Apache is not using SSLProtocol & SSLCipherSuite directive configuration

I am trying to set up HTTPS on my web server. I get the error Error code: SSL_ERROR_NO_CYPHER_OVERLAP in Firefox and ERR_SSL_VERSION_OR_CIPHER_MISMATCH in Chrome. I looked it up and found that my SSL protocols or ciphers are unsupported. A test on SSL Labs (https://www.ssllabs.com/ssltest/) resulted in "No secure protocol supported". GeekFlare's TLS test (https://gf.dev/tls-test) says that none of the TLS protocols are enabled. I also tested using nmap --script ssl-enum-ciphers -p 443 mydomain.com and get this result:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-09 11:23 WIB
Nmap scan report for mydomain.in-addr.arpa (mydomain)
Host is up (0.0079s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
|     compressors: 
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|     warnings: 
|       Forward Secrecy not supported by any cipher
|   TLSv1.1: 
|     ciphers: 
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
|     compressors: 
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|     warnings: 
|       Forward Secrecy not supported by any cipher
|   TLSv1.2: 
|     ciphers: 
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
|     compressors: 
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|     warnings: 
|       Forward Secrecy not supported by any cipher
|_  least strength: F

Nmap done: 1 IP address (1 host up) scanned in 2.67 seconds

Basically none of the protocols and ciphers I've put in the SSL configuration are used. I get the same result even after changing protocols and trying specific ciphers.

I am using CentOS 8, Apache 2.4.37, and OpenSSL 1.1.1g.

These are my latest SSL protocol and cipher settings:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

I've set them in every SSL config file I know of on my server that contains SSLProtocol and SSLCipherSuite:

/etc/httpd/conf.d/ssl.conf

/etc/httpd/conf.d/mydomain.conf

/etc/letsencrypt/options-ssl-apache.conf

Edit:

openssl ciphers -s -v shows:


TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-CCM  TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESCCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(256) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-CCM              TLSv1.2 Kx=RSA      Au=RSA  Enc=AESCCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES256-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-CCM      TLSv1.2 Kx=DH       Au=RSA  Enc=AESCCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1

openssl s_client -connect server_public_IP:443 returns:

CONNECTED(00000003)
140639468660544:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 301 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

I've tried other TLS protocols and ciphers many times, and every single change I've made did nothing.

Is there something I missed?

Perhaps there is other config file that overrides the configuration?

Any help is appreciated, thanks.
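The nmap output in the question can be read mechanically. The script below is an added example for this thread, not code from the question or its answers: it parses `ssl-enum-ciphers` output and reports, per protocol, which suites the responder offers and whether any of them authenticates the server. The sample input is constructed from the question's output with one authenticated suite added under TLSv1.2 so that both outcomes appear. The diagnostic point it encodes: a server whose SSLCipherSuite holds only ECDHE/DHE suites with RSA or ECDSA authentication can never offer `TLS_DH_anon_*`, so an anonymous-only offer means the handshake is not reaching that Apache instance at all.

```python
"""Parse `nmap --script ssl-enum-ciphers` output and flag responders that
offer only anonymous (unauthenticated) cipher suites.

Added example for this thread; not code from the question or its answers.
"""
import re
from collections import OrderedDict

# Constructed sample: the question's nmap output, abridged, plus one
# authenticated suite under TLSv1.2 so the report shows both cases.
SAMPLE = """\
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
|     compressors: 
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|     warnings: 
|       Forward Secrecy not supported by any cipher
|   TLSv1.2: 
|     ciphers: 
|       TLS_DH_anon_WITH_AES_256_CBC_SHA - F
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: F
"""

PROTO_RE = re.compile(r"^(SSLv3|TLSv1(?:\.[0-3])?):$")
CIPHER_RE = re.compile(
    r"^(?P<name>TLS_[A-Za-z0-9_]+)(?: \((?P<group>[^)]*)\))? - (?P<grade>[A-F])$")
SECTIONS = {"ciphers:", "compressors:", "warnings:"}


def parse_enum_ciphers(text):
    """Return {protocol: {"ciphers": [(name, grade), ...], "warnings": [...]}}."""
    result = OrderedDict()
    proto = section = None
    for raw in text.splitlines():
        line = re.sub(r"^\|_?", "", raw).strip()  # drop nmap's "|" / "|_" gutter
        m = PROTO_RE.match(line)
        if m:                                     # "TLSv1.2:" opens a protocol block
            proto = m.group(1)
            result[proto] = {"ciphers": [], "warnings": []}
            section = None
            continue
        if proto is None:                         # header lines before the first protocol
            continue
        if line in SECTIONS:                      # "ciphers:", "compressors:", "warnings:"
            section = line[:-1]
            continue
        if re.match(r"^[a-z ]+: ", line):         # e.g. "cipher preference: server" ends a section
            section = None
            continue
        if section == "ciphers":
            m = CIPHER_RE.match(line)
            if m:
                result[proto]["ciphers"].append((m.group("name"), m.group("grade")))
        elif section == "warnings" and line:
            result[proto]["warnings"].append(line)
    return result


def is_anonymous(name):
    """Anonymous key exchange (DH_anon / ECDH_anon) means no server certificate."""
    return "_anon_" in name


def assess(parsed):
    """Summarise each protocol and record whether any suite authenticates the server."""
    report = {"protocols": {}, "authenticated_anywhere": False}
    for proto, info in parsed.items():
        names = [n for n, _ in info["ciphers"]]
        anon = [n for n in names if is_anonymous(n)]
        report["protocols"][proto] = {
            "offered": len(names),
            "anonymous": anon,
            # nmap grades A (best) to F; the lexically largest letter is the weakest
            "weakest_grade": max((g for _, g in info["ciphers"]), default=None),
            "warnings": info["warnings"],
        }
        if len(anon) < len(names):
            report["authenticated_anywhere"] = True
    return report


def verdict(report):
    """One-line diagnosis of what kind of responder answered on the port."""
    if not report["protocols"]:
        return "no TLS protocol negotiated: nothing speaking TLS answered on that port"
    if not report["authenticated_anywhere"]:
        return ("every offered suite is anonymous: the responder presents no certificate, "
                "so it is not a server configured with RSA/ECDSA-authenticated suites")
    return "responder offers authenticated suites"


if __name__ == "__main__":
    rep = assess(parse_enum_ciphers(SAMPLE))
    for proto, summary in rep["protocols"].items():
        print(proto, summary)
    print(verdict(rep))
```

Run it against saved output of `nmap --script ssl-enum-ciphers -p 443 host` by reading the file into `SAMPLE`; the question's own output, which lists only `TLS_DH_anon_WITH_AES_256_CBC_SHA` under every protocol, yields the "every offered suite is anonymous" verdict.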

garethTheRed: Do you have an `ssl_conf` section in the system-wide openssl config file (`/etc/pki/tls/openssl.cnf` on CentOS, I believe)? If so, that may be limiting your choice of ciphers. Also, does `openssl -s -v` list all/some/any of your chosen cipher suites?
actomobile: @garethTheRed This is the ssl_conf line inside openssl.cnf: `ssl_conf = ssl_module`. What should I change to fix it? `openssl ciphers -s -v` indeed lists my chosen cipher suites.
garethTheRed: Temporarily comment it out and see if that helps. Also, `openssl ciphers -s -v` needs to list ciphers that are acceptable to your server __and__ offered by the client - not just the former.
actomobile: @garethTheRed Commenting it out didn't help. Same results. These ciphers are from Mozilla's SSL configuration generator, so I assume it should accept them. Also there is a `.include /etc/crypto-policies/back-ends/opensslcnf.config` line in `openssl.cnf`. That file also has a CipherSuite section. Maybe that also overrides the configuration?
actomobile: Nope, changing CipherSuites in `/etc/crypto-policies/back-ends/opensslcnf.config` didn't work.
garethTheRed: You could start using Wireshark or tcpdump to monitor the server and see what ciphers are offered during the handshake. Another option is to use different clients (e.g. `openssl s_client`) to see if that connects, and even try a basic server with `openssl s_server` to see if that permits connections. These tools should help you narrow down where the problem lies.
actomobile: @garethTheRed `openssl s_server` returns various errors about certificate files not existing. After generating said files, the missing-file errors no longer came up; instead I got `140638281008960:error:0909006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:745:Expecting: ANY PRIVATE KEY`. But I don't know which file should have the PRIVATE KEY line.
garethTheRed: If you look at the man page for s_server, you'll see it needs a private key. This can be either embedded in the certificate (passed as `-cert`) or a different file passed as `-key`. The private key will have been created when you generated the certificate.
actomobile: @garethTheRed Adding `-cert` and `-key` works. The command returns `Using default temp DH parameters ACCEPT`. I assume the reason nmap only shows the `TLS_DH_anon_WITH_AES_256_CBC_SHA - F` cipher is because openssl is using DH parameters? If so, how can I change that?
garethTheRed: If you run it again with the `-www` option (lower-case) and then point a browser at it, it'll list the ciphers it's capable of and the ciphers common to it and the browser. That may help you. Also, what is your public key algorithm? The list in your question only has RSA and ECDSA as acceptable key algorithms - I assume you are using one of those?
actomobile: @garethTheRed I'm using RSA as the key algorithm (I think). I'm thinking maybe the problem lies on the outside network? Using the localhost IP when running `nmap` or `s_client` within the server works fine and the ciphers are listed. But when I use the server's public IP the results are the same as the errors above.
actomobile: If I stop the httpd service, I get a different error when I try to access the site over http and https. http returns "Connection was reset" while https still returns the same "NO_CYPHER_OVERLAP". Aren't they supposed to give the same error?
garethTheRed: Then you have something else running which is responding. Run `netstat -tlnp` or `ss -tlnp` (both as root) to see what's listening on those ports.
actomobile: @garethTheRed That seems to be the case. But only httpd is listening on the port. When I stop it, the open port checker shows the port is still open, despite nothing listening on it. Maybe the problem is indeed outside my server.
actomobile: @garethTheRed I found the problem! Turns out it was because the port is simply not forwarded and something else is indeed listening on it. I never considered that, since it showed as open in the open port checker, so I thought it had already been forwarded. Thanks for your help!
Answer (actomobile, score 1):

Turns out the problem isn't in the configuration. The port I'm using is simply not forwarded and something else is listening on it, which makes the open port checker show the port as open. Everything works fine after forwarding the port.
