Feb 21 2007


If you want to install Apache2 with SSL support, check here. Once you have everything ready, you need to configure SSL for good security.

SSL is the best known and most popular protocol, but it is not the only one that has been used to secure web transactions. It is important to know that since the invention of SSL v1.0 (which was never released, by the way) there have been at least five protocols that have played a more or less important role in securing access to the World Wide Web, as we see below:

SSL v2.0

Released by Netscape Communications in 1994. The main goal of this protocol was to provide security for transactions over the World Wide Web. Unfortunately, a number of security weaknesses were very quickly found in this initial version of the SSL protocol, making it less reliable for commercial use:

weak MAC construction

possibility of forcing parties to use weaker encryption

no protection for handshakes

possibility of an attacker performing truncation attacks

SSL v3.0

Released in 1996 by Netscape Communications. SSL v3.0 solved most of the SSL v2.0 problems and incorporated many of the features of PCT. It quickly became the most popular protocol for securing communication over the WWW.

TLS v1.0 (also known as SSL v3.1)

Published by the IETF in 1999 (RFC 2246). This protocol is based on SSL v3.0 and PCT and harmonizes Netscape's and Microsoft's approaches. It is important to note that although TLS is based on SSL, it is not 100% backward compatible with its predecessor. The IETF made some security improvements, such as using HMAC instead of MAC, a different calculation of the master secret and key material, additional alert codes, no support for Fortezza cipher suites, and so on. The end result of these improvements is that the two protocols don't fully interoperate. Fortunately, TLS also has a mode to fall back to SSL v3.0.

Configuring SSLv3 and TLSv1 in Apache Hosts

If you want to enable SSL version 3 and TLS v1.0 for better security, add the following line under the SSL section of your Apache virtual host configuration file:

SSLProtocol -all +SSLv3 +TLSv1

Once you have added this line, restart your Apache web server with the following command:

# /etc/init.d/apache2 restart

Testing your SSL Version

To check the SSL version details of a particular host, use the following command:

# openssl s_client -connect localhost:443

Replace localhost with your website's hostname.

The output looks like this:

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
Session-ID: 62EA68A5750511917CC42A1B134A8F218C27C9C0241C35C53977A2A8BBB9986A
Master-Key: 303B60D625B020280F5F346AB00F8A61A7C4BEA707DFA0ED8D2F52371F8C4F087FB6EFFC02CE3B48F912D2C8929DB5BE
Key-Arg : None
Start Time: 1101164382
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
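The summary block above is what an administrator reads to confirm which protocol was actually negotiated. The following script is an added example, not from the original post: it parses that s_client summary (the sample embedded here is constructed from the output shown above) and reports the points a defender would check, namely whether SSLv3 rather than TLSv1 was negotiated, the server key size, and the certificate verification result. The `probe` helper that runs openssl against a live host is an assumption about how you would feed real output into the parser.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed sample: the s_client summary block shown on this page.
SAMPLE_OUTPUT = """New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
Verify return code: 18 (self signed certificate)
"""

@dataclass
class HandshakeSummary:
    protocol: str
    cipher: str
    key_bits: int
    verify_code: int
    verify_text: str

def parse_s_client(output: str) -> HandshakeSummary:
    """Pull the handshake summary fields out of `openssl s_client` text."""
    def grab(pattern: str) -> "re.Match":
        m = re.search(pattern, output, re.MULTILINE)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return m
    proto = grab(r"^Protocol\s*:\s*(\S+)").group(1)
    cipher = grab(r"^Cipher\s*:\s*(\S+)").group(1)
    bits = int(grab(r"^Server public key is (\d+) bit").group(1))
    v = grab(r"^Verify return code:\s*(\d+)\s*\((.*)\)")
    return HandshakeSummary(proto, cipher, bits, int(v.group(1)), v.group(2))

def findings(s: HandshakeSummary) -> list:
    """List what a reviewer of this handshake would want to know."""
    out = []
    if s.protocol == "SSLv3":
        out.append("negotiated SSLv3 rather than TLSv1")
    if s.key_bits < 2048:  # 2048 bits is the current minimum guidance
        out.append(f"server key is only {s.key_bits} bits")
    if s.verify_code != 0:
        out.append(f"certificate not verified: {s.verify_text}")
    return out

def probe(host: str, port: int = 443) -> HandshakeSummary:
    """Run s_client against a live host (assumed helper, not used offline)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=15)
    return parse_s_client(proc.stdout.decode(errors="replace"))
```

Running `findings(probe("www.example.com"))` against a real host gives the same three-point checklist for a live handshake.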


 Posted by at 5:14 pm

  One Response to “How to Enable SSL version 3 and TLS (Transport Layer Security) version 1 in Apache hosts”

  1. Hi

    My web browsers can't connect to my https server because of the security problem with SSL v3.0.

    I am trying to add SSL 3.1 (with TLS).

    I changed the two lines in ssl-global.conf and restarted Apache, but the result is still the same:

    Moodle:/etc/apache2 # openssl s_client -connect localhost:443
    socket: Connection refused

    If you have some ideas...

    Thank you in advance
