Article ID: 125662, created on May 29, 2015, last review on Jun 12, 2015

Applies to: H-Sphere 3.6.3

Symptoms

It is not possible to disable TLSv1 for Apache. If you enter the following in the Apache config:

     SSLProtocol +ALL -SSLv2 -SSLv3 -TLSv1  

the result is the following error, and Apache won't start:

    Apache/2.2.29 (Unix) mod_ssl/2.2.29 OpenSSL/1.0.0-fips mod_fastcgi/2.4.6
    [error] No SSL protocols available [hint: SSLProtocol]

The same happens if you try it in reverse:

    SSLProtocol -ALL +TLSv1.1 +TLSv1.2

This results in the following error:

    TLSv1.1 not found

Cause

H-Sphere Apache does not support protocols higher than TLSv1 (software issue HSPH-137).

Resolution

The rebuilt packages are attached:

RHES6_x64 - hsphere-apache2-h3.1-2.2.29-2.rpm
RHES6_x86 - hsphere-apache2-h3.1-2.2.29-2.rpm

Use with caution, and only if you have enough experience with Linux. Make a backup of the server before installing them, and be prepared to roll back to the previous version in case of problems.

    # md5sum ./RHES6/hsphere-apache2-h3.1-2.2.29-2.rpm ./RHES6_64/hsphere-apache2-h3.1-2.2.29-2.rpm
    65169e009c87c12b44762105c2689b3d  ./RHES6/hsphere-apache2-h3.1-2.2.29-2.rpm
    1626d5b7f9493c64b73b6199c6a50274  ./RHES6_64/hsphere-apache2-h3.1-2.2.29-2.rpm

Additional info

Example installation on CentOS 6 x86:

    [root@cp cipherscan]# rpm -qa | grep apache2-h
    hsphere-apache2-h3.1-2.2.29-2.i386

    # cat /etc/issue
    CentOS release 6.6 (Final)

1. With TLS 1.0 enabled:

    [root@cp ]# grep SSLProto /hsphere/local/config/httpd2/lservers/web_192.168.111.150.conf
            SSLProtocol +ALL -SSLv2 -SSLv3


    [root@localhost cipherscan]# ./cipherscan 192.168.111.150
    ................................
    Target: 192.168.111.150:443

    prio  ciphersuite                  protocols              pfs                 curves
    1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
    2     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1
    3     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,1024bits         None
    5     DHE-RSA-AES256-SHA256        TLSv1.2                DH,1024bits         None
    6     DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
    7     DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
    8     AES256-GCM-SHA384            TLSv1.2                None                None
    9     AES256-SHA256                TLSv1.2                None                None
    10    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
    11    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
    12    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
    13    ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1
    14    ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    15    DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits         None
    16    DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits         None
    17    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
    18    DHE-RSA-SEED-SHA             TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
    19    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
    20    AES128-GCM-SHA256            TLSv1.2                None                None
    21    AES128-SHA256                TLSv1.2                None                None
    22    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
    23    SEED-SHA                     TLSv1,TLSv1.1,TLSv1.2  None                None
    24    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2  None                None
    25    IDEA-CBC-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None
    26    ECDHE-RSA-RC4-SHA            TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    27    RC4-SHA                      TLSv1,TLSv1.1,TLSv1.2  None                None
    28    RC4-MD5                      TLSv1,TLSv1.1,TLSv1.2  None                None
    29    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    30    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,1024bits         None
    31    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None

2. With TLS 1.0 disabled:

    [root@cp ]# grep SSLProto /hsphere/local/config/httpd2/lservers/web_192.168.111.150.conf
            SSLProtocol -All +TLSv1.1 +TLSv1.2
    [root@localhost ]# ./cipherscan 192.168.111.150
    ................................
    Target: 192.168.111.150:443

    prio  ciphersuite                  protocols        pfs                 curves
    1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2          ECDH,P-256,256bits  prime256v1
    2     ECDHE-RSA-AES256-SHA384      TLSv1.2          ECDH,P-256,256bits  prime256v1
    3     ECDHE-RSA-AES256-SHA         TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2          DH,1024bits         None
    5     DHE-RSA-AES256-SHA256        TLSv1.2          DH,1024bits         None
    6     DHE-RSA-AES256-SHA           TLSv1.1,TLSv1.2  DH,1024bits         None
    7     DHE-RSA-CAMELLIA256-SHA      TLSv1.1,TLSv1.2  DH,1024bits         None
    8     AES256-GCM-SHA384            TLSv1.2          None                None
    9     AES256-SHA256                TLSv1.2          None                None
    10    AES256-SHA                   TLSv1.1,TLSv1.2  None                None
    11    CAMELLIA256-SHA              TLSv1.1,TLSv1.2  None                None
    12    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2          ECDH,P-256,256bits  prime256v1
    13    ECDHE-RSA-AES128-SHA256      TLSv1.2          ECDH,P-256,256bits  prime256v1
    14    ECDHE-RSA-AES128-SHA         TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    15    DHE-RSA-AES128-GCM-SHA256    TLSv1.2          DH,1024bits         None
    16    DHE-RSA-AES128-SHA256        TLSv1.2          DH,1024bits         None
    17    DHE-RSA-AES128-SHA           TLSv1.1,TLSv1.2  DH,1024bits         None
    18    DHE-RSA-SEED-SHA             TLSv1.1,TLSv1.2  DH,1024bits         None
    19    DHE-RSA-CAMELLIA128-SHA      TLSv1.1,TLSv1.2  DH,1024bits         None
    20    AES128-GCM-SHA256            TLSv1.2          None                None
    21    AES128-SHA256                TLSv1.2          None                None
    22    AES128-SHA                   TLSv1.1,TLSv1.2  None                None
    23    SEED-SHA                     TLSv1.1,TLSv1.2  None                None
    24    CAMELLIA128-SHA              TLSv1.1,TLSv1.2  None                None
    25    IDEA-CBC-SHA                 TLSv1.1,TLSv1.2  None                None
    26    ECDHE-RSA-RC4-SHA            TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    27    RC4-SHA                      TLSv1.1,TLSv1.2  None                None
    28    RC4-MD5                      TLSv1.1,TLSv1.2  None                None
    29    ECDHE-RSA-DES-CBC3-SHA       TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    30    EDH-RSA-DES-CBC3-SHA         TLSv1.1,TLSv1.2  DH,1024bits         None
    31    DES-CBC3-SHA                 TLSv1.1,TLSv1.2  None                None

    Certificate: UNTRUSTED, 1024 bit, sha1WithRSAEncryption signature
    TLS ticket lifetime hint: 300
    OCSP stapling: not supported
    Cipher ordering: client
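
A check for the difference between the two scans above, as an added example (not part of the original article or of cipherscan): it reads a cipherscan table on stdin and lists the ciphersuites still offered over TLSv1. The function names are hypothetical, and the sample rows are excerpted from the scans in this article.

```shell
#!/bin/sh
# Added example: find ciphersuites that a cipherscan table still offers over TLSv1.
# Input is cipherscan's table on stdin; column 3 is the comma-separated protocol list.
tls10_suites() {
    awk '
        $1 ~ /^[0-9]+$/ {                  # data rows start with the numeric priority
            n = split($3, proto, ",")
            for (i = 1; i <= n; i++)
                if (proto[i] == "TLSv1") { print $2; break }   # exact token, not TLSv1.1 or TLSv1.2
        }'
}

# Returns 0 when no row offers TLSv1, 1 otherwise (offending suites go to stderr).
check_tls10_disabled() {
    offenders=$(tls10_suites)
    [ -z "$offenders" ] && return 0
    printf 'TLSv1 still offered for:\n%s\n' "$offenders" >&2
    return 1
}

# Sample rows excerpted from scan 1 in this article (SSLProtocol +ALL -SSLv2 -SSLv3).
scan_tls10_enabled() {
    cat <<'EOF'
Target: 192.168.111.150:443

prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
3     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
27    RC4-SHA                      TLSv1,TLSv1.1,TLSv1.2  None                None
EOF
}

# Sample rows excerpted from scan 2 in this article (SSLProtocol -All +TLSv1.1 +TLSv1.2).
scan_tls10_disabled() {
    cat <<'EOF'
Target: 192.168.111.150:443

prio  ciphersuite                  protocols        pfs                 curves
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2          ECDH,P-256,256bits  prime256v1
3     ECDHE-RSA-AES256-SHA         TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
27    RC4-SHA                      TLSv1.1,TLSv1.2  None                None
EOF
}

# Usage against a live host: ./cipherscan 192.168.111.150 | check_tls10_disabled
```

The exact-token comparison matters here: a plain `grep TLSv1` would also match TLSv1.1 and TLSv1.2 and report every row.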
