[Ach] Apache patch to urge client for protocol upgrade

Sebastian sebix at sebix.at
Sat Nov 1 22:43:29 CET 2014


It has been observed that some clients [0] stopped working when SSLv3
was deactivated on the server side, though they should be capable of
TLS. [1][2] Maybe the real problem is that mod_ssl compiled against
OpenSSL 0.9.8 does not allow TLS 1.0 connections with an SSLv2-compatible
hello (see the linked discussion).

However, it appears that clients won't connect with the highest protocol
they support, but with SSLv3 at maximum and only do TLS when a parameter
is given to 'force' it.

There's now a patch for Apache [3] that tells the client it should
connect with TLS if it tried with SSLv3, but without enabling SSL (just
accepting the handshake). The config would then look like:

SSLProtocol ANY -SSLv3
# or
ALL +SSLv2Hello

The discussion is still ongoing (also on whether it creates new threats).
If everything is fine, it seems this will be included in the next version
of Apache.

Regards,

[0]: some versions of curl (and thus git and others) on some of the
(older) systems (such as RHEL5)
[1]:
https://serverfault.com/questions/637880/disabling-sslv3-but-still-supporting-sslv2hello-in-apache/
[2]:
https://serverfault.com/questions/640344/why-did-git-stop-working-after-server-disabled-sslv3/641280
[3]: http://www.mail-archive.com/dev%40httpd.apache.org/msg60833.html

--
gpg --keyserver keys.gnupg.net --recv-key DC9B463B
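The post turns on the difference between an SSLv2-compatible CLIENT-HELLO that advertises TLS 1.0 and a regular SSLv3/TLS-record ClientHello. As an added illustration (not code from the post, the mod_ssl patch or the Apache project), this Python decoder reads the first bytes a client sends and reports which of the two encodings it used and which version and cipher suites it advertised, which is what you would check in a capture from a client that fails after SSLv3 is switched off. The two sample hellos are constructed inline, not captured traffic.

```python
import struct

SSLV2_HDR_BIT = 0x80   # high bit set: 2-byte SSLv2-style record header
TLS_HANDSHAKE = 0x16   # SSLv3/TLS record content type "handshake"
VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def parse_client_hello(data: bytes) -> dict:
    """Report hello encoding, advertised client version and offered cipher suites."""
    if data[0] & SSLV2_HDR_BIT:
        # SSLv2 CLIENT-HELLO: 15-bit length, msg type 0x01, version, then
        # cipher-specs/session-id/challenge lengths, specs (3 bytes each), ...
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) != length or body[0] != 0x01:
            raise ValueError("truncated or not an SSLv2 CLIENT-HELLO")
        major, minor, cs_len, sid_len, ch_len = struct.unpack(">BBHHH", body[1:9])
        if 9 + cs_len + sid_len + ch_len != length or cs_len % 3:
            raise ValueError("inconsistent SSLv2 CLIENT-HELLO lengths")
        specs = body[9:9 + cs_len]
        suites = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
        fmt = "sslv2-compatible"
    elif data[0] == TLS_HANDSHAKE:
        # SSLv3/TLS record: type, version, length, then a handshake ClientHello
        rec_len = struct.unpack(">H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != 0x01:
            raise ValueError("truncated or not a TLS ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        major, minor, sid_len = body[0], body[1], body[34]  # body[2:34] is the random
        off = 35 + sid_len
        cs_len = struct.unpack(">H", body[off:off + 2])[0]
        suites = [struct.unpack(">H", body[i:i + 2])[0]
                  for i in range(off + 2, off + 2 + cs_len, 2)]
        fmt = "tls-record"
    else:
        raise ValueError("not a recognised ClientHello")
    ver = (major, minor)
    return {"format": fmt, "client_version": ver,
            "version_name": VERSION_NAMES.get(ver, "unknown"), "cipher_suites": suites}

# Constructed samples: both advertise TLS 1.0 (0x0301) with suites 0x002F and
# 0x000A. The SSLv2-format one carries them as 3-byte specs with a leading
# zero byte, no session id and a 16-byte challenge; the record-format one has
# an all-zero 32-byte random, an empty session id and the null compression method.
SSLV2_COMPAT_HELLO = bytes.fromhex("801f" "010301" "000600000010" "00002f00000a") + bytes(16)
TLS_RECORD_HELLO = bytes.fromhex("160301002f" "0100002b" "0301" + "00" * 32
                                 + "00" "0004" "002f000a" "0100")
```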