issue with SSL and Apache 2.4.43

Tim
issue with SSL and Apache 2.4.43

hey team,

We recently were informed that Apache 2.4.41 had some vulnerabilities so
we compiled 2.4.43 [Solaris 11.3].
We also compiled OpenSSL 1.1.1g.

After adding our uniqueness to the httpd.conf and extra/httpd-ssl.conf
files and running apachectl -t, we received an OK. We started Apache and
all appears well. Note: we are using the same SSL certs that worked fine
in 2.4.41; however, when we try to connect to our site via ANY browser we
get some sort of error related to TLS not being configured properly.

Now 2.4.43 is so new there is very little in actual Google searches.

Not sure what else I should add to this...

Any information is appreciated.

Tim





---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: issue with SSL and Apache 2.4.43

Chris Punches
Let's start with the error.  Can you show your curl output and any relevant httpd logs?

How are your ciphers?  What's in your conf?

On Mon, Jun 1, 2020 at 2:54 PM Tim <[hidden email]> wrote:

Tim
Re: issue with SSL and Apache 2.4.43

I have only tried connecting to the site via a web browser: Chrome, IE,
Edge and Firefox.
There are no errors in the Apache logs, well, very little. For all
intents and purposes it seems Apache is A-OK.

Here are my SSL settings. Like I said, apachectl -t says Syntax OK.

httpd.conf:SSLPassPhraseDialog builtin
httpd.conf:SSLSessionCache         shmcb:/var/cache/httpd/sslcache(512000)
httpd.conf:SSLSessionCacheTimeout  300
httpd.conf:SSLRandomSeed startup file:/dev/urandom  256
httpd.conf:SSLRandomSeed connect builtin
httpd.conf:SSLCryptoDevice builtin

extra/httpd-ssl.conf:SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:+HIGH:!MEDIUM:!LOW:!3DES:!RC4
extra/httpd-ssl.conf:SSLHonorCipherOrder off
extra/httpd-ssl.conf:SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
extra/httpd-ssl.conf:SSLStaplingCache "shmcb:/web/applications/apache-2.4.43/logs/ssl_stapling(32768)"
extra/httpd-ssl.conf:SSLEngine on
extra/httpd-ssl.conf:SSLCertificateFile "/web/applications/apache-2.4.43/conf/server.crt"
extra/httpd-ssl.conf:SSLCertificateKeyFile "/web/applications/apache-2.4.43/conf/server.key"
extra/httpd-ssl.conf:SSLCertificateChainFile "/web/applications/apache-2.4.43/conf/DigiCertCA.crt"

Here is what I see from the various browsers.

====================================================================================================================

IE
Can’t connect securely to this page
This might be because the site uses outdated or unsafe TLS security
settings. If this keeps happening, try contacting the website’s owner.

==============================================================================

Firefox
Secure Connection Failed

An error occurred during a connection to server1.com:8090. Peer's
certificate has an invalid signature.

Error code: SEC_ERROR_BAD_SIGNATURE
The page you are trying to view cannot be shown because the authenticity
of the received data could not be verified.
 
===============================================================================

Edge


  Can’t connect securely to this page

This might be because the site uses outdated or unsafe TLS security
settings. If this keeps happening, try contacting the website’s owner.

===============================================================================
Chrome


  This site can’t provide a secure connection

server1.com sent an invalid response.

  * Try running Windows Network Diagnostics.

ERR_SSL_PROTOCOL_ERROR

#################################################################################################################

Here is some output from OpenSSL.


============================================================================

$ openssl s_client -connect server1.com:8090 -status -servername server1.com

CONNECTED(00000005)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Baltimore CA-2 G2
verify return:1
depth=0 C = US, ST = Florida, L = Temple Terrace, O = Verizon Data Services LLC, CN = server1.com
verify return:1
140072697692608:error:0407E086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid:../crypto/rsa/rsa_pss.c:88:
140072697692608:error:1417B07B:SSL routines:tls_process_cert_verify:bad signature:../ssl/statem/statem_lib.c:492:
---
Certificate chain
 0 s:C = US, ST = Florida, L = Temple Terrace, O = Verizon Data Services LLC, CN = server1.com
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Baltimore CA-2 G2
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Baltimore CA-2 G2
   i:C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=C = US, ST = Florida, L = Temple Terrace, O = Verizon Data Services LLC, CN = server1.com

issuer=C = US, O = DigiCert Inc, OU = www.cert.com, CN = Cert Balt CA-2 G2

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3941 bytes and written 346 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Apache Error_log
========================================================================
[Mon Jun 01 23:38:49.682080 2020] [ssl:info] [pid 5055] [client 10.10.10.10:53148] AH01964: Connection to child 6 established (server server1.com:8090)
[Mon Jun 01 23:38:49.687293 2020] [ssl:debug] [pid 5055] ssl_engine_kernel.c(2351): [client 10.10.10.10:53148] AH02043: SSL virtual host for servername server1.com found
[Mon Jun 01 23:38:50.206012 2020] [ssl:debug] [pid 5055] ssl_engine_io.c(1368): (70014)End of file found: [client 10.10.10.10:53148] AH02007: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Jun 01 23:38:50.206167 2020] [ssl:info] [pid 5055] [client 10.10.10.10:53148] AH01998: Connection closed to child 6 with abortive shutdown (server server1.com:8090)


On 6/1/2020 12:58 PM, Chris Punches wrote:


