Thanks for your answer, Stefan.
So I would suggest to make the documentation of SSLProtocol clear like this:
"
You need to name the 'highest' protocol and the 'lowest' protocol, and all
protocols in between them, without gap.
E.g. if You want to support TLSv1.2 and TLSv1.0, you need to set
SSL
at the same time?
> Sent: Wednesday, 02 June 2021 at 17:29
> From: "Hildegard Meier"
> To: users@httpd.apache.org
> Subject: [users@httpd] Newer Apache does not offer TLS cipher with TLSv1
> anymore
>
> Hello,
>
> we host a website which clients stil
When changing
SSLProtocol -all +TLSv1.2 +TLSv1
to
SSLProtocol -all +TLSv1
then TLSv1.0 support is there:
sslscan gives:
Supported Server Cipher(s):
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-256 DHE 256
Accepted TLSv1.0 256 bits AES
P.S.
OpenSSL seems to offer the cipher ECDHE-RSA-AES256-SHA via TLSv1 on the new
server (Ubuntu 18):
openssl ciphers -v -s -tls1 | grep '^ECDHE-RSA-AES256-SHA '
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
-
Hello,
we host a website which clients still need to use the cipher
ECDHE-RSA-AES256-SHA
with protocol "TLSv1.0" aka "TLSv1".
With our old Apache server that worked. Spec:
Ubuntu 14.04 LTS
Apache 2.4.7-1ubuntu4.22
OpenSSL 1.0.1f-1ubuntu2.27
Apache config:
SSLProtocol -all +TL
Yann Ylavic"
> To: users@httpd.apache.org
> Subject: Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
>
> On Wed, Feb 24, 2021 at 6:01 PM Hildegard Meier wrote:
> >
> > I thought about something like that as cause, but since the client IP is
> >
SSLCipherSuite -all:MD5
is served by Apache (at least with old Ubuntu 14) as expected.
Gets an F rating on
https://www.ssllabs.com/ssltest/
though :)
Never mind, that SSLCipherSuite was just an example, I should have taken one that is really used, to prevent complication.
Gese
Thank you very much Eric, for your quick response and explanation. Do you have
a source for it (aside of the source code ;) ?
I thought about something like that as cause, but since the client IP is known
from the very first start of the request, before TLS handshake, I thought it
could be eval
P.S. Never mind the port 4433 in the example, that's because load balancer port
natting.
The vHost works fine with outbound port 443. This question is only about the
if/else block in combination with SSLCipherSuite.
> Sent: Wednesday, 24 February 2021 at 14:12
> From: "
Hello,
having Ubuntu 14 server with Apache 2.4.7
I configured to have SSLCipherSuite dependent on the client IP address.
But the If/Else directive seems to be just silently ignored, only and always
the global default SSLCipherSuite value is in effect.
The SSLCipherSuite given in the If or Else
Hi Yann,
thanks for Your support. Your suggestion to comment (remove) the Mutex directive
from /etc/apache2/apache2.conf solved the problem here.
No warning/emergency errors anymore. :)
Output of "apache2ctl -t -D DUMP_RUN_CFG" is now:
Mutex default: dir="/var/run/apache2/" mechanism=default
> There is an old dev@ thread that talks about the same deadlock
> avoidance issues from fcntl
> on other platforms (at least Solaris). I think it's not really usable
> in httpd as soon as you have two mutexes.
Read that, thought it would be only special for Solaris...
---
> > Mutex file:${APACHE_LOCK_DIR} default
>
> Does it come from Ubuntu?
> If so, I don't think any modern Linux should configure the "file" mutex
> mechanism by default, and you could possibly report it...
Yes, that is the entry of Ubuntu 14 ("Trusty") default apache2.conf file, see
http://packages.u
2016 at 16:44
> From: "hildegard meier"
> To: users@httpd.apache.org
> Subject: [users@httpd] Lots of messages "[ssl:warn] Resource deadlock
> avoided: AH02026: Failed to acquire SSL session cache lock"
>
> OS:
> Ubuntu 14.04 LTS
>
> Kernel:
> 3.
We also have these messages with severity "emergency":
grep emerg /var/log/apache2/error.log
[Wed Mar 09 07:09:31.099331 2016] [mpm_worker:emerg] [pid 26526:tid
139668485949184] (35)Resource deadlock avoided: AH00273: apr_proc_mutex_lock
failed. Attempting to shutdown process gracefully.
[Wed Mar
s@httpd.apache.org
> Subject: Re: [users@httpd] Lots of messages "[ssl:warn] Resource deadlock
> avoided: AH02026: Failed to acquire SSL session cache lock"
>
> On Tue, Mar 8, 2016 at 4:44 PM, hildegard meier wrote:
> > OS:
> > Ubuntu 14.04 L
OS:
Ubuntu 14.04 LTS
Kernel:
3.13.0-79-generic x86_64
Apache:
2.4.7-1ubuntu4.5
The Host has just been release-upgraded (with Ubuntu do-release-upgrade
command) From Ubuntu 12.04 LTS
All Apache config files are the new ones, old configuration entries have been
adopted to the new config files m
17 matches