Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1034984

Summary: httpd Cannot Disable TLSv1.2
Product: Red Hat Enterprise Linux 6 Reporter: Jason McCormick <jasonmc>
Component: httpdAssignee: Luboš Uhliarik <luhliari>
Status: CLOSED ERRATA QA Contact: Ondřej Pták <optak>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.5CC: acavalla, aogburn, chuffman, csutherl, dmasirka, erich, fweimer, hkario, iweiss, jkaluza, jorton, jqassar, jtrowbri, klepikho, leonard-rh-bugzilla, lkonno, mdshaikh, michele, mmatsuya, nteruptedservice, number.cruncher, optak, pez, redhat2, thoger
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: httpd-2.2.15-39.el6 Doc Type: Bug Fix
Doc Text:
Cause: mod_ssl did not allow using TLSv1.2 in its directives. Consequence: It was not possible to setup mod_ssl to disable TLSv1.2. Fix: Support for TLSv1.2 configuration options has been added. Result: mod_ssl now TLSv1.2 in its directives and it is possible to disable TLSv1.2.
 Story Points: ---
Clone Of:
: 1035371 (view as bug list) Environment:
Last Closed: 2014-10-14 08:07:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1035371, 1038651, 1056252, 1070830, 1090445    

Description Jason McCormick 2013-11-26 19:49:41 UTC 
The release of Red Hat Enterprise Linux 6.5 provided openssl-1.0.1e which enables TLSv1.2. However the ability to disable TLSv1.2 was not backported into the SSLProtocol directive for httpd/mod_ssl. 

Internet Explorer 10 seems to have a bug whereby it cannot handle certificates or chain certificates/CAs using SHA512 signatures as part of the protocol initiation for TLSv1.2. Even specifying an SSLCipherSuite that doesn't permit TLSv1.2 ciphers does not disable the use of TLSv1.2. There is no way to disable TLSv1.2 which is broken for certain use cases. 

Our CA structure is a multi-tier structure that uses SHA512 as the signature algorithm. Whenever an SHA512-certificate must be passed either as the certificate for the webserver itself or is present within the ChainFile or the CA, the combination of EL6.5 openssl + httpd + Internet Explorer 10 causes an SSL session establishment error.

Apache 2.2 and 2.4 should support the use of 'SSLProtocol -TLSv1.2' (see http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol) but the version shipped with Red Hat EL6.5 does not support that directive.
 
Version-Release number of selected component (if applicable):
httpd-2.2.15-29.el6_4.x86_64
mod_ssl-2.2.15-29.el6_4.x86_64
openssl-1.0.1e-16.el6_5.x86_64

Steps to Reproduce:

1. Upgrade to openssl-1.0.1e with EL6.5

2. Configure the following in Apache:

SSLCipherSuite AES:-TLSv1.2

3. Restart httpd.

4. Connect with Firefox or Safari or Chrome or 'openssl s_client' and the SSL connection type will be some form of a TLSv1.2 connection regardless. Connect with IE and you receive an error about SSL handshaking.

5. Configure the following in Apache which should be supported when using openssl >= 1.0.1 per Apache's docs:

SSLProtocol all -SSLv2 -TLSv1.2

Actual results:

6. Restart httpd and the following error will occur:

SSLProtocol: Illegal protocol 'TLSv1.2'

Expected results:

6. Restart httpd and apache no longer uses TLSv1.2.
Comment 2 Jason McCormick 2013-11-26 20:04:34 UTC 
To be clear, the version that worked properly was openssl-1.0.0-27.el6_4.2. The upgrade to 1.0.1e-16.el6_5 (and also 1.0.1e-15.el6) are the openssl packages that began the issue.
Comment 3 Joe Orton 2013-11-26 20:18:32 UTC 
Ah, that's annoying.  Sorry about that.

If this is a issue for you in production can you please escalate this through Red Hat Support, and we can get you some test packages, and we can prioritize the fix appropriately.

https://www.redhat.com/support/process/production/#howto
Comment 4 Jason McCormick 2013-11-26 20:22:47 UTC 
Thanks Joe, I was doing just that when you filed this comment. Red Hat support case #00988054.
Comment 5 Simon 2013-12-17 17:02:19 UTC 
I've just hit this because some of my Subversion clients aren't correctly negotiating client certificates at TLSv1.2. In particular, all recent Tortoise SVN, http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=3041429 and e.g. Subversion 1.6.18 on Fedora 16 fail once OpenSSL 1.0.1 is updated on the server.

