The release of Red Hat Enterprise Linux 6.5 provided openssl-1.0.1e which enables TLSv1.2. However, the ability to disable TLSv1.2 was not backported into the SSLProtocol directive for httpd/mod_ssl. Internet Explorer 10 seems to have a bug whereby it cannot handle certificates or chain certificates/CAs using SHA512 signatures as part of the protocol initiation for TLSv1.2. Even specifying an SSLCipherSuite that doesn't permit TLSv1.2 ciphers does not disable the use of TLSv1.2. There is no way to disable TLSv1.2, which is broken for certain use cases. Our CA structure is a multi-tier structure that uses SHA512 as the signature algorithm. Whenever a SHA512 certificate must be passed either as the certificate for the webserver itself or is present within the ChainFile or the CA, the combination of EL6.5 openssl + httpd + Internet Explorer 10 causes an SSL session establishment error. Apache 2.2 and 2.4 should support the use of 'SSLProtocol -TLSv1.2' (see http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol) but the version shipped with Red Hat EL6.5 does not support that directive.

Version-Release number of selected component (if applicable):
httpd-2.2.15-29.el6_4.x86_64
mod_ssl-2.2.15-29.el6_4.x86_64
openssl-1.0.1e-16.el6_5.x86_64

Steps to Reproduce:
1. Upgrade to openssl-1.0.1e with EL6.5
2. Configure the following in Apache:
   SSLCipherSuite AES:-TLSv1.2
3. Restart httpd.
4. Connect with Firefox or Safari or Chrome or 'openssl s_client' and the SSL connection type will be some form of a TLSv1.2 connection regardless. Connect with IE and you receive an error about SSL handshaking.
5. Configure the following in Apache, which should be supported when using openssl >= 1.0.1 per Apache's docs:
   SSLProtocol all -SSLv2 -TLSv1.2

Actual results:
6. Restart httpd and the following error will occur:
   SSLProtocol: Illegal protocol 'TLSv1.2'

Expected results:
6. Restart httpd and apache no longer uses TLSv1.2.
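The directive parsing at the centre of this report, written up as an added Python model; this is illustrative code, not mod_ssl's parser and not from the bug reporter or Red Hat. It follows the documented SSLProtocol syntax ('+' enables, '-' disables, 'all' expands to every protocol the build knows) plus one assumption about mod_ssl's behaviour that the report does not state: a bare token with no prefix replaces the current set rather than adding to it. The two token tables model the pre-backport 2.2.15 build (which rejects 'TLSv1.1' and 'TLSv1.2', producing the "Illegal protocol" error quoted above) and the fixed build; the helper at the end reproduces the 0/1 expectation convention of the QA log later in this thread, where 0 means the handshake for that client version is expected to succeed.

```python
"""Model of mod_ssl's SSLProtocol parsing (added example, not mod_ssl code)."""

# Tokens understood by the EL6.5-era 2.2.15 build (assumption: only the
# protocols that existed before OpenSSL 1.0.1 had been wired into mod_ssl).
OLD_MOD_SSL_TOKENS = ("SSLv2", "SSLv3", "TLSv1")
# Tokens understood once the TLSv1.1/TLSv1.2 support is backported.
NEW_MOD_SSL_TOKENS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Client version names as used by the QA log on this page -> SSLProtocol token.
CLIENT_VERSIONS = {"ssl3": "SSLv3", "tls1": "TLSv1",
                   "tls1.1": "TLSv1.1", "tls1.2": "TLSv1.2"}


class IllegalProtocol(ValueError):
    """Raised for a token the modelled build does not recognise."""


def parse_sslprotocol(directive, known_tokens=NEW_MOD_SSL_TOKENS):
    """Return the set of enabled protocol tokens for an SSLProtocol value.

    The leading word 'SSLProtocol' is optional. Tokens are matched
    case-insensitively. '+tok' adds, '-tok' removes, a bare 'tok' replaces
    the set (assumption about mod_ssl noted in the lead-in), and 'all'
    stands for every token in known_tokens.
    """
    words = directive.split()
    if words and words[0].lower() == "sslprotocol":
        words = words[1:]
    lookup = {t.lower(): t for t in known_tokens}
    enabled = set()
    for word in words:
        action = None
        if word and word[0] in "+-":
            action, word = word[0], word[1:]
        if word.lower() == "all":
            names = set(known_tokens)
        elif word.lower() in lookup:
            names = {lookup[word.lower()]}
        else:
            # Same wording as the httpd error quoted in the report.
            raise IllegalProtocol("SSLProtocol: Illegal protocol '%s'" % word)
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = set(names)
    return enabled


def expected_exit(enabled, client_version):
    """0 if a client pinned to client_version should complete the handshake,
    1 if the server should refuse it (the QA log's Expected/got convention)."""
    return 0 if CLIENT_VERSIONS[client_version] in enabled else 1


def expectation_matrix(directive, known_tokens=NEW_MOD_SSL_TOKENS):
    """Map each client version to its expected exit status for a directive."""
    enabled = parse_sslprotocol(directive, known_tokens)
    return {v: expected_exit(enabled, v) for v in CLIENT_VERSIONS}


if __name__ == "__main__":
    for build, tokens in (("pre-backport", OLD_MOD_SSL_TOKENS),
                          ("fixed", NEW_MOD_SSL_TOKENS)):
        for line in ("all -SSLv2 -TLSv1.2", "all -TLSv1.2 -TLSv1.1"):
            try:
                print(build, repr(line), expectation_matrix(line, tokens))
            except IllegalProtocol as err:
                print(build, repr(line), "->", err)
```

Note that the model deliberately has no notion of cipher suites: an SSLCipherSuite string such as 'AES:-TLSv1.2' only removes suites tagged for TLSv1.2 from the offered list, it does not stop the server from negotiating the TLSv1.2 protocol version with older suites, which is the behaviour step 4 of the report observes; only SSLProtocol controls the version.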
To be clear, the version that worked properly was openssl-1.0.0-27.el6_4.2. The upgrade to 1.0.1e-16.el6_5 (and also 1.0.1e-15.el6) are the openssl packages that began the issue.
Ah, that's annoying. Sorry about that. If this is an issue for you in production can you please escalate this through Red Hat Support, and we can get you some test packages, and we can prioritize the fix appropriately. https://www.redhat.com/support/process/production/#howto
Thanks Joe, I was doing just that when you filed this comment. Red Hat support case #00988054.
I've just hit this because some of my Subversion clients aren't correctly negotiating client certificates at TLSv1.2. In particular, all recent Tortoise SVN, http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3041429 and e.g. Subversion 1.6.18 on Fedora 16 fail once OpenSSL 1.0.1 is updated on the server. I realise this is a client-side problem, but there's currently no way to configure httpd to work around such troublesome clients...
*** Bug 1038648 has been marked as a duplicate of this bug. ***
This missing backport functionality also affects RHEL 6.4, and we are experiencing similar issues with attempting to disable TLS for our Subversion hosting. Disabling ciphers, as noted in #1 and #5, doesn't solve the issue because certain clients (and the tools which leverage their SSL stacks) don't recognize that the protocol is not allowed. One thing to note is that the Apache configuration change being requested for backport is supported by OpenSSL 1.0.1e but was not added to Apache's mod_ssl until 2.2.24 and 2.4.0.
Is there any progress on this issue?
Is this going to be released as an update for EL 6.6 or before that?
Jason, this fix is currently scheduled for inclusion in 6.6. We will get a test build for customers interested in trying out the fix soon.
As one of those customers, will this package also be usable on a 6.5 build?
Note: This parsing option is not fixed in httpd-2.2.15-31.el6. Attempting to turn off TLSv1.1 in SSLProtocol resulted in an 'unknown protocol' error.
httpd-2.2.15-31.el6_5, openssl-1.0.1e-28.el6

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   [ LOG ] :: Default settings
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Connecting to https server with tls1 (Expected 0, got 0)
:: [ PASS ] :: Connecting to https server with tls1.1 (Expected 0, got 0)
:: [ PASS ] :: Connecting to https server with tls1.2 (Expected 0, got 0)
::   [ LOG ] :: Duration: 3m 1s
::   [ LOG ] :: Assertions: 3 good, 0 bad
:: [ PASS ] :: RESULT: Default settings
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   [ LOG ] :: Disabled TLSv1.2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command 'echo 'SSLProtocol all -TLSv1.2' > /etc/httpd/conf.d/tls_version.conf' (Expected 0, got 0)
:: [ FAIL ] :: Command 'service httpd restart' (Expected 0, got 1)
:: [ FAIL ] :: Connecting to https server with tls1 (Expected 0, got 1)
:: [ FAIL ] :: Connecting to https server with tls1.1 (Expected 0, got 1)
:: [ PASS ] :: Connecting to https server with tls1.2 (Expected 1, got 1)
::   [ LOG ] :: Duration: 1s
::   [ LOG ] :: Assertions: 2 good, 3 bad
:: [ FAIL ] :: RESULT: Disabled TLSv1.2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   [ LOG ] :: Disabled TLSv1.2 and TLSv1.1
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command 'echo 'SSLProtocol all -TLSv1.2 -TLSv1.1' > /etc/httpd/conf.d/tls_version.conf' (Expected 0, got 0)
:: [ FAIL ] :: Command 'service httpd restart' (Expected 0, got 1)
:: [ FAIL ] :: Connecting to https server with tls1 (Expected 0, got 1)
:: [ PASS ] :: Connecting to https server with tls1.1 (Expected 1, got 1)
:: [ PASS ] :: Connecting to https server with tls1.2 (Expected 1, got 1)
::   [ LOG ] :: Duration: 2s
::   [ LOG ] :: Assertions: 3 good, 2 bad
:: [ FAIL ] :: RESULT: Disabled TLSv1.2 and TLSv1.1

^^^ restarting httpd caused this error:
Starting httpd: Syntax error on line 1 of /etc/httpd/conf.d/tls_version.conf:
SSLProtocol: Illegal protocol 'TLSv1.2'

httpd-2.2.15-38.el6, openssl-1.0.1e-28.el6

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   [ LOG ] :: Default settings
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Connecting to https server with tls1 (Expected 0, got 0)
:: [ PASS ] :: Connecting to https server with tls1.1 (Expected 0, got 0)
:: [ PASS ] :: Connecting to https server with tls1.2 (Expected 0, got 0)
::   [ LOG ] :: Duration: 3m 2s
::   [ LOG ] :: Assertions: 3 good, 0 bad
:: [ PASS ] :: RESULT: Default settings
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   [ LOG ] :: Disabled TLSv1.2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command 'echo 'SSLProtocol all -TLSv1.2' > /etc/httpd/conf.d/tls_version.conf' (Expected 0, got 0)
:: [ PASS ] :: Command 'service httpd restart' (Expected 0, got 0)
:: [ PASS ] :: Connecting to https server with tls1 (Expected 0, got 0)
:: [ PASS ] :: Connecting to https server with tls1.1 (Expected 0, got 0)
:: [ FAIL ] :: Connecting to https server with tls1.2 (Expected 1, got 0)
::   [ LOG ] :: Duration: 3m 2s
::   [ LOG ] :: Assertions: 4 good, 1 bad
:: [ FAIL ] :: RESULT: Disabled TLSv1.2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   [ LOG ] :: Disabled TLSv1.2 and TLSv1.1
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Command 'echo 'SSLProtocol all -TLSv1.2 -TLSv1.1' > /etc/httpd/conf.d/tls_version.conf' (Expected 0, got 0)
:: [ PASS ] :: Command 'service httpd restart' (Expected 0, got 0)
:: [ PASS ] :: Connecting to https server with tls1 (Expected 0, got 0)
:: [ FAIL ] :: Connecting to https server with tls1.1 (Expected 1, got 0)
:: [ FAIL ] :: Connecting to https server with tls1.2 (Expected 1, got 0)
::   [ LOG ] :: Duration: 3m 2s
::   [ LOG ] :: Assertions: 3 good, 2 bad
:: [ FAIL ] :: RESULT: Disabled TLSv1.2 and TLSv1.1

Note: The test case can be wrong, but it passed on httpd24-httpd-2.4.6-19.el6 after fix in cloned bug 1035371
Testing on httpd-2.2.15-31.el6_5 I get "SSLProtocol: Illegal protocol" for TLSv1.0, TLSv1.1, and TLSv1.2. I didn't think any fix had been published for EL6 yet in httpd-2.2, has it? Are there test patches or RPMs to test?
httpd-2.2.15-30.el6_5
=====================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   [ LOG ] :: Disabled TLSv1.2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ FAIL ] :: Connecting to https server with ssl3 (Expected 0, got 1)
:: [ FAIL ] :: Connecting to https server with tls1 (Expected 0, got 1)
:: [ FAIL ] :: Connecting to https server with tls1.1 (Expected 0, got 1)
:: [ PASS ] :: Connecting to https server with tls1.2 (Expected 1, got 1)
:: [ FAIL ] :: RESULT: Disabled TLSv1.2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   [ LOG ] :: Disabled TLSv1.2 and TLSv1.1
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ FAIL ] :: Connecting to https server with ssl3 (Expected 0, got 1)
:: [ FAIL ] :: Connecting to https server with tls1 (Expected 0, got 1)
:: [ PASS ] :: Connecting to https server with tls1.1 (Expected 1, got 1)
:: [ PASS ] :: Connecting to https server with tls1.2 (Expected 1, got 1)
:: [ FAIL ] :: RESULT: Disabled TLSv1.2 and TLSv1.1

httpd-2.2.15-36.el6
===================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   [ LOG ] :: Disabled TLSv1.2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Connecting to https server with ssl3 (Expected 0, got 0)
:: [ PASS ] :: Connecting to https server with tls1 (Expected 0, got 0)
:: [ PASS ] :: Connecting to https server with tls1.1 (Expected 0, got 0)
:: [ PASS ] :: Connecting to https server with tls1.2 (Expected 1, got 1)
:: [ PASS ] :: RESULT: Disabled TLSv1.2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   [ LOG ] :: Disabled TLSv1.2 and TLSv1.1
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Connecting to https server with ssl3 (Expected 0, got 0)
:: [ PASS ] :: Connecting to https server with tls1 (Expected 0, got 0)
:: [ PASS ] :: Connecting to https server with tls1.1 (Expected 1, got 1)
:: [ PASS ] :: Connecting to https server with tls1.2 (Expected 1, got 1)
:: [ PASS ] :: RESULT: Disabled TLSv1.2 and TLSv1.1
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1386.html