Score:0

TLS 1.0 expiry [ERR_SSL_VERSION_OR_CIPHER_MISMATCH] on Apache 2.2.8

W.I

I have some legacy web applications running over Apache 2.2.8 and openssl 0.9.7a. I have started receiving ERR_SSL_VERSION_OR_CIPHER_MISMATCH on the latest browsers. Multiple virtual hosts are configured on the Apache, and I do not want to upgrade the Apache server due to legacy code.

Is there any solution to front my Apache webserver with proxy to support TLS 1.2 to avoid this error?

Score:0

Yes, you can certainly front your server with another that is more capable. This is common practice in enterprise environments, particularly when you have deployments on legacy platforms.

The terminology you're looking for is 'reverse-proxying', and it's not something you get without repercussions.

You'll need to know the following:

  • Knowledge about HTTP, particularly about request headers such as Host and X-Forwarded-For etc.
  • Understanding how the traffic flow will change (the originating server would start seeing traffic from the reverse-proxy)
  • How to configure your originating server/application to work correctly behind a reverse-proxy. This would include a) access logging; b) correct formulation of links, if the application were to create self-referring links to itself; c) any IP-related access-control decisions made by the application.

In theory, setting up a reverse-proxy is not difficult... but it is often done poorly when you don't tend to your plumbing, and you can end up with operational issues such as redirection loops as well as security / auditability issues.

You likely have this on a single server already (otherwise you'd likely already have a reverse-proxy); so serious consideration should be given to just replatforming the application onto a supported platform, particularly if you're new to reverse-proxying.

Reverse-proxying does have other benefits though:

  • The ability to filter traffic before it gets to your originating server;
  • The ability to have static assets served by a capable web-server; reducing load on your originating server;
  • The ability to cache traffic; reducing load on your originating server;
  • The ability to inject other intermediaries, such as Web Application Firewalls (WAFs), Content Delivery Networks (CDNs), authentication (e.g. SSO, MFA) etc.

Good luck, and good testing!

mangohost
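As an added illustration of point (c) in the answer above (IP-related access-control decisions once the originating server only sees the reverse-proxy's address), here is example code that is not part of the answer or of any project: a small Python helper that resolves the real client address from X-Forwarded-For only when the TCP peer is a trusted proxy, walking the header from the right so that values a client could inject on the left are never trusted. The proxy address 10.0.0.5 and the client addresses are constructed for the example; `client_ip` and `allowed` are hypothetical names.

```python
import ipaddress

# Constructed example: the reverse proxy sitting in front of the legacy Apache.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _is_trusted(addr, trusted):
    """True if addr parses as an IP address inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Resolve the real client address behind a reverse proxy.

    remote_addr is the TCP peer the origin server sees; xff_header is the raw
    X-Forwarded-For value (or None). The header is honoured only when the peer
    is a trusted proxy, and it is walked right-to-left: hops appended by trusted
    proxies are skipped, and the first untrusted hop is the client. Anything
    further left was supplied by the client itself and is ignored.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr  # direct connection: the header is attacker-controlled
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            return hop
    return remote_addr  # header absent, empty, or made up only of trusted hops


def allowed(remote_addr, xff_header, allow_nets, trusted=TRUSTED_PROXIES):
    """Access-control decision on the resolved client address, not the proxy's."""
    try:
        addr = ipaddress.ip_address(client_ip(remote_addr, xff_header, trusted))
    except ValueError:
        return False  # unparsable hop value: fail closed
    return any(addr in net for net in allow_nets)
```

A proxy that overwrites rather than appends X-Forwarded-For makes the right-to-left walk unnecessary but not harmful; the trusted-peer check on `remote_addr` is the part that must not be skipped.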
