У меня возникают проблемы при попытке отключить TLS 1.0 на Apache, как описано здесь:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol

$ apache2 -v
Server version: Apache/2.2.22 (Ubuntu)
Server built:   Mar  5 2015 18:10:09

$ apt-cache policy apache2
apache2:
  Installed: 2.2.22-1ubuntu1.8

$ openssl version -b -v
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 27 17:53:56 UTC 2015

$ apt-cache policy openssl
openssl:
  Installed: 1.0.1-4ubuntu5.27

Вот другие изменения, связанные с SSL, которые я сделал:

SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!DH

При запуске Apache с этим в /etc/apache2/mods-enabled/ssl.conf

SSLProtocol +TLSv1.1 +TLSv1.2

Результат:

Syntax error on line 62 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.1'
Action 'configtest' failed.
The Apache error log may have more information.
   ...fail!

При запуске Apache с этим в /etc/apache2/mods-enabled/ssl.conf:

SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1

Я установил LogLevel для временной отладки, и вот выход журнала после того, как apache не запускается:

[Tue May 26 10:02:44 2015] [info] removed PID file /var/run/apache2.pid (pid=17793)
[Tue May 26 10:02:44 2015] [notice] caught SIGTERM, shutting down
[Tue May 26 10:02:45 2015] [info] Init: Seeding PRNG with 656 bytes of entropy
[Tue May 26 10:02:45 2015] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue May 26 10:02:45 2015] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue May 26 10:02:45 2015] [info] Init: Initializing (virtual) servers for SSL

При запуске Apache с этим в /etc/apache2/mods-enabled/ssl.conf:

SSLProtocol ALL -SSLv2 -SSLv3

Успешно запускается с этим сообщением об ошибке:

[Tue May 26 10:03:04 2015] [info] Init: Seeding PRNG with 656 bytes of entropy
[Tue May 26 10:03:04 2015] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue May 26 10:03:04 2015] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue May 26 10:03:04 2015] [info] Init: Initializing (virtual) servers for SSL
[Tue May 26 10:03:04 2015] [info] mod_ssl/2.2.22 compiled against Server: Apache/2.2.22, Library: OpenSSL/1.0.1
[Tue May 26 10:03:04 2015] [info] Init: Seeding PRNG with 656 bytes of entropy
[Tue May 26 10:03:04 2015] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue May 26 10:03:04 2015] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(253): shmcb_init allocated 524288 bytes of shared memory
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(272): for 524208 bytes (524288 including header), recommending 32 subcaches, 136 indexes each
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(306): shmcb_init_memory choices follow
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(308): subcache_num = 32
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(310): subcache_size = 16376
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(312): subcache_data_offset = 3280
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(314): subcache_data_size = 13096
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(316): index_num = 136
[Tue May 26 10:03:04 2015] [info] Shared memory session cache initialised
[Tue May 26 10:03:04 2015] [info] Init: Initializing (virtual) servers for SSL
[Tue May 26 10:03:04 2015] [info] mod_ssl/2.2.22 compiled against Server: Apache/2.2.22, Library: OpenSSL/1.0.1
[Tue May 26 10:03:04 2015] [notice] Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1 configured -- resuming normal operations
[Tue May 26 10:03:04 2015] [info] Server built: Mar  5 2015 18:10:09
[Tue May 26 10:03:04 2015] [debug] prefork.c(1023): AcceptMutex: sysvsem (default: sysvsem)

Документация apache неверна? Apache каким-то образом использует более старую версию openssl и, следовательно, не принимает новые флаги протокола? Что еще я могу попробовать здесь?

|источник

0