Apache and OpenSSL Configuration Question
on 17.10.2007 16:20:17 by Mike
I have 3 Redhat Linux servers that I inherited.
Now I have a problem that I can not figure out.
All 3 are running Apache 2.0.4 and OpenSSL 0.9.7m. Well I wanted to
turn off the SSLv2 on all of these along with the low encryption.
I did exactly the same thing on all 3 servers to the ssl.conf file, in
the SSLProtocol I changed it to: -All +SSLv3 +TLSv1
and in the SSLCipherSuite I removed the +LOW
On 2 of the servers it worked just fine. When I check the SSLv2 is
totally unsupported, however the 3rd one it doesn't seem to be
changing a thing. I am still getting the SSLv2 supported.
I know that the httpd service is reading this file, as a quick test I
mis-spelled something in the file, saved it and restarted the httpd
service and it bombed. Fixed it and it restarted fine.
So anyone have any idea as to what might be overriding the ssl.conf
file settings? I am finding nothing.
Thanks in advance.
Re: Apache and OpenSSL Configuration Question
on 17.10.2007 19:19:01 by Hans van Zijst
Hi Mike,
Sounds strange. I'm not an Apache expert, but reasonably familiar with
it. Here are a few ideas that come up.
Does it load more config files that might contain SSL configuration
directives? Maybe there are some SSL-related things in httpd.conf? I
know I used to do that in the past...
Does Apache try to load the SSL module twice? It should give a warning
about that when it starts up.
Maybe I'm talking rubbish now, but how about the certificates? Does
server #3 have a low-grade certificate? Say, 56 bits?
Kind regards,
Hans
mike wrote:
> I have 3 Redhat Linux servers that I inherited.
> Now I have a problem that I can not figure out.
>
> All 3 are running Apache 2.0.4 and OpenSSL 0.9.7m. Well I wanted to
> turn off the SSLv2 on all of these along with the low encryption.
>
> I did exactly the same thing on all 3 servers to the ssl.conf file, in
> the SSLProtocol I changed it to: -All +SSLv3 +TLSv1
> and in the SSLCipherSuite I removed the +LOW
>
> On 2 of the servers it worked just fine. When I check the SSLv2 is
> totally unsupported, however the 3rd one it doesn't seem to be
> changing a thing. I am still getting the SSLv2 supported.
>
> I know that the httpd service is reading this file, as a quick test I
> mis-spelled something in the file, saved it and restarted the httpd
> service and it bombed. Fixed it and it restarted fine.
>
> So anyone have any idea as to what might be overriding the ssl.conf
> file settings? I am finding nothing.
>
> Thanks in advance.
>
Re: Apache and OpenSSL Configuration Question
on 17.10.2007 21:57:44 by Mike
On Oct 17, 1:19 pm, Hans van Zijst wrote:
> Hi Mike,
>
> Sounds strange. I'm not an Apache expert, but reasonably familiar with
> it. Here are a few ideas that come up.
>
> Does it load more config files that might contain SSL configuration
> directives? Maybe there are some SSL-related things in httpd.conf? I
> know I used to do that in the past...
>
> Does Apache try to load the SSL module twice? It should give a warning
> about that when it starts up.
>
> Maybe I'm talking rubbish now, but how about the certificates? Does
> server #3 have a low-grade certificate? Say, 56 bits?
>
> Kind regards,
>
> Hans
>
>
>
> mike wrote:
> > I have 3 Redhat Linux servers that I inherited.
> > Now I have a problem that I can not figure out.
>
> > All 3 are running Apache 2.0.4 and OpenSSL 0.9.7m. Well I wanted to
> > turn off the SSLv2 on all of these along with the low encryption.
>
> > I did exactly the same thing on all 3 servers to the ssl.conf file, in
> > the SSLProtocol I changed it to: -All +SSLv3 +TLSv1
> > and in the SSLCipherSuite I removed the +LOW
>
> > On 2 of the servers it worked just fine. When I check the SSLv2 is
> > totally unsupported, however the 3rd one it doesn't seem to be
> > changing a thing. I am still getting the SSLv2 supported.
>
> > I know that the httpd service is reading this file, as a quick test I
> > mis-spelled something in the file, saved it and restarted the httpd
> > service and it bombed. Fixed it and it restarted fine.
>
> > So anyone have any idea as to what might be overriding the ssl.conf
> > file settings? I am finding nothing.
>
> > Thanks in advance.
I had thought about having SSL directives in other places. I have
been looking for 2 days now, but can not find anything anywhere. I
wonder however if I enter them into the httpd.conf if it will take
care of my problem at any rate and override whatever is the
controlling file.
As far as I know it is not loading it 2X, it is not at any rate giving
an error message.
As far as the certificate goes, no it is not a low-grade cert.
Thanks,
Mike
Re: Apache and OpenSSL Configuration Question
on 18.10.2007 13:38:40 by Hans van Zijst
It won't make any difference if you put your directives in separate
config files or in one central httpd.conf. In the past everything used
to be in httpd.conf, but several smaller config files usually make for a
system that's easier to manage. What I meant was that the guy(s) who
built the servers you inherited may have added some directives in
several places. It's easy to do, I shot myself in the foot a couple of
times in the past.
Can you post your config files? Makes the analysis that much easier :)
Regards,
Hans
mike wrote:
> I had thought about having SSL directives in other places. I have
> been looking for 2 days now, but can not find anything anywhere. I
> wonder however if I enter them into the httpd.conf if it will take
> care of my problem at any rate and override whatever is the
> controlling file.
>
> As far as I know it is not loading it 2X, it is not at any rate giving
> an error message.
>
> As far as the certificate goes, no it is not a low-grade cert.
>
> Thanks,
> Mike
>
Re: Apache and OpenSSL Configuration Question
on 31.10.2007 12:33:52 by tower75
Hi,
Did you find a solution for this problem? I got a very similar
problem.
Thanks
Rasmus
Re: Apache and OpenSSL Configuration Question
on 31.10.2007 13:19:09 by Mike
On Oct 31, 7:33 am, towe...@gmail.com wrote:
> Hi,
>
> Did you find a solution for this problem? I got a very similar
> problem.
>
> Thanks
> Rasmus
Yea I added them to the httpd.conf file and it worked fine.
Still do not know what file was controlling it since, but by using the
httpd.conf file I was able to get it to work.
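
Added example (not part of the thread, and not code from any poster): one way to hunt for the stray directive the thread never located is to follow the Include lines from httpd.conf and list every SSLProtocol and SSLCipherSuite directive in the order the files are read, with the enclosing VirtualHost, so conflicting settings show up side by side. The sample tree, including the file name zz-old.conf, is constructed for the demo; on a real server pass the actual ServerRoot and main config path to scan().

```python
import glob, os, tempfile

WATCH = {"sslprotocol", "sslciphersuite"}

def scan(pattern, root, ctx="global", seen=None):
    """Yield (file, line, context, text) for watched directives in read order."""
    seen = set() if seen is None else seen
    full = pattern if os.path.isabs(pattern) else os.path.join(root, pattern)
    for path in sorted(glob.glob(full)):      # wildcards expand alphabetically
        if path in seen or not os.path.isfile(path):
            continue                          # skip repeats so Include loops end
        seen.add(path)
        here = ctx
        with open(path) as fh:
            lines = fh.read().splitlines()
        for n, raw in enumerate(lines, 1):
            words = raw.split()
            if not words or words[0].startswith("#"):
                continue
            key = words[0].lower()
            if key == "<virtualhost":
                here = "vhost " + " ".join(words[1:]).rstrip(">")
            elif key == "</virtualhost>":
                here = ctx
            elif key == "include" and len(words) > 1:
                yield from scan(words[1], root, here, seen)
            elif key in WATCH:
                yield (os.path.relpath(path, root), n, here, raw.strip())

# Constructed sample tree: file names and contents are invented for the demo.
SAMPLE = {
    "conf/httpd.conf": "Include conf.d/*.conf\n",
    "conf.d/ssl.conf": "<VirtualHost _default_:443>\n"
                       "SSLProtocol -All +SSLv3 +TLSv1\n"
                       "SSLCipherSuite HIGH:MEDIUM:!ADH\n</VirtualHost>\n",
    "conf.d/zz-old.conf": "<VirtualHost _default_:443>\n"
                          "  SSLProtocol all\n</VirtualHost>\n",
}

def demo():
    root = tempfile.mkdtemp()
    for name, body in SAMPLE.items():
        os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return list(scan("conf/httpd.conf", root))

if __name__ == "__main__":
    for hit in demo():
        print("%s:%d [%s] %s" % hit)
```

In the constructed tree the second SSLProtocol line sits in the same virtual host as the edited one in ssl.conf, which is the kind of leftover Hans suggests looking for.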