I realise this is a client-side problem, but there's currently no way to configure httpd to workaround such troublesome clients....
Comment 17 Joe Orton 2014-01-24 15:52:48 UTC 
*** Bug 1038648 has been marked as a duplicate of this bug. ***
Comment 19 JQ 2014-02-13 20:25:13 UTC 
This missing backport functionality also affects RHEL 6.4, and we are experiencing similar issues with attempting to disable TLS for our Subversion hosting.  Disabling ciphers, as noted in #1 and #5, doesn't solve the issue because certain clients (and the tools which leverage their SSL stacks) don't recognize that the protocol is not allowed.

One thing to note is that the Apache configuration change being requested for backport is supported by OpenSSL 1.0.1e but was not added to Apache's mod_ssl until 2.2.24 and 2.4.0.
Comment 21 Egon Kastelijn 2014-03-06 15:37:21 UTC 
Is there any progress on this issue?
Comment 25 Jason McCormick 2014-05-15 13:33:17 UTC 
Is this going to be released as a update for EL 6.6 or before that?
Comment 26 Joe Orton 2014-05-15 13:41:09 UTC 
Jason, this fix is currently scheduled for inclusion in 6.6.  We will get a test build for customers interested in trying out the fix soon.
Comment 27 JQ 2014-05-15 19:01:44 UTC 
As one of those customers, will this package also be usable on a 6.5 build?
Comment 32 JQ 2014-08-01 20:21:44 UTC 
Note: This parsing option is not fixed in httpd-2.2.15-31.el6 .  Attempting to turn off TLSv1.1 in SSLProtocol resulted in a 'unknown protocol' error.
Comment 33 Ondřej Pták 2014-08-28 12:00:38 UTC 
httpd-2.2.15-31.el6_5, openssl-1.0.1e-28.el6

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Default settings
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Connecting to https server with tls1 (Expected 0, got 0)
:: [   PASS   ] :: Connecting to https server with tls1.1 (Expected 0, got 0)
:: [   PASS   ] :: Connecting to https server with tls1.2 (Expected 0, got 0)
:: [   LOG    ] :: Duration: 3m 1s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: Default settings

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Disabled TLSv1.2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'echo 'SSLProtocol all -TLSv1.2' > /etc/httpd/conf.d/tls_version.conf' (Expected 0, got 0)
:: [   FAIL   ] :: Command 'service httpd restart' (Expected 0, got 1)
:: [   FAIL   ] :: Connecting to https server with tls1 (Expected 0, got 1)
:: [   FAIL   ] :: Connecting to https server with tls1.1 (Expected 0, got 1)
:: [   PASS   ] :: Connecting to https server with tls1.2 (Expected 1, got 1)
:: [   LOG    ] :: Duration: 1s
:: [   LOG    ] :: Assertions: 2 good, 3 bad
:: [   FAIL   ] :: RESULT: Disabled TLSv1.2

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Disabled TLSv1.2 and TLSv1.1
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'echo 'SSLProtocol all -TLSv1.2 -TLSv1.1' > /etc/httpd/conf.d/tls_version.conf' (Expected 0, got 0)
:: [   FAIL   ] :: Command 'service httpd restart' (Expected 0, got 1)
:: [   FAIL   ] :: Connecting to https server with tls1 (Expected 0, got 1)
:: [   PASS   ] :: Connecting to https server with tls1.1 (Expected 1, got 1)
:: [   PASS   ] :: Connecting to https server with tls1.2 (Expected 1, got 1)
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 3 good, 2 bad
:: [   FAIL   ] :: RESULT: Disabled TLSv1.2 and TLSv1.1

^^^ restarting httpd caused this error:
Starting httpd: Syntax error on line 1 of /etc/httpd/conf.d/tls_version.conf:
SSLProtocol: Illegal protocol 'TLSv1.2'



httpd-2.2.15-38.el6, openssl-1.0.1e-28.el6
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Default settings
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Connecting to https server with tls1 (Expected 0, got 0)
:: [   PASS   ] :: Connecting to https server with tls1.1 (Expected 0, got 0)
:: [   PASS   ] :: Connecting to https server with tls1.2 (Expected 0, got 0)
:: [   LOG    ] :: Duration: 3m 2s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: Default settings

