SSLProtocol: Illegal protocol 'TLSv1.1'

Started by Nitish_Johar, November 17, 2015, 04:38:34 PM

Nitish_Johar

Hi,
I've been facing an issue while enabling TLSv1.1 & TLSv1.2.

Error: SSLProtocol: Illegal protocol 'TLSv1.1'

Earlier I was using the details below:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA

Apache version:  Apache/2.2.24 (Unix)
OpenSSL 1.0.1e-fips

Please let me know what can be done to enable TLSv1.1 & 1.2 successfully.

Thanks,
Nitish

mario

You can use


<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=15553000"
</IfModule>
SSLUseStapling off
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS


Adjust the path for the session cache

Nitish_Johar

Do I need to upgrade the OpenSSL version too, as TLSv1.1 supports OpenSSL 1.0.1 and upper versions and I have OpenSSL/1.0.0e configured on my machine?

So is the OpenSSL upgrade required? Or is there any other workaround to enable TLSv1.1?

Apache version:  Apache/2.2.24 (Unix)

mario

The +TLSv1.1 does that job. Your config wasn't right. The +TLSv1 enables only TLS 1.0.
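
Added example (not from any poster in this thread): a small Python model of how an SSLProtocol line resolves against the OpenSSL release that mod_ssl was built with, run over the two configurations and the two OpenSSL versions quoted above. The function names and the handling of a bare protocol name are assumptions of this sketch; TLSv1.1 and TLSv1.2 are taken to need OpenSSL 1.0.1 or later.

```python
import re

# Protocol names and the first OpenSSL release providing each
# ((0, 0, 0) = any release). TLSv1.1/TLSv1.2 arrived with OpenSSL 1.0.1.
MIN_OPENSSL = {"SSLv2": (0, 0, 0), "SSLv3": (0, 0, 0), "TLSv1": (0, 0, 0),
               "TLSv1.1": (1, 0, 1), "TLSv1.2": (1, 0, 1)}
DEPRECATED = {"SSLv2", "SSLv3"}


def openssl_version(banner):
    """Extract (major, minor, fix) from e.g. 'OpenSSL 1.0.1e-fips'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no version in %r" % banner)
    return tuple(int(x) for x in m.groups())


def evaluate(directive, banner):
    """Return (enabled, illegal, deprecated) for one SSLProtocol line.

    banner must describe the OpenSSL that mod_ssl is built against,
    which can differ from the `openssl` binary found on PATH.
    """
    ver = openssl_version(banner)
    known = {n.lower(): n for n in MIN_OPENSSL}
    available = {n for n, need in MIN_OPENSSL.items() if ver >= need}
    enabled, illegal = set(), []
    for token in directive.split()[1:]:          # skip the directive name
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):]
        if name.lower() == "all":
            chosen = set(available)
        elif known.get(name.lower()) in available:
            chosen = {known[name.lower()]}
        else:
            illegal.append(name)   # reported as: Illegal protocol '<name>'
            continue
        if sign == "-":
            enabled -= chosen
        elif sign == "+":
            enabled |= chosen
        else:                      # assumption: a bare name replaces the set
            enabled = chosen
    return sorted(enabled), illegal, sorted(enabled & DEPRECATED)


if __name__ == "__main__":
    for line, ssl in [("SSLProtocol -ALL +SSLv3 +TLSv1", "OpenSSL 1.0.1e-fips"),
                      ("SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2", "OpenSSL/1.0.0e")]:
        print(line, "|", ssl, "->", evaluate(line, ssl))
```

The version of OpenSSL that mod_ssl actually loaded is normally printed in the Apache error log startup line, which is the value to feed into `banner`.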