У меня возникают проблемы при попытке отключить TLS 1.0 на Apache, как описано здесь:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol
$ apache2 -v
Server version: Apache/2.2.22 (Ubuntu)
Server built: Mar 5 2015 18:10:09
$ apt-cache policy apache2
apache2:
Installed: 2.2.22-1ubuntu1.8
$ openssl version -b -v
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 27 17:53:56 UTC 2015
$ apt-cache policy openssl
openssl:
Installed: 1.0.1-4ubuntu5.27
Вот другие изменения, связанные с SSL, которые я сделал:
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!DH
При запуске Apache с этим в /etc/apache2/mods-enabled/ssl.conf
SSLProtocol +TLSv1.1 +TLSv1.2
Результат:
Syntax error on line 62 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.1'
Action 'configtest' failed.
The Apache error log may have more information.
...fail!
При запуске Apache с этим в /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1
Я установил LogLevel для временной отладки, и вот выход журнала после того, как apache не запускается:
[Tue May 26 10:02:44 2015] [info] removed PID file /var/run/apache2.pid (pid=17793)
[Tue May 26 10:02:44 2015] [notice] caught SIGTERM, shutting down
[Tue May 26 10:02:45 2015] [info] Init: Seeding PRNG with 656 bytes of entropy
[Tue May 26 10:02:45 2015] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue May 26 10:02:45 2015] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue May 26 10:02:45 2015] [info] Init: Initializing (virtual) servers for SSL
При запуске Apache с этим в /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol ALL -SSLv2 -SSLv3
Успешно запускается с этим сообщением об ошибке:
[Tue May 26 10:03:04 2015] [info] Init: Seeding PRNG with 656 bytes of entropy
[Tue May 26 10:03:04 2015] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue May 26 10:03:04 2015] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue May 26 10:03:04 2015] [info] Init: Initializing (virtual) servers for SSL
[Tue May 26 10:03:04 2015] [info] mod_ssl/2.2.22 compiled against Server: Apache/2.2.22, Library: OpenSSL/1.0.1
[Tue May 26 10:03:04 2015] [info] Init: Seeding PRNG with 656 bytes of entropy
[Tue May 26 10:03:04 2015] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue May 26 10:03:04 2015] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(253): shmcb_init allocated 524288 bytes of shared memory
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(272): for 524208 bytes (524288 including header), recommending 32 subcaches, 136 indexes each
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(306): shmcb_init_memory choices follow
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(308): subcache_num = 32
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(310): subcache_size = 16376
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(312): subcache_data_offset = 3280
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(314): subcache_data_size = 13096
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(316): index_num = 136
[Tue May 26 10:03:04 2015] [info] Shared memory session cache initialised
[Tue May 26 10:03:04 2015] [info] Init: Initializing (virtual) servers for SSL
[Tue May 26 10:03:04 2015] [info] mod_ssl/2.2.22 compiled against Server: Apache/2.2.22, Library: OpenSSL/1.0.1
[Tue May 26 10:03:04 2015] [notice] Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1 configured -- resuming normal operations
[Tue May 26 10:03:04 2015] [info] Server built: Mar 5 2015 18:10:09
[Tue May 26 10:03:04 2015] [debug] prefork.c(1023): AcceptMutex: sysvsem (default: sysvsem)
Документация apache неверна? Apache каким-то образом использует более старую версию openssl и, следовательно, не принимает новые флаги протокола? Что еще я могу попробовать здесь?