The Apache Haus Forum

Forum Topics => Apache 2.2 => Topic started by: Nitish_Johar on November 17, 2015, 04:38:34 PM

Title: SSLProtocol: Illegal protocol 'TLSv1.1'
Post by: Nitish_Johar on November 17, 2015, 04:38:34 PM
Hi,
I've been facing an issue while enabling TLSv1.1 & TLSv1.2.

Error: SSLProtocol: Illegal protocol 'TLSv1.1'

Earlier I was using the details below:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA

Apache version:  Apache/2.2.24 (Unix)
OpenSSL 1.0.1e-fips

Please do let me know what can be done to enable TLSv1.1 & 1.2 successfully.

Thanks,
Nitish

Title: Re: SSLProtocol: Illegal protocol 'TLSv1.1'
Post by: mario on November 17, 2015, 05:39:26 PM
You can use

Code:
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15553000"
</IfModule>
SSLUseStapling off
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS

Adjust the path for the session cache.

Title: Re: SSLProtocol: Illegal protocol 'TLSv1.1'
Post by: Nitish_Johar on November 18, 2015, 05:25:27 PM
Do I need to upgrade the OpenSSL version too? As TLSv1.1 supports OpenSSL 1.0.1 and upper versions and I have OpenSSL/1.0.0e configured on my machine.

So is the OpenSSL upgrade required? Or is there any other workaround to enable TLSv1.1?

Apache version:  Apache/2.2.24 (Unix)

Title: Re: SSLProtocol: Illegal protocol 'TLSv1.1'
Post by: mario on November 20, 2015, 06:19:06 PM
The +TLSv1.1 does that job. Your config wasn't right. The +TLSv1 enables only TLS 1.0.
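
An added example, not part of the thread: the thread quotes two different OpenSSL versions (1.0.1e-fips and OpenSSL/1.0.0e), and whether mod_ssl accepts `+TLSv1.1` depends on which one it is built against. This POSIX shell script classifies a version line, assuming TLS 1.1/1.2 support begins with OpenSSL 1.0.1; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version line for TLSv1.1/TLSv1.2 support.
# Assumption: TLS 1.1 and 1.2 first appear in OpenSSL 1.0.1; with an older
# library mod_ssl is built without the names used in "SSLProtocol +TLSv1.1".

# Print the OpenSSL version token in a line, e.g. "1.0.0e" or "1.0.1e-fips".
# Handles the "OpenSSL/x.y.z" banner form and the "OpenSSL x.y.z" form.
openssl_token() {
    printf '%s\n' "$1" | sed -n 's|.*OpenSSL[/ ]\([0-9][0-9A-Za-z.-]*\).*|\1|p'
}

# Exit status: 0 if version >= 1.0.1, 1 if older, 2 if it cannot be parsed.
# The body is a subshell so its variables stay local (POSIX sh has no "local").
has_tls11_12() (
    v=${1%%-*}                    # drop build suffix: "1.0.1e-fips" -> "1.0.1e"
    IFS=. read -r major minor patch <<EOF
$v
EOF
    patch=${patch%%[!0-9]*}       # drop letter release: "0e" -> "0"
    patch=${patch:-0}
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) exit 2 ;; esac
    done
    [ "$major" -gt 1 ] && exit 0
    [ "$major" -eq 1 ] && [ "$minor" -gt 0 ] && exit 0
    [ "$major" -eq 1 ] && [ "$patch" -ge 1 ] && exit 0
    exit 1
)

# Print "supported", "too-old" or "unknown" for a banner or version line.
tls_verdict() (
    tok=$(openssl_token "$1")
    rc=0
    has_tls11_12 "$tok" || rc=$?
    case $rc in
        0) echo supported ;;
        1) echo too-old ;;
        *) echo unknown ;;
    esac
)

# Constructed inputs, built from the two version strings quoted in the thread.
for line in \
    'Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.0e configured' \
    'OpenSSL 1.0.1e-fips'; do
    printf '%-10s %s\n' "$(tls_verdict "$line")" "$line"
done
```

Feed it the library version mod_ssl reports in Apache's startup line rather than the output of the `openssl` binary on the PATH, since the two can differ.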