[TriLUG] TLSv1 from Apache + mod_ssl?

Brian Henning Brian.Henning at datadirect.com
Thu Aug 6 12:43:27 EDT 2009


...and the rest of the story, since I accidentally clicked Send:

Hi Gang,

I've been trying to secure the business area of my web server in a way
that Opera likes.  Opera issues warnings if SSLv3 is used as the
protocol, calling it "outdated" and "insecure."  (Neither Chrome nor IE
balk at this...)

At any rate, I compared my site's SSL settings to a site that doesn't
make Opera whine; namely, my personal banking site.  The only difference
is protocol:

Banking site: TLS v1.0 128 bit ARC4 (1024 bit RSA/SHA)

My site:      SSL v3.0 128 bit ARC4 (1024 bit RSA/SHA)

So, questions:
1) Do I need to worry?  and if so...
2) How do I get Apache to talk in TLSv1?  Here's my SSLProtocol
directive:

SSLProtocol -all +SSLv3 +TLSv1

If I leave out +SSLv3 (just have -all +TLSv1), IE and Chrome still claim
it's secure, but Opera won't even connect:

Secure connection: fatal error (40) from server. [...] Please note that
some encryption methods are no longer supported, and that access will
not be possible until the Web site has been upgraded to use strong
encryption.


Versions:
Opera: 9.62
httpd: 2.2.3-22
mod_ssl: 2.2.3-22
openssl: 0.9.8e-7


What'm I missing, or should I just not even worry about it?

Thanks!
~Brian



----------------
Brian A. Henning
   DataDirect
Support Engineer
  888-332-6797
----------------
Find answers in our new knowledgebase:
http://knowledgebase.datadirect.com

Download patches and manage support cases online:
http://www.datadirect.com/support/troubleshooting/reportacase/index.ssp
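
Added example (not part of the message above, and not mod_ssl's own code): a small model of how an SSLProtocol line is evaluated token by token, run over the two directives quoted in the message plus one constructed line. The function names and the meaning of "all" on httpd 2.2.x (SSLv2, SSLv3, TLSv1) are assumptions of this example.

```python
# Added example, not mod_ssl source: models how an SSLProtocol line is read.
ALL_2_2 = ("SSLv2", "SSLv3", "TLSv1")  # assumed meaning of "all" on httpd 2.2.x

def effective_protocols(directive, all_means=ALL_2_2):
    """Return (enabled protocols, warnings) for one SSLProtocol directive."""
    tokens = directive.split()
    if len(tokens) < 2 or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    names = {p.lower(): p for p in all_means}
    enabled, warnings = set(), []
    for tok in tokens[1:]:
        action = tok[0] if tok[0] in "+-" else ""
        word = tok[len(action):].lower()
        if word == "all":
            group = set(all_means)
        elif word in names:
            group = {names[word]}
        else:
            raise ValueError("unknown protocol %r" % tok)
        if action == "+":
            enabled |= group
        elif action == "-":
            enabled -= group
        else:
            # A bare name replaces whatever was set before it.
            if enabled:
                warnings.append("%s has no +/- prefix and overrides earlier tokens" % tok)
            enabled = set(group)
    return [p for p in all_means if p in enabled], warnings

def audit(config_text, all_means=ALL_2_2):
    """Evaluate every SSLProtocol line in a config; comment lines are skipped."""
    results = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.lower().startswith("sslprotocol"):
            results.append((lineno, line) + effective_protocols(line, all_means))
    return results

# Constructed sample: lines 2 and 3 are the directives quoted in the message.
SAMPLE = """\
# ssl.conf fragment (constructed)
SSLProtocol -all +SSLv3 +TLSv1
SSLProtocol -all +TLSv1
SSLProtocol +TLSv1 SSLv3
"""

if __name__ == "__main__":
    for lineno, line, enabled, warnings in audit(SAMPLE):
        print(lineno, line, "->", enabled or "nothing enabled", warnings)
```

Both quoted directives leave TLSv1 enabled on the server side; which enabled version a given connection uses is settled in the handshake with the client.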

