Old 10-10-2017, 05:56 AM   #1
aneesh.tm
LQ Newbie
 
Registered: Oct 2017
Posts: 3

SSLProtocol: Illegal protocol '"TLSv1.1"'


Hi All,

I am using Red Hat 7.3 / Apache 2.2.29 / OpenSSL 1.0.1e-fips

I have to remediate a vulnerability (SSL/TLS server supports TLSv1.0) in Apache. I tried to add the line "SSLProtocol All -SSLv2 -SSLv3 -TLSv1" to my httpd.conf file and restarted httpd, but it throws the error below.

Error : SSLProtocol: Illegal protocol '"TLSv1.1"'

Can anyone help me in this regard?


Regards,

Aneesh
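The directive syntax and the error message in the question can be checked before restarting httpd. The Python script below is an added example for this thread, not code posted by anyone in it or shipped with Apache: it re-implements mod_ssl's parsing rules for SSLProtocol (a bare token replaces the set, "+" adds, "-" removes, names are case-insensitive, any other token is rejected with the "Illegal protocol" message), computes which versions each directive leaves negotiable, and flags directives that still allow SSLv2, SSLv3 or TLSv1.0. The protocol list assumes httpd 2.2.23+/2.4 built against OpenSSL 1.0.x (no TLSv1.3), and the httpd.conf fragment is constructed; its second virtual host shows one way a token can reach mod_ssl with quote characters still attached, which produces the same message as the error quoted above.

```python
"""Audit SSLProtocol directives in an httpd.conf for lingering SSLv2/SSLv3/TLSv1.0,
mirroring how mod_ssl parses the directive (added example, not Apache's own code)."""
import re

# Protocol names mod_ssl accepts in httpd 2.2.23+ / 2.4 built against OpenSSL 1.0.x.
# Assumption: no TLSv1.3 on this build (httpd 2.4.36+ with OpenSSL 1.1.1); add it here
# when auditing such a server.
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
ALL_PROTOCOLS = frozenset(KNOWN_PROTOCOLS)      # what the keyword "all" expands to
_BY_LOWER = {p.lower(): p for p in KNOWN_PROTOCOLS}

# Versions a remediated server must not negotiate.
DEPRECATED = frozenset({"SSLv2", "SSLv3", "TLSv1"})

_DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def _tokenize(arg):
    """Split like Apache's config tokenizer: whitespace-separated words; a word that
    *starts* with a quote loses its surrounding quotes; a word such as +"TLSv1.1"
    (quote after the prefix) is passed through with the quotes kept."""
    words = []
    for raw in arg.split():
        if len(raw) >= 2 and raw[0] in "\"'" and raw[-1] == raw[0]:
            raw = raw[1:-1]
        words.append(raw)
    return words


def parse_sslprotocol(arg):
    """Return (frozenset of enabled protocols, list of warnings) for one directive
    argument: '+' adds, '-' removes, a bare token replaces the whole set, names are
    case-insensitive, and an unknown token is fatal (httpd would refuse to start)."""
    enabled = set()
    warnings = []
    for word in _tokenize(arg):
        action = ""
        if word and word[0] in "+-":
            action, word = word[0], word[1:]
        key = word.lower()
        if key == "all":
            this = set(ALL_PROTOCOLS)
        elif key in _BY_LOWER:
            this = {_BY_LOWER[key]}
        else:
            # Same wording mod_ssl reports for an unrecognised token.
            raise ValueError("SSLProtocol: Illegal protocol '%s'" % word)
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            if enabled:
                warnings.append("'%s' replaces the protocols set before it; "
                                "is a +/- prefix missing?" % word)
            enabled = this
    return frozenset(enabled), warnings


def audit_config(text):
    """Return one (line number, status, detail) tuple per SSLProtocol directive in the
    configuration text; status is 'ok', 'weak', 'error' or 'warning'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        match = _DIRECTIVE.match(line)
        if not match:
            continue
        try:
            enabled, warnings = parse_sslprotocol(match.group(1))
        except ValueError as exc:
            findings.append((lineno, "error", str(exc)))
            continue
        weak = sorted(enabled & DEPRECATED)
        if weak:
            findings.append((lineno, "weak", "still negotiable: " + ", ".join(weak)))
        else:
            findings.append((lineno, "ok", "negotiable: " + ", ".join(sorted(enabled))))
        for warning in warnings:
            findings.append((lineno, "warning", warning))
    return findings


# Constructed httpd.conf fragment (not from any real server). The 8443 host carries a
# token mod_ssl cannot recognise because the quotes stay attached to the protocol name.
SAMPLE_CONF = """\
# constructed sample, three virtual hosts
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1
</VirtualHost>
<VirtualHost *:8443>
    SSLEngine on
    SSLProtocol -all +"TLSv1.1" +"TLSv1.2"
</VirtualHost>
<VirtualHost *:9443>
    SSLEngine on
    SSLProtocol all
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, status, detail in audit_config(SAMPLE_CONF):
        print("line %d: %s: %s" % (lineno, status.upper(), detail))
```

Run it against a real httpd.conf by passing the file contents to audit_config; a directive reported as "error" is one httpd itself will reject at startup, and a "weak" one still leaves TLSv1.0 (or older) negotiable, which is exactly what the scanner in the question flagged.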
 
Old 10-10-2017, 07:16 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 19,277

Quote (originally posted by aneesh.tm):
Hi All,

I am using Red Hat 7.3 / Apache 2.2.29 / OpenSSL 1.0.1e-fips. I have to remediate a vulnerability (SSL/TLS server supports TLSv1.0) in Apache. I tried to add the line "SSLProtocol All -SSLv2 -SSLv3 -TLSv1" to my httpd.conf file and restarted httpd, but it throws the error below.

Error : SSLProtocol: Illegal protocol '"TLSv1.1"'

Can anyone help me in this regard?
Yes, Red Hat support can help you. Since you're using RHEL 7.3, you are PAYING FOR IT, RIGHT??? Since you are, they will be able to assist you easily. If not, you will not be able to run the necessary yum commands to install the updated/patched/fixed files needed to address your error. You need to run
Code:
yum install mod_ssl
...which you will be unable to do if you're not paying for RHEL.
 
Old 10-12-2017, 01:43 AM   #3
aneesh.tm
LQ Newbie
 
Registered: Oct 2017
Posts: 3

Original Poster
Tried to install mod_ssl using yum, but it's asking to install the dependencies below.
Looking at the dependencies, it's like we are upgrading Apache as well.
Is there a way we can install mod_ssl without upgrading Apache?

Code:
Package      Arch    Version         Repository                    Size
================================================================================
Installing:
 mod_ssl     x86_64  1:2.4.6-40.el7  redhat_base                   103 k
Installing for dependencies:
 apr         x86_64  1.4.8-3.el7     PatchBundle-nonreboot-Q3FY17  103 k
 apr-util    x86_64  1.5.2-6.el7     PatchBundle-nonreboot-Q3FY17   92 k
 httpd       x86_64  2.4.6-40.el7    PatchBundle-reboot-Q3FY16     1.2 M
 httpd-tools x86_64  2.4.6-40.el7    PatchBundle-reboot-Q3FY16      82 k
 
Old 10-12-2017, 09:58 AM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 19,277

Quote (originally posted by aneesh.tm):
Tried to install mod_ssl using yum, but it's asking to install the dependencies below.
Looking at the dependencies, it's like we are upgrading Apache as well.
Is there a way we can install mod_ssl without upgrading Apache?

Code:
Package      Arch    Version         Repository                    Size
================================================================================
Installing:
 mod_ssl     x86_64  1:2.4.6-40.el7  redhat_base                   103 k
Installing for dependencies:
 apr         x86_64  1.4.8-3.el7     PatchBundle-nonreboot-Q3FY17  103 k
 apr-util    x86_64  1.5.2-6.el7     PatchBundle-nonreboot-Q3FY17   92 k
 httpd       x86_64  2.4.6-40.el7    PatchBundle-reboot-Q3FY16     1.2 M
 httpd-tools x86_64  2.4.6-40.el7    PatchBundle-reboot-Q3FY16      82 k
Again, this is the reason you need to call Red Hat support, since you're paying for it. And things like yum and other package managers exist so that you keep a stable system. Upgrading one thing that needs OTHER upgrades keeps your system stable. While you probably can go trace down the source code and maybe (?) build/install it, what is the point???

Upgrade using the recommended tools, keep your system stable.
 
Old 10-12-2017, 09:59 AM   #5
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 8,629
Blog Entries: 4

When any two parties begin an encrypted communication session, the process begins with a negotiation in which the two parties (securely) propose the cipher suite that they will use, then the session keys that they will (initially) use. This negotiation process is transparent to you. The two parties should automatically settle on the "strongest" algorithms that they can find. They can also decline negotiations with a party that can't make an offer strong enough to suit them, and this seems to be what is happening here.

My guess is that the party on one side of this connection-negotiation is proposing to use a version of the TLS cipher protocol that is too old. It should be proposing at least TLS-1.2 and this should be accepted. Maybe your version of ssh is set up so that it purposely will not accept the older version. The real question is ... why is the other party even proposing to use it? Are the versions of ssh(d) on both sides up-to-date?

If you're running a current and up-to-date Red Hat on one side, my intuition is that the problem lies with the other party.

(P.S.: "TLS" is the successor to "SSL = Secure Sockets Layer," which is no longer used, but you will still often find the term, "SSL," being used colloquially.)

Last edited by sundialsvcs; 10-12-2017 at 10:03 AM.
 
Old 10-13-2017, 12:28 AM   #6
stefan6
LQ Newbie
 
Registered: Oct 2017
Posts: 2

Similar problem here. Thank you for your quick responses. It really helps!
 
Old 10-13-2017, 09:31 AM   #7
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 8,629
Blog Entries: 4

Also – the only reason I can think of for Apache to be a dependency is ... well, it's actually a good one:

"Since you are upgrading the SSL library, Apache's mod_ssl must also be updated, so that it can understand and use the new version that you are now installing."

So, no, I don't think that you can avoid the Apache dependency, and in fact you should not: "the distro authors were correct to list it." Just let the update process do what it wishes to do.
 
Old 10-23-2017, 02:54 AM   #8
aneesh.tm
LQ Newbie
 
Registered: Oct 2017
Posts: 3

Original Poster
I tried installing the mod_ssl RPM package from Red Hat using yum, but it didn't help.

I still get the same error.

Also I noticed that the httpd that is installed on my systems is open source, not from Red Hat.

Not sure how to resolve this issue.
 
Old 10-23-2017, 07:16 AM   #9
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 19,277

Quote (originally posted by aneesh.tm):
I tried installing the mod_ssl RPM package from Red Hat using yum, but it didn't help.
I still get the same error. Also I noticed that the httpd that is installed on my systems is open source, not from Red Hat. Not sure how to resolve this issue.
You CALL RED HAT SUPPORT, that's how. Just because you pay for support/updates, doesn't mean that every single package on your system is only from Red Hat. You pay them for stability, testing, certification, and support. If you installed from the Red Hat repositories, that means you're paying for RHEL. If you are paying, you get support; call them.