Check your OpenSSL ciphers to see if they support TLS 1.2.
Try:

SSLProtocol -ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!AES256-SHA:!AES128-SHA256:!AES256-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES128-SHA:!AES128-GCM-SHA256:!AES128-GCM-SHA384:!PSK:!SRP:!KRB5:@STRENGTH

# openssl ciphers -tls1

On Wed, Jun 23, 2021 at 4:53 PM Pavel Heimlich, a.k.a. hajma <
tropikha...@gmail.com> wrote:

> Hi,
> I use
> ErrorDocument 400 "https://myserver:215"
> to achieve redirection to secure connection for anyone who would access my
> server with just 'http://myserver:215'.
>
> This works as long as there's
> SSLProtocol TLSv1.1 +TLSv1.2
> specified in the configuration. However when I change that to just
> SSLProtocol TLSv1.2
> it stops working and the client gets "The connection was reset
> The connection to the server was reset while the page was loading."
> in their browser.
>
> I guess this is because Apache calls different OpenSSL functions based on
> the config setting at
>
> https://github.com/apache/httpd/blob/2f0f0d4e31bcf8b151ebc833ddd56c09dbff6462/modules/ssl/ssl_engine_init.c#L643
> or
>
> https://github.com/apache/httpd/blob/2f0f0d4e31bcf8b151ebc833ddd56c09dbff6462/modules/ssl/ssl_engine_init.c#L649
>
> and I am not sure if this is something that could be dealt with within
> Apache.
> Would you consider this worth logging a bug?
> Or would there be another way to achieve this?
>
> Thanks!
> P.
>
> P.S.:
> This is on Solaris 11.4, x86, Apache 2.4.47, OpenSSL 1.0
> My simplified config below:
>
> ServerRoot "/usr/apache2/2.4"
>
> Listen 215
>
> <IfDefine prefork>
> LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so
> </IfDefine>
> <IfDefine worker>
> LoadModule mpm_worker_module libexec/mod_mpm_worker.so
> </IfDefine>
> <IfDefine !prefork>
> <IfDefine !worker>
> LoadModule mpm_event_module libexec/mod_mpm_event.so
> </IfDefine>
> </IfDefine>
>
> LoadModule ssl_module libexec/mod_ssl-fips-140.so
> LoadModule authz_core_module libexec/mod_authz_core.so
> LoadModule unixd_module libexec/mod_unixd.so
>
> <IfModule unixd_module>
> User webservd
> Group webservd
>
> </IfModule>
>
>
> ServerName 127.0.0.1
>
> <Directory />
>     AllowOverride none
>     Require all denied
> </Directory>
>
> DocumentRoot "/var/apache2/2.4/htdocs"
> <Directory "/var/apache2/2.4/htdocs">
>     Options Indexes FollowSymLinks
>
>     AllowOverride None
>
>     Require all granted
> </Directory>
>
> <Files ".ht*">
>     Require all denied
> </Files>
>
> ErrorLog "/var/apache2/2.4/logs/error_log"
>
> LogLevel warn
>
> <Directory "/var/apache2/2.4/cgi-bin">
>     AllowOverride None
>     Options None
>     Require all granted
> </Directory>
>
> <IfModule ssl_module>
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> </IfModule>
>
> SSLEngine               on
> SSLProtocol TLSv1.1 +TLSv1.2
> SSLCertificateFile /etc/certs/localhost/host.crt
> SSLCertificateKeyFile /etc/certs/localhost/host.key
> SSLCACertificateFile /etc/certs/localhost/host-ca/hostca.crt
> SSLCertificateChainFile /etc/certs/localhost/host-ca/hostca.crt
> ErrorDocument 400 "https://myserver:215"
>

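The three SSLProtocol values that appear in this thread, evaluated with a simplified model of mod_ssl's token rules (an added example, not part of either message and not httpd's own code). Assumptions: a bare name replaces the set, `+`/`-` add or remove, and `all` covers SSLv3 through TLSv1.2 as on an OpenSSL 1.0.x build; all function and variable names are hypothetical.

```python
# Assumption: what "all" expands to on an OpenSSL 1.0.1+ build without TLSv1.3.
ALL = frozenset({"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})
KNOWN = {p.lower(): p for p in ALL}

def effective_protocols(directive_args):
    """Return the set of protocols left enabled by an SSLProtocol argument string."""
    enabled = set()
    for token in directive_args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):].lower()   # names are matched case-insensitively
        if name == "sslv2":
            if sign == "-":
                continue                   # removing SSLv2 changes nothing
            raise ValueError("SSLv2 is no longer supported")
        if name == "all":
            chosen = set(ALL)
        elif name in KNOWN:
            chosen = {KNOWN[name]}
        else:
            raise ValueError(f"unknown protocol token {token!r}")
        if sign == "+":
            enabled |= chosen
        elif sign == "-":
            enabled -= chosen
        else:
            enabled = chosen               # bare name replaces what came before
    return enabled

# The directive values quoted in the thread.
THREAD_DIRECTIVES = {
    "works for the poster": "TLSv1.1 +TLSv1.2",
    "resets for the poster": "TLSv1.2",
    "suggested in the reply": "-ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2",
}

def compare_thread_directives():
    """Map each label to (sorted protocol list, True if exactly one protocol remains)."""
    result = {}
    for label, args in THREAD_DIRECTIVES.items():
        protos = effective_protocols(args)
        result[label] = (sorted(protos), len(protos) == 1)
    return result

if __name__ == "__main__":
    for label, (protos, single) in compare_thread_directives().items():
        print(f"{label:24} -> {protos}  single-protocol={single}")
```

Under these assumptions the suggested directive and the plain `SSLProtocol TLSv1.2` enable the same single protocol, so the two should be tested against the plain-HTTP redirect separately from the cipher list.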