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Disabled TLSv1.2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'echo 'SSLProtocol all -TLSv1.2' > /etc/httpd/conf.d/tls_version.conf' (Expected 0, got 0)
:: [   PASS   ] :: Command 'service httpd restart' (Expected 0, got 0)
:: [   PASS   ] :: Connecting to https server with tls1 (Expected 0, got 0)
:: [   PASS   ] :: Connecting to https server with tls1.1 (Expected 0, got 0)
:: [   FAIL   ] :: Connecting to https server with tls1.2 (Expected 1, got 0)
:: [   LOG    ] :: Duration: 3m 2s
:: [   LOG    ] :: Assertions: 4 good, 1 bad
:: [   FAIL   ] :: RESULT: Disabled TLSv1.2

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Disabled TLSv1.2 and TLSv1.1
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Command 'echo 'SSLProtocol all -TLSv1.2 -TLSv1.1' > /etc/httpd/conf.d/tls_version.conf' (Expected 0, got 0)
:: [   PASS   ] :: Command 'service httpd restart' (Expected 0, got 0)
:: [   PASS   ] :: Connecting to https server with tls1 (Expected 0, got 0)
:: [   FAIL   ] :: Connecting to https server with tls1.1 (Expected 1, got 0)
:: [   FAIL   ] :: Connecting to https server with tls1.2 (Expected 1, got 0)
:: [   LOG    ] :: Duration: 3m 2s
:: [   LOG    ] :: Assertions: 3 good, 2 bad
:: [   FAIL   ] :: RESULT: Disabled TLSv1.2 and TLSv1.1

Note:
The test case can be wrong, but it passed on httpd24-httpd-2.4.6-19.el6 after fix in cloned bug 1035371
Comment 36 Jason McCormick 2014-08-28 14:18:49 UTC 
Testing on httpd-2.2.15-31.el6_5 I get "SSLProtocol: Illegal protocol" for TLSv1.0, TLSv1.1, and TLSv1.2. I didn't think any fix had been published for EL6 yet in httpd-2.2, has it? Are there test patches or RPMs to test?
Comment 38 Ondřej Pták 2014-09-09 14:06:17 UTC 
httpd-2.2.15-30.el6_5
=====================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Disabled TLSv1.2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   FAIL   ] :: Connecting to https server with ssl3 (Expected 0, got 1)
:: [   FAIL   ] :: Connecting to https server with tls1 (Expected 0, got 1)
:: [   FAIL   ] :: Connecting to https server with tls1.1 (Expected 0, got 1)
:: [   PASS   ] :: Connecting to https server with tls1.2 (Expected 1, got 1)
:: [   FAIL   ] :: RESULT: Disabled TLSv1.2

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Disabled TLSv1.2 and TLSv1.1
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   FAIL   ] :: Connecting to https server with ssl3 (Expected 0, got 1)
:: [   FAIL   ] :: Connecting to https server with tls1 (Expected 0, got 1)
:: [   PASS   ] :: Connecting to https server with tls1.1 (Expected 1, got 1)
:: [   PASS   ] :: Connecting to https server with tls1.2 (Expected 1, got 1)
:: [   FAIL   ] :: RESULT: Disabled TLSv1.2 and TLSv1.1


httpd-2.2.15-36.el6
===================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Disabled TLSv1.2
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Connecting to https server with ssl3 (Expected 0, got 0)
:: [   PASS   ] :: Connecting to https server with tls1 (Expected 0, got 0)
:: [   PASS   ] :: Connecting to https server with tls1.1 (Expected 0, got 0)
:: [   PASS   ] :: Connecting to https server with tls1.2 (Expected 1, got 1)
:: [   PASS   ] :: RESULT: Disabled TLSv1.2

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Disabled TLSv1.2 and TLSv1.1
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Connecting to https server with ssl3 (Expected 0, got 0)
:: [   PASS   ] :: Connecting to https server with tls1 (Expected 0, got 0)
:: [   PASS   ] :: Connecting to https server with tls1.1 (Expected 1, got 1)
:: [   PASS   ] :: Connecting to https server with tls1.2 (Expected 1, got 1)
:: [   PASS   ] :: RESULT: Disabled TLSv1.2 and TLSv1.1
Comment 41 errata-xmlrpc 2014-10-14 08:07:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1386.html