 - related Ubuntu
bug ticket.


Szőgyényi Gábor <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


Michael Kaufmann <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |apache-bugzilla@michael-kau
                   |                            |fmann.ch

--- Comment #5 from Michael Kaufmann <[hidden email]> ---
I have tested this with Apache 2.4.25 and OpenSSL 1.0.2k, with global settings
and also with virtual host settings.

It works for me. For example, with "SSLProtocol -All +TLSv1.1 +TLSv1.2", TLS
1.0 is not possible, TLS 1.1 and TLS 1.2 are possible.

Could you please provide a minimal, stand-alone Apache configuration that shows
the problem?


--- Comment #6 from David Favor <[hidden email]> ---
The problem seems to be an interaction between the Cipher List + SSLProtocol.

Depending on setting of Cipher List SSLProtocol seems to work or be ignored.

These settings disable TLSv1.0

# support old Android phones
SSLProtocol All -SSLv2 -SSLv3 -TLSv1

# Force using custom cipher list
SSLHonorCipherOrder on

Define sslCiphers -ALL:!ADH:!aNULL:!EXP:!EXPORT40:!EXPORT56:!3DES:!eNULL:!NULL:!RC4:!DES:!MD5:!LOW
Define sslCiphers ${sslCiphers}:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
SSLCipherSuite ${sslCiphers}

Other sslCiphers settings cause SSLProtocol to be ignored.

I think the fix is either to have SSLProtocol cause a prune of sslCiphers
settings or if there's a conflict between SSLProtocol + sslCiphers then have
some sort of warning about the conflict.

All in all, the problem is far more complex than it appears on the surface.

For now, I'll resolve my situation by using the above settings.


--- Comment #7 from Eric Covener <[hidden email]> ---
(In reply to David Favor from comment #6)

> The problem seems to be an interaction between the Cipher List + SSLProtocol.
>
> Depending on setting of Cipher List SSLProtocol seems to work or be ignored.
>
> These settings disable TLSv1.0
>
> # support old Android phones
> SSLProtocol All -SSLv2 -SSLv3 -TLSv1
>
> # Force using custom cipher list
> SSLHonorCipherOrder on
>
> Define sslCiphers
> -ALL:!ADH:!aNULL:!EXP:!EXPORT40:!EXPORT56:!3DES:!eNULL:!NULL:!RC4:!DES:!MD5:!
> LOW
> Define sslCiphers
> ${sslCiphers}:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-
> AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-
> SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
> SSLCipherSuite ${sslCiphers}
>
> Other sslCiphers settings cause SSLProtocol to be ignored.
>

Can you share a specific pair with unexpected results?


[hidden email] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


--- Comment #8 from [hidden email] ---
I have a similar issue. Whatever I set in SSLProtocol is ignored.

apache2ctl -v
Server version: Apache/2.4.10 (Debian)
Server built:   Feb 24 2017 18:40:28

openssl version
OpenSSL 1.0.1t  3 May 2016

If I use the settings provided by David Favor :

SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ALL:!ADH:!aNULL:!EXP:!EXPORT40:!EXPORT56:!3DES:!eNULL:!NULL:!RC4:!DES:!MD5:!LOW:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA

I got only TLSv1.2 enabled, not TLSv1.1.

I could find a way to activate TLSv1.1, with or without TLSv1. All the time,
only TLSv1.2 (I tried a lot of different ciphers suite).

Note that if I try with the openssl s_server command, all is working as
expected.


--- Comment #9 from [hidden email] ---
Fix:
> I CANNOT find a way to activate TLSv1.1, with or without TLSv1. All the time, only TLSv1.2 (I tried a lot of different ciphers suite).


--- Comment #10 from David Favor <[hidden email]> ---
Per my other comment above, it appears SSLProtocol is strongly affected by the
SSLCipherSuite list.

This means SSLProtocol may or may not have any effect, based on SSLCipherSuite
list.

Likely this is a complex fix, which might be accomplished by...

1) process SSLCipherSuite

2) then removed any SSLCipherSuite ciphers based on SSLProtocol setting

Simple to describe. Complex to implement.

Another solution might be to just deprecate the SSLProtocol setting.

This would mean SSLCipherSuite determines protocol selection, which appears to
be what's actually occurring.

This would involve, removing all code related to SSLProtocol processing +
updating documentation for SSLCipherSuite saying, protocols set derive from
SSLCipherSuite list provided.


--- Comment #11 from [hidden email] ---
SSLCipherSuite seems to have no effect on the protocol on my side.
Whatever I put:

SSLCipherSuite ALL:!ADH:!aNULL:!EXP:!EXPORT40:!EXPORT56:!3DES:!eNULL:!NULL:!RC4:!DES:!MD5
or
SSLCipherSuite ALL
or
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP

I got no changes in protocol, only TLSv1.2 is enabled.


Jacob Champion <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #12 from Jacob Champion <[hidden email]> ---
I'm also unable to reproduce. httpd 2.4.25, OpenSSL 1.0.2g -- the protocols are
honored correctly with the example ciphersuite lines that have been given in
this bug.

For those who can repro: can you please provide the exact set of configuration
directives that reproduces the issue?


--- Comment #13 from [hidden email] ---
Well, my bad... After trying to reproduce it on a dockerized version, I found I
had a false config hidden.....

I confirm that I can use TLSv1.1 as well as TLSv1.2 with this simple config :
SSLProtocol all -SSLv3 -TLSv1
SSLCipherSuite HIGH:!aNULL

Server version: Apache/2.4.10 (Debian)
Server built:   Feb 24 2017 18:40:28
OpenSSL 1.0.1t  3 May 2016

@David Favor : I'm not able to reproduce the issue (having TLS activated
depends on ciphers). If you have a cipher list with which you have seen some
protocols disabled, share it with us and I will try.


Brad Lanam <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW

--- Comment #14 from Brad Lanam <[hidden email]> ---
The letsencrypt setup process adds the following line, which
includes SSLProtocol and SSLCipherSuite setup.
Quite annoying as a grep for SSLProtocol will not find it.

    Include /etc/letsencrypt/options-ssl-apache.conf


William A. Rowe Jr. <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #15 from William A. Rowe Jr. <[hidden email]> ---
The ASF HTTP Server project has nothing to do with letsencrypt distributed
solutions. Comment #14 does not enhance this report.

(This is distinct from mod_md, which is httpd's response for users to provision
letsencrypt certs.)


--- Comment #16 from Brad Lanam <[hidden email]> ---
I was not entirely clear.
The letsencrypt configuration that gets installed will override any
SSLProtocol and SSLCipherSuite commands with their config.

I tried to get TLSv1 to turn off for a day before noticing the
additional configuration.

It is likely that other followers of this bug are having issues
configuring TLSv1 due to the letsencrypt override.


A.Sklepas <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #17 from A.Sklepas <[hidden email]> ---
Hi, I can confirm the issue.
I have searched all configs and VHosts; no overrides are made, so it should work, but
nmap --script ssl-enum-ciphers -p 443 IP | grep TLSv
returns TLS1.0,  TLSv1.1

I also investigated the claims about letsencrypt:
Read this topic:
https://community.letsencrypt.org/t/how-to-disable-tlsv1/49117/4
On some systems the options-ssl-apache.conf seems to be included in the virtual
hosts.
"Include /etc/letsencrypt/options-ssl-apache.conf"

Anyway, not in my case, plus I have disabled the options in that file to be
certain.
PS. Why are we waiting to fix this one? I do see servers that have disabled
TLS1 btw...


My info: Apache/2.4.33


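Comments #14, #16 and #17 all turn on the same question: does some Included file carry a second SSLProtocol or SSLCipherSuite that a grep over the main configuration never shows? The checker below is an added example, not httpd's own code. It walks a configuration from the main file, follows Include and IncludeOptional (globs and directories, relative paths resolved against ServerRoot) and lists every SSLProtocol and SSLCipherSuite it meets together with the <VirtualHost> scope it lands in, so the directive that actually wins (the last one loaded in that scope, which is how mod_ssl merges them) and the ones it overrides appear side by side with file and line. The demo tree it builds is constructed for the example; the options-ssl-apache.conf it writes is a placeholder with hypothetical contents, not the file Let's Encrypt ships. One caveat when reading the output for name-based virtual hosts: on older 2.4 releases the protocol version is negotiated before the SNI name is known, so clients get the SSLProtocol of the first virtual host on that address:port.

```python
"""Audit which SSLProtocol / SSLCipherSuite directives an Apache configuration
really loads, following Include/IncludeOptional and tracking <VirtualHost>
scope. Added example, not httpd code; the demo tree is constructed."""
import glob
import os
import re
import tempfile

DIRECTIVES = {"sslprotocol": "SSLProtocol", "sslciphersuite": "SSLCipherSuite"}
INCLUDE_RE = re.compile(r'^(Include|IncludeOptional)\s+"?([^"\s]+)"?', re.I)
VHOST_OPEN_RE = re.compile(r'^<VirtualHost\s+([^>]*)>', re.I)
VHOST_CLOSE_RE = re.compile(r'^</VirtualHost>', re.I)


def walk_config(path, server_root, scope="server config", seen=None):
    """Yield (scope, directive, value, file, line) in load order, recursing
    into included files. Apache comments are whole lines starting with '#'."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:                      # guard against Include loops
        return
    seen.add(real)
    scopes = [scope]
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = VHOST_OPEN_RE.match(line)
            if m:
                scopes.append(f"<VirtualHost {m.group(1).strip()}>")
                continue
            if VHOST_CLOSE_RE.match(line):
                if len(scopes) > 1:
                    scopes.pop()
                continue
            m = INCLUDE_RE.match(line)
            if m:
                pattern = m.group(2)
                if not os.path.isabs(pattern):
                    pattern = os.path.join(server_root, pattern)
                for hit in sorted(glob.glob(pattern)):
                    # Including a directory loads every file inside it.
                    files = sorted(glob.glob(os.path.join(hit, "*"))) if os.path.isdir(hit) else [hit]
                    for inc in files:
                        yield from walk_config(inc, server_root, scopes[-1], seen)
                continue
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() in DIRECTIVES:
                yield (scopes[-1], DIRECTIVES[parts[0].lower()], parts[1].strip(), path, lineno)


def effective_settings(main_conf, server_root):
    """Within one scope the last directive loaded wins. Returns
    {(scope, directive): [(value, file, line), ...]} with the winner last,
    so overridden entries stay visible for review."""
    result = {}
    for scope, directive, value, path, lineno in walk_config(main_conf, server_root):
        result.setdefault((scope, directive), []).append((value, path, lineno))
    return result


def build_demo_tree():
    """Constructed sample tree: a vhost disables TLSv1, then Includes a file
    that re-enables it. Returns the server root. Contents are hypothetical."""
    root = tempfile.mkdtemp(prefix="httpd-demo-")
    os.makedirs(os.path.join(root, "conf.d"))
    files = {
        "httpd.conf": ("# constructed sample, not a real httpd.conf\n"
                       "SSLProtocol all -SSLv3 -TLSv1\n"
                       "Include conf.d/*.conf\n"),
        "conf.d/site.conf": ("<VirtualHost *:443>\n"
                             "    SSLProtocol all -SSLv2 -SSLv3 -TLSv1\n"
                             "    SSLCipherSuite HIGH:!aNULL\n"
                             "    Include options-ssl-apache.conf\n"
                             "</VirtualHost>\n"),
        # Placeholder for a tool-installed options file (hypothetical contents).
        "options-ssl-apache.conf": ("SSLProtocol all -SSLv2 -SSLv3\n"
                                    "SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA256\n"),
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for (scope, directive), hits in effective_settings(os.path.join(root, "httpd.conf"), root).items():
        for value, path, lineno in hits[:-1]:
            print(f"{scope:22} {directive:15} OVERRIDDEN {value!r}  ({os.path.relpath(path, root)}:{lineno})")
        value, path, lineno = hits[-1]
        print(f"{scope:22} {directive:15} EFFECTIVE  {value!r}  ({os.path.relpath(path, root)}:{lineno})")
```

Against a real server, call effective_settings with the main configuration file and the ServerRoot it uses; any scope whose EFFECTIVE line points into a file you did not edit is the override that comments #14 and #16 describe. The walker only tracks <VirtualHost> containers because SSLProtocol and SSLCipherSuite are not valid inside <Directory> or <Location>.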