Thanks Daniel.

SSLCipherSuite - ALL:!ADH:!EXPORT40:!EXPORT56:!LOW:!RC4:!MD5:!IDEA:+HIGH:+MEDIUM:+EXP:+eNULL
SSLProtocol all -SSLv2 -SSLv3

This is the openssl version output:

openssl ciphers -v
DHE-RSA-AES256-SHA       SSLv3 Kx=DH       Au=RSA Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA       SSLv3 Kx=DH       Au=DSS Enc=AES(256)  Mac=SHA1
AES256-SHA               SSLv3 Kx=RSA      Au=RSA Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA     SSLv3 Kx=DH       Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA     SSLv3 Kx=DH       Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA             SSLv3 Kx=RSA      Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5             SSLv2 Kx=RSA      Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA       SSLv3 Kx=DH       Au=RSA Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA       SSLv3 Kx=DH       Au=DSS Enc=AES(128)  Mac=SHA1
AES128-SHA               SSLv3 Kx=RSA      Au=RSA Enc=AES(128)  Mac=SHA1
IDEA-CBC-SHA             SSLv3 Kx=RSA      Au=RSA Enc=IDEA(128) Mac=SHA1
IDEA-CBC-MD5             SSLv2 Kx=RSA      Au=RSA Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5              SSLv2 Kx=RSA      Au=RSA Enc=RC2(128)  Mac=MD5
RC4-SHA                  SSLv3 Kx=RSA      Au=RSA Enc=RC4(128)  Mac=SHA1
RC4-MD5                  SSLv3 Kx=RSA      Au=RSA Enc=RC4(128)  Mac=MD5
RC4-MD5                  SSLv2 Kx=RSA      Au=RSA Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC-SHA      SSLv3 Kx=DH       Au=RSA Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA      SSLv3 Kx=DH       Au=DSS Enc=DES(56)   Mac=SHA1
DES-CBC-SHA              SSLv3 Kx=RSA      Au=RSA Enc=DES(56)   Mac=SHA1
DES-CBC-MD5              SSLv2 Kx=RSA      Au=RSA Enc=DES(56)   Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA  SSLv3 Kx=DH(512)  Au=RSA Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA  SSLv3 Kx=DH(512)  Au=DSS Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA          SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5          SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5          SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5              SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5              SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40)   Mac=MD5  export

Output from the nmap scan of the server:

| ssl-enum-ciphers:
|   TLSv1.0
|     Ciphers (14)
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_DHE_RSA_WITH_SEED_CBC_SHA
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
|       TLS_RSA_WITH_RC4_128_MD5
|       TLS_RSA_WITH_RC4_128_SHA
|       TLS_RSA_WITH_SEED_CBC_SHA
|     Compressors (1)
|_      uncompressed

Thx,
DS

On Thu, Jul 30, 2015 at 8:16 PM, Daniel <dferra...@gmail.com> wrote:

> You should share your SSLCiphersuite and SSLProtocol values first, besides
> that version of openssl is quite lacking regarding the availability of
> ciphers and protocols.
>
> 2015-07-30 5:37 GMT+02:00 Sunil R <dexterse...@gmail.com>:
>
>> I’m trying to upgrade the Apache version from httpd 2.2.25 to 2.4.12. I'm
>> building apache with the same openssl version 0.9.8. After the upgrade I see
>> that the openssl s_client query to the server fails with error:
>>
>> [Mon Jul 27 02:57:47.982584 2015] [ssl:info] [pid 22460:tid 1943075728]
>> SSL Library Error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
>> version number
>>
>> The openssl client version is Openssl 0.9.8g ( OpenSSL/FIPS). In the
>> httpd config file I have disabled SSLv2 and SSLv3.
>>
>> When I enable debug options on the s_client this is the output:
>>
>> Linux# /isan/bin/openssl s_client -connect localhost:443 -debug -state
>> -msg
>> CONNECTED(00000003)
>> SSL_connect:before/connect initialization
>> write to 0x9d606b0 [0x9d61678] (124 bytes => 124 (0x7C))
>> 0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00 .z....Q... ..9..
>> 0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
>> 0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03 ..3..2../.......
>> 0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00 ................
>> 0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08 ......@.........
>> 0050 - 00 00 06 04 00 80 00 00-03 02 00 80 68 fd d4 c6 ............h...
>> 0060 - 77 4c 5e ef 2f 41 d4 18-e6 f8 6d d3 9e 8c b2 2d wL^./A....m....-
>> 0070 - b4 81 83 fd c7 63 f6 8b-fe 26 e9 97 .....c...&..
>>
>> >>> SSL 2.0 [length 007a], CLIENT-HELLO
>> 01 03 01 00 51 00 00 00 20 00 00 39 00 00 38 00
>> 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
>> 33 00 00 32 00 00 2f 00 00 07 05 00 80 03 00 80
>> 00 00 05 00 00 04 01 00 80 00 00 15 00 00 12 00
>> 00 09 06 00 40 00 00 14 00 00 11 00 00 08 00 00
>> 06 04 00 80 00 00 03 02 00 80 68 fd d4 c6 77 4c
>> 5e ef 2f 41 d4 18 e6 f8 6d d3 9e 8c b2 2d b4 81
>> 83 fd c7 63 f6 8b fe 26 e9 97
>> SSL_connect:SSLv2/v3 write client hello A
>> read from 0x9d606b0 [0x9d66bd8] (7 bytes => 0 (0x0))
>> 7175:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
>> failure:s23_lib.c:188:
>> Linux#
>>
>> The SSL handshake goes through fine in these cases:
>>
>> 1. When I enable SSLv3, the query goes through fine.
>> 2. When I force the TLSv1 in the s_client query.
>> 3. With the older httpd version 2.2.25
>>
>> Is this intentional, to honor the disable SSLv3 configured?
>>
>> Please let me know what could be the issue. Let me know if any other
>> details are needed.
>>
>> Thx,
>> DS
>
> --
> *Daniel Ferradal*
> IT Specialist
>
> email dferradal at gmail.com
> linkedin es.linkedin.com/in/danielferradal
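The quoted s_client trace labels its first message "SSL 2.0 [length 007a], CLIENT-HELLO". The following is an added example, not part of the original thread: it decodes the 124 bytes from that trace to show the record framing, the protocol version the hello advertises and the cipher specs it lists. The function name `parse_hello` and the TLS-record branch are illustrative assumptions.

```python
import struct

# Bytes copied from the "write to" hex dump in the quoted s_client trace.
TRACE_HEX = """
80 7a 01 03 01 00 51 00 00 00 20 00 00 39 00 00
38 00 00 35 00 00 16 00 00 13 00 00 0a 07 00 c0
00 00 33 00 00 32 00 00 2f 00 00 07 05 00 80 03
00 80 00 00 05 00 00 04 01 00 80 00 00 15 00 00
12 00 00 09 06 00 40 00 00 14 00 00 11 00 00 08
00 00 06 04 00 80 00 00 03 02 00 80 68 fd d4 c6
77 4c 5e ef 2f 41 d4 18 e6 f8 6d d3 9e 8c b2 2d
b4 81 83 fd c7 63 f6 8b fe 26 e9 97
"""

def parse_hello(data: bytes) -> dict:
    """Classify a first handshake record; decode it if it is an SSLv2-format hello."""
    if len(data) < 11:
        raise ValueError("too short for a hello record")
    if data[0] == 0x16:  # TLS/SSLv3 record layer: content type 22 = handshake
        return {"framing": "tls-record", "record_version": (data[1], data[2])}
    if not data[0] & 0x80:  # SSLv2 2-byte header has the high bit set
        raise ValueError("not a 2-byte-header SSLv2 record")
    length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    # msg type, version major/minor, then three 16-bit length fields
    msg_type, major, minor, cs_len, sid_len, ch_len = struct.unpack(">BBBHHH", body[:9])
    if msg_type != 1:
        raise ValueError("not a CLIENT-HELLO")
    if 9 + cs_len + sid_len + ch_len != length or cs_len % 3:
        raise ValueError("length fields inconsistent")
    specs = [body[9 + i:12 + i] for i in range(0, cs_len, 3)]
    return {
        "framing": "sslv2-record",
        "offered_version": (major, minor),
        # A non-zero first byte marks an SSLv2-only cipher kind;
        # 00 xx yy carries a two-byte SSLv3/TLS cipher suite id.
        "v2_only_specs": [s.hex() for s in specs if s[0] != 0],
        "v3_suites": [s[1:].hex() for s in specs if s[0] == 0],
        "challenge_len": ch_len,
    }

if __name__ == "__main__":
    for key, value in parse_hello(bytes.fromhex("".join(TRACE_HEX.split()))).items():
        print(key, value)
```

On the trace above it reports SSLv2 record framing carrying version 3.1 (TLS 1.0), seven SSLv2-only cipher specs and twenty SSLv3/TLS suite ids.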