Apache fails to start with TLSv1 disabled and does not recognise TLSv1.1 and TLSv1.2

0

I am having trouble disabling TLS 1.0 in Apache, as described here: link

$ apache2 -v
Server version: Apache/2.2.22 (Ubuntu)
Server built:   Mar  5 2015 18:10:09

$ apt-cache policy apache2
apache2:
  Installed: 2.2.22-1ubuntu1.8

$ openssl version -b -v
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 27 17:53:56 UTC 2015

$ apt-cache policy openssl
openssl:
  Installed: 1.0.1-4ubuntu5.27

These are the other SSL-related changes I made:

SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!DH

When starting Apache with this in /etc/apache2/mods-enabled/ssl.conf:

SSLProtocol +TLSv1.1 +TLSv1.2

the result is:

Syntax error on line 62 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.1'
Action 'configtest' failed.
The Apache error log may have more information.
   ...fail!

When starting Apache with this in /etc/apache2/mods-enabled/ssl.conf:

SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1

I temporarily set LogLevel to debug, and here is the log output from when Apache fails to start:

[Tue May 26 10:02:44 2015] [info] removed PID file /var/run/apache2.pid (pid=17793)
[Tue May 26 10:02:44 2015] [notice] caught SIGTERM, shutting down
[Tue May 26 10:02:45 2015] [info] Init: Seeding PRNG with 656 bytes of entropy
[Tue May 26 10:02:45 2015] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue May 26 10:02:45 2015] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue May 26 10:02:45 2015] [info] Init: Initializing (virtual) servers for SSL

When starting Apache with this in /etc/apache2/mods-enabled/ssl.conf:

SSLProtocol ALL -SSLv2 -SSLv3

it starts successfully with this error message:

[Tue May 26 10:03:04 2015] [info] Init: Seeding PRNG with 656 bytes of entropy
[Tue May 26 10:03:04 2015] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue May 26 10:03:04 2015] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue May 26 10:03:04 2015] [info] Init: Initializing (virtual) servers for SSL
[Tue May 26 10:03:04 2015] [info] mod_ssl/2.2.22 compiled against Server: Apache/2.2.22, Library: OpenSSL/1.0.1
[Tue May 26 10:03:04 2015] [info] Init: Seeding PRNG with 656 bytes of entropy
[Tue May 26 10:03:04 2015] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue May 26 10:03:04 2015] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(253): shmcb_init allocated 524288 bytes of shared memory
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(272): for 524208 bytes (524288 including header), recommending 32 subcaches, 136 indexes each
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(306): shmcb_init_memory choices follow
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(308): subcache_num = 32
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(310): subcache_size = 16376
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(312): subcache_data_offset = 3280
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(314): subcache_data_size = 13096
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(316): index_num = 136
[Tue May 26 10:03:04 2015] [info] Shared memory session cache initialised
[Tue May 26 10:03:04 2015] [info] Init: Initializing (virtual) servers for SSL
[Tue May 26 10:03:04 2015] [info] mod_ssl/2.2.22 compiled against Server: Apache/2.2.22, Library: OpenSSL/1.0.1
[Tue May 26 10:03:04 2015] [notice] Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1 configured -- resuming normal operations
[Tue May 26 10:03:04 2015] [info] Server built: Mar  5 2015 18:10:09
[Tue May 26 10:03:04 2015] [debug] prefork.c(1023): AcceptMutex: sysvsem (default: sysvsem)

Is the Apache documentation incorrect? Is Apache somehow using an older version of OpenSSL and therefore not accepting the new protocol flags? What else can I try here?

    
by Omn, 26.05.2015 / 16:48
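The three `SSLProtocol` lines above behave differently because of how mod_ssl combines the keywords: `all` expands to every protocol the build knows, `+name` adds one, `-name` removes one, and a bare name replaces whatever was selected before it. The following added example (not code from the post or from Apache) evaluates a directive offline under those rules; `LEGACY_KEYWORDS` is a constructed model of a mod_ssl build that only recognises SSLv2, SSLv3 and TLSv1, which reproduces both the `Illegal protocol 'TLSv1.1'` error and the case where subtracting `-TLSv1` leaves no protocol at all.

```python
"""Offline evaluation of Apache mod_ssl SSLProtocol directives.

Added example, not from the original post. Keyword sets are constructed:
LEGACY_KEYWORDS models a build without TLSv1.1/TLSv1.2 support,
MODERN_KEYWORDS models one that has it. 'all' is modelled as expanding
to every keyword the build knows.
"""

LEGACY_KEYWORDS = ("SSLv2", "SSLv3", "TLSv1")
MODERN_KEYWORDS = LEGACY_KEYWORDS + ("TLSv1.1", "TLSv1.2")

# Versions a hardening review flags if they remain enabled.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}


def parse_ssl_protocol(directive, known=MODERN_KEYWORDS):
    """Return the set of protocols the directive leaves enabled.

    Raises ValueError in mod_ssl's wording when a keyword is not known to
    the build, mirroring what 'apache2ctl configtest' would report.
    """
    lookup = {k.lower(): k for k in known}
    tokens = directive.split()
    if tokens and tokens[0].lower() == "sslprotocol":
        tokens = tokens[1:]           # accept a full config line or bare arguments
    enabled = set()
    for tok in tokens:
        action, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        if name.lower() == "all":
            chosen = set(known)
        elif name.lower() in lookup:
            chosen = {lookup[name.lower()]}
        else:
            raise ValueError("SSLProtocol: Illegal protocol '%s'" % name)
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = chosen          # a bare keyword overrides earlier selections
    return enabled


def review(directive, known=MODERN_KEYWORDS):
    """Classify: 'illegal' (unknown keyword), 'empty' (nothing left to
    serve), 'weak' (a legacy version still enabled) or 'ok'."""
    try:
        enabled = parse_ssl_protocol(directive, known)
    except ValueError:
        return "illegal"
    if not enabled:
        return "empty"
    return "weak" if enabled & WEAK_PROTOCOLS else "ok"
```

Running the post's three directives through `review(..., LEGACY_KEYWORDS)` yields `illegal`, `empty` and `weak` respectively, which matches the three outcomes observed; only with `MODERN_KEYWORDS` does `ALL -SSLv2 -SSLv3 -TLSv1` leave TLSv1.1 and TLSv1.2 enabled.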

0 answers