TechQA.

Apache - disable SSLv3 with SSLProxyProtocol - not working

3.6k views Asked by At

Heading

Apache/2.2.31 (Unix)

I have following SSL configuration outside of many virtual hosts sections:

SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression Off
SSLCipherSuite "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA25$
SSLProxyProtocol +TLSv1.2 -SSLv2 -SSLv3

and then I have one of the virtual host with following proxy configuration:

RewriteEngine On
SSLProxyEngine On
RewriteCond %{QUERY_STRING} !(^|&)requestOrigin=apiGateway($|&) [NC]
RewriteRule ^/portal/mobile/stores$ https://xxx.execute-api.eu-west-1.amazonaws.com/test/stores [QSA,P,L]

As you can see I have rewrite rule that proxy original request to Amazon API gateway. Amazon API gateway does not support SSLv3 that is why I disabled it in above configurations. I want TLSv1.2 to be used for proxying.

However, apache with configuration above where I disabled SSL still uses SSL for connection to amazon. See debug output below:

[debug] ssl_engine_io.c(1090): [client XXX.XXX.XXX.XXX] SNI extension for SSL Proxy request set to 'example.com'
[debug] ssl_engine_kernel.c(1834): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: before/connect initialization
[debug] ssl_engine_kernel.c(1842): OpenSSL: Loop: SSLv3 write client hello A
[debug] ssl_engine_io.c(1939): OpenSSL: read 5/5 bytes from BIO#10c87d0 [mem: 10cttb3] (BIO dump follows)
[debug] ssl_engine_io.c(1872): +-------------------------------------------------------------------------+
[debug] ssl_engine_io.c(1911): | 0000: 16 02 02 00 02                                   .....            |
[debug] ssl_engine_io.c(1917): +-------------------------------------------------------------------------+
[debug] ssl_engine_io.c(1939): OpenSSL: read 2/2 bytes from BIO#10c87d0 [mem: 10c44b8] (BIO dump follows)
[debug] ssl_engine_io.c(1872): +-------------------------------------------------------------------------+
[debug] ssl_engine_io.c(1911): | 0000: 02 38                                            .(               |
[debug] ssl_engine_io.c(1917): +-------------------------------------------------------------------------+
[debug] ssl_engine_kernel.c(1847): OpenSSL: Read: SSLv3 read server hello A
[debug] ssl_engine_kernel.c(1866): OpenSSL: Exit: failed in SSLv3 read server hello A
[info] [client XXX.XXX.XXX.XXX] SSL Proxy connect failed

Why apache proxy still uses SSL3 for proxying? How can I disable it once and for all?

apache ssl proxy sslv3
Original Q&A
1

There are 1 answers

0
kyL0r3nz0 On

Try changing

SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 -SSLv2 -SSLv3

to

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

and changing

SSLProxyProtocol +TLSv1.2 -SSLv2 -SSLv3

to

SSLProxyProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

Related Questions in APACHE

Related Questions in SSL

Related Questions in PROXY

Related Questions in SSLV3

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions