Hello,

I have installed *Apache 2.4.46* from the source code. I have also installed *OpenSSL 1.1.1c* from the source code in "*/opt/openssl*".

I use the following configuration while installing Apache,
========================
CFLAGS='-DSSL_EXPERIMENTAL_ENGINE -DSSL_ENGINE -DOPENSSL_LOAD_CONF' LDFLAGS=-Wl,-rpath=/opt/openssl/lib ./configure --prefix=/etc/apache2 --enable-ssl --with-ssl=/opt/openssl/ --with-pcre=/usr/local/pcre --enable-so
======================

My *httpd-ssl.conf* with the following configuration works fine with TLSv1.3,
======================
SSLCipherSuite AES128-SHA256
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
========================

However, if I try to use TLSv1.2, I get the following error,
==============================
xxx@xxx:~$ curl -k https://10.29.2.98 -verbose --tlsv1.2 --tls-max 1.2
* Trying 10.29.2.98:443...
* Connected to 10.29.2.98 (10.29.2.98) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, bad record mac (532):
* error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
* Closing connection 0
curl: (35) error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
=================================

I also changed *httpd-ssl.conf* like the following,
=================
SSLCipherSuite AES128-SHA256
SSLHonorCipherOrder on
#SSLProtocol all -SSLv3
SSLProtocol -all +TLSv1.2
=================

but I still get the same error,
===================
$curl -k https://10.29.2.98 -verbose
* Trying 10.29.2.98:443...
* Connected to 10.29.2.98 (10.29.2.98) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, bad record mac (532):
* error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
* Closing connection 0
curl: (35) error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac
==================

Any help, where did I make a mistake?

Thanks,
Shariful Alam
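
Added example, not part of the original post: a small Python reader for the curl trace quoted above, which shows that the fatal alert is sent by the server immediately after the client's own Finished message. It assumes curl's OpenSSL backend prints an alert's two bytes as one number (level << 8 | description), so 532 decodes to fatal / bad_record_mac; `parse_trace` and `diagnose` are names chosen here.

```python
import re

# Trace lines copied from the second curl run in the post above.
TRACE = """\
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, bad record mac (532):
"""

LINE = re.compile(r"^\* (TLSv[\d.]+) \((IN|OUT)\), TLS ([^,]+), (.+) \((\d+)\):$")
ALERT_LEVELS = {1: "warning", 2: "fatal"}      # RFC 5246, section 7.2
ALERT_DESCRIPTIONS = {20: "bad_record_mac"}   # only the alert seen in this trace

def parse_trace(text):
    """Return one dict per TLS message line in a curl verbose trace."""
    records = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            version, direction, kind, name, code = m.groups()
            records.append({"version": version, "dir": direction,
                            "kind": kind, "name": name, "code": int(code)})
    return records

def diagnose(text):
    """Locate the first alert and report which message directly preceded it."""
    records = parse_trace(text)
    for i, rec in enumerate(records):
        if rec["kind"] != "alert":
            continue
        # Assumption: curl packs the alert as (level << 8) | description.
        level, desc = rec["code"] >> 8, rec["code"] & 0xFF
        prev = records[i - 1] if i else None
        return {"sender": "server" if rec["dir"] == "IN" else "client",
                "level": ALERT_LEVELS.get(level, str(level)),
                "description": ALERT_DESCRIPTIONS.get(desc, str(desc)),
                "after": prev["name"] if prev else None,
                "after_dir": prev["dir"] if prev else None}
    return None

if __name__ == "__main__":
    print(diagnose(TRACE))
```

The client's Finished is the first record it sends under the newly negotiated keys, so the result places the failure at the server's processing of that first protected record rather than at protocol or cipher negotiation.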