TLS 1.0 Backing Down to SSL 3.0

on 21.06.2007 00:42:22 by rich.fought

Hello,

I'm trying to configure my Apache 2.0.59 server w/ mod_ssl to use TLS
1.0 only. I have set the SSLCipherSuite accordingly, however when I
connect with IE6 with SSLv3 enabled and TLSv1 disabled, I still get
through because of the TLS ability to back down to SSL 3.0. Is there a
way to disable this behavior in the configuration?

Thanks,
Rich
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: TLS 1.0 Backing Down to SSL 3.0

on 21.06.2007 09:53:21 by Eckard Wille

Fought, Richard wrote:
> I'm trying to configure my Apache 2.0.59 server w/ mod_ssl to use TLS
> 1.0 only. I have set the SSLCipherSuite accordingly, however when I
> connect with IE6 with SSLv3 enabled and TLSv1 disabled, I still get
> through because of the TLS ability to back down to SSL 3.0. Is there a
> way to disable this behavior in the configuration?

Hi Richard,

if no config rules work, maybe the fastest way to achieve your goal is
redirects depending on the current client protocol spoken. For
example, redirecting every browser not communicating via TLS to an
extra error page:

# export SSL_* variables (incl. SSL_PROTOCOL) so mod_rewrite can see them
SSLOptions +StdEnvVars
RewriteEngine on
# client did not negotiate TLSv1 ...
RewriteCond %{SSL:SSL_PROTOCOL} !TLSv1
# ... and is not already requesting the error page (avoids a redirect loop)
RewriteCond %{REQUEST_URI} !^/error/.*$
RewriteRule .* /error/no_tls_encryption.html [R,L]

Did not test this myself, see further details on
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25 and
http://httpd.apache.org/docs/2.2/de/mod/mod_rewrite.html#rewritecond

Greetings from Germany,
Eckard

RE: TLS 1.0 Backing Down to SSL 3.0

on 21.06.2007 17:11:16 by rich.fought

>
> Hi Richard,
>
> if no config rules work, maybe the fastest way to achieve your goal is
> redirects depending on the current client protocol spoken. For
> example, redirecting every browser not communicating via TLS to an
> extra error page:
>
> SSLOptions +StdEnvVars
> RewriteEngine on
> RewriteCond %{SSL:SSL_PROTOCOL} !TLSv1
> RewriteCond %{REQUEST_URI} !^/error/.*$
> RewriteRule .* /error/no_tls_encryption.html [R,L]
>
> Did not test this myself, see further details on
> http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25 and
> http://httpd.apache.org/docs/2.2/de/mod/mod_rewrite.html#rewritecond
>
> Greetings from Germany,
> Eckard

Eckard,

Thanks for the excellent suggestion but I found the solution. I was
focusing on SSLCipherSuite so much that I completely missed the
SSLProtocol directive. It is not included in the default config and
thus apparently defaults to all. Setting this to TLSv1 only yields the
expected results - clients are not allowed to connect.

Your solution does present a more elegant result in that this page can
be used to inform the user that they need to enable TLSv1 in their
browser, or use one that supports TLS.

Regards,
Rich
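An added example, not from the thread or from the mod_ssl project: a small Python lint that reproduces the pitfall Rich ran into (an SSL-enabled <VirtualHost> that never sets SSLProtocol and therefore inherits "all") and evaluates explicit SSLProtocol lines with mod_ssl's +/- token rules. The version set that "all" expands to is assumed to be the widest one, and the sample config is constructed for the demonstration.

```python
import re

# Version names mod_ssl understands. Which of these "all" expands to depends on the
# httpd/OpenSSL build (2.0.59 knew only SSLv2/SSLv3/TLSv1); assume the widest set.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}

def effective_protocols(value):
    """SSLProtocol token rules: '+name' adds, '-name' removes, a bare name
    replaces the whole set, and 'all' stands for every version."""
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        key = name.lower()
        chosen = set(ALL_PROTOCOLS) if key == "all" else {_CANON[key]}  # KeyError if unknown
        if op == "-":
            enabled -= chosen
        elif op == "+":
            enabled |= chosen
        else:
            enabled = chosen
    return enabled

def lint_vhosts(conf):
    """Map each SSL-enabled <VirtualHost> to the weak versions it still accepts.
    A vhost without an SSLProtocol line is treated as 'all', the default Rich hit."""
    findings = {}
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S):
        name, body = m.group(1).strip(), m.group(2)
        if not re.search(r"^\s*SSLEngine\s+on\b", body, re.I | re.M):
            continue
        proto = re.search(r"^\s*SSLProtocol\s+(.+?)\s*$", body, re.I | re.M)
        enabled = effective_protocols(proto.group(1)) if proto else set(ALL_PROTOCOLS)
        findings[name] = sorted(enabled & WEAK_PROTOCOLS)
    return findings

# Constructed sample: the first vhost mirrors the default config from the thread.
SAMPLE_CONF = """<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLProtocol TLSv1
</VirtualHost>
<VirtualHost *:9443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>"""
```

Running `lint_vhosts(SAMPLE_CONF)` flags the first vhost with every weak version, the second with TLSv1 only, and the third with none.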