Check your Openssl ciphers to see if it supports TLS 1.2 Try: SSLProtocol -ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 SSLCipherSuite HIGH:!aNULL:!eNULL:!kECDH:!aDH:!RC4:!3DES:!CAMELLIA:!MD5:!AES256-SHA:!AES128-SHA256:!AES256-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES128-SHA:!AES128-GCM-SHA256:!AES128-GCM-SHA384:!PSK:!SRP:!KRB5:@STRENGTH
# openssl ciphers -tls1 On Wed, Jun 23, 2021 at 4:53 PM Pavel Heimlich, a.k.a. hajma < tropikha...@gmail.com> wrote: > Hi, > I use > ErrorDocument 400 "https://myserver:215"; > to achieve redirection to secure connection for anyone who would access my > server with just 'http://myserver:215'. > > This works as long as there's > SSLProtocol TLSv1.1 +TLSv1.2 > specified in the configuration. However when I change that to just > SSLProtocol TLSv1.2 > it stops working and the client gets "The connection was reset > The connection to the server was reset while the page was loading." > in their browser. > > I guess this is because Apache calls different OpenSSL functions based on > the config setting at > > https://github.com/apache/httpd/blob/2f0f0d4e31bcf8b151ebc833ddd56c09dbff6462/modules/ssl/ssl_engine_init.c#L643 > or > > https://github.com/apache/httpd/blob/2f0f0d4e31bcf8b151ebc833ddd56c09dbff6462/modules/ssl/ssl_engine_init.c#L649 > > and I am not sure if this is something that could be dealt with within > Apache. > Would you consider this worth logging a bug? > Or would there be another way to achieve this? > > Thanks! > P. > > P.S.: > This is on Solaris 11.4, x86, Apache 2.4.47, OpenSSL 1.0 > My simplified config below: > > ServerRoot "/usr/apache2/2.4" > > Listen 215 > > <IfDefine prefork> > LoadModule mpm_prefork_module libexec/mod_mpm_prefork.so > </IfDefine> > <IfDefine worker> > LoadModule mpm_worker_module libexec/mod_mpm_worker.so > </IfDefine> > <IfDefine !prefork> > <IfDefine !worker> > LoadModule mpm_event_module libexec/mod_mpm_event.so > </IfDefine> > </IfDefine> > > LoadModule ssl_module libexec/mod_ssl-fips-140.so > LoadModule authz_core_module libexec/mod_authz_core.so > LoadModule unixd_module libexec/mod_unixd.so > > <IfModule unixd_module> > User webservd > Group webservd > > </IfModule> > > > ServerName 127.0.0.1 > > <Directory /> > AllowOverride none > Require all denied > </Directory> > > DocumentRoot "/var/apache2/2.4/htdocs" > <Directory "/var/apache2/2.4/htdocs"> > Options Indexes FollowSymLinks > > AllowOverride None > > Require all granted > </Directory> > > <Files ".ht*"> > Require all denied > </Files> > > ErrorLog "/var/apache2/2.4/logs/error_log" > > LogLevel warn > > <Directory "/var/apache2/2.4/cgi-bin"> > AllowOverride None > Options None > Require all granted > </Directory> > > <IfModule ssl_module> > SSLRandomSeed startup builtin > SSLRandomSeed connect builtin > </IfModule> > > SSLEngine on > SSLProtocol TLSv1.1 +TLSv1.2 > SSLCertificateFile /etc/certs/localhost/host.crt > SSLCertificateKeyFile /etc/certs/localhost/host.key > SSLCACertificateFile /etc/certs/localhost/host-ca/hostca.crt > SSLCertificateChainFile /etc/certs/localhost/host-ca/hostca.crt > ErrorDocument 400 "https://myserver:215"; >
