[TriLUG] TLSv1 from Apache + mod_ssl?
Brian Henning
Brian.Henning at datadirect.com
Thu Aug 6 12:43:27 EDT 2009
...and the rest of the story, since I accidentally clicked Send:
Hi Gang,
I've been trying to secure the business area of my web server in a way
that Opera likes. Opera issues warnings if SSLv3 is used as the
protocol, calling it "outdated" and "insecure." (Neither Chrome nor IE
balk at this...)
At any rate, I compared my site's SSL settings to a site that doesn't
make Opera whine; namely, my personal banking site. The only difference
is protocol:
Banking site: TLS v1.0 128 bit ARC4 (1024 bit RSA/SHA)
My site: SSL v3.0 128 bit ARC4 (1024 bit RSA/SHA)
So, questions:
1) Do I need to worry? and if so...
2) How do I get Apache to talk in TLSv1? Here's my SSLProtocol
directive:
SSLProtocol -all +SSLv3 +TLSv1
If I leave out +SSLv3 (just have -all +TLSv1), IE and Chrome still claim
it's secure, but Opera won't even connect:
Secure connection: fatal error (40) from server. [...] Please note that
some encryption methods are no longer supported, and that access will
not be possible until the Web site has been upgraded to use strong
encryption.
Versions:
Opera: 9.62
httpd: 2.2.3-22
mod_ssl: 2.2.3-22
openssl: 0.9.8e-7
What'm I missing, or should I just not even worry about it?
Thanks!
~Brian
----------------
Brian A. Henning
DataDirect
Support Engineer
888-332-6797
----------------
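An added example, not part of the original post: a small evaluator for the two SSLProtocol lines quoted above, showing which protocols each one leaves enabled on the server side. It assumes mod_ssl 2.2.x semantics (arguments applied left to right, "+" adds, "-" removes, a bare name replaces the set) and that "all" on httpd 2.2.3 means SSLv2, SSLv3 and TLSv1; it says nothing about which protocol a given client then negotiates.

```python
# Added example: evaluates an SSLProtocol argument list the way mod_ssl 2.2.x
# is assumed to (left to right; "+" adds, "-" removes, a bare name replaces).
ALL_2_2 = frozenset({"SSLv2", "SSLv3", "TLSv1"})  # assumed meaning of "all" on httpd 2.2.3
WEAK = frozenset({"SSLv2", "SSLv3"})              # treated as weak here (assumption)

def parse_ssl_protocol(directive, default=ALL_2_2):
    """Return the set of protocols enabled by an SSLProtocol directive line."""
    words = directive.split()
    if words and words[0].lower() == "sslprotocol":
        words = words[1:]
    if not words:
        raise ValueError("SSLProtocol needs at least one argument")
    enabled = set(default)
    canonical = {p.lower(): p for p in ALL_2_2}
    for word in words:
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("", word)
        if name.lower() == "all":
            selected = set(ALL_2_2)
        elif name.lower() in canonical:
            selected = {canonical[name.lower()]}
        else:
            raise ValueError("unknown protocol: %r" % name)
        if action == "+":
            enabled |= selected
        elif action == "-":
            enabled -= selected
        else:
            enabled = selected
    return enabled

def audit(directive):
    """Return (enabled protocols, weak protocols still enabled), both sorted."""
    enabled = parse_ssl_protocol(directive)
    return sorted(enabled), sorted(enabled & WEAK)

if __name__ == "__main__":
    for line in ("SSLProtocol -all +SSLv3 +TLSv1",  # directive from the post
                 "SSLProtocol -all +TLSv1",         # variant tried in the post
                 "SSLProtocol all -SSLv2"):         # constructed comparison
        enabled, weak = audit(line)
        print("%-32s enabled=%s weak=%s" % (line, enabled, weak))
```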