Submitted by watermark on Thu, 10/16/2014 - 12:52 Pro Licensee
Some recent update started putting "SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2" in our virtualserver configs. "configtest" fails with the message "SSLProtocol: Illegal protocol 'TLSv1.1'". I'm assuming that that option isn't supported in the default versions of apache/openssl in Ubuntu 12.04.
Ubuntu 12.04 has Apache 2.2.22 and OpenSSL 1.0.1.
Status:
Closed (fixed)
Comments
Submitted by andreychek on Thu, 10/16/2014 - 13:00 Comment #1
Howdy -- hmm, can you describe how to reproduce that issue?
When is that occurring -- when new domains are added? When Virtualmin is first installed? Or does that occur after enabling SSL?
So far I haven't been able to reproduce that, but hearing how you're able to trigger it might help. Thanks!
Submitted by watermark on Thu, 10/16/2014 - 13:07 Pro Licensee Comment #2
Thanks for the quick reply.
Due to recent security bulletins, we went in to disable SSLv3. On an SSL-enabled site, go to "Services", "Configure Website for SSL", "SSL Options". Uncheck "SSLv2" and "SSLv3" so only TLSv1, TLSv1.1, and TLSv1.2 are still checked. It should generate the line "SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2" in your config, which, evidently, is invalid on Ubuntu 12.04.
Submitted by andreychek on Thu, 10/16/2014 - 13:17 Comment #3
Jamie, according to the Apache documentation, you can use the "TLSv1.1" and "TLSv1.2" options in "SSLProtocol" so long as you have openssl 1.0.1 or newer.
However, some Googling I've done suggests that you also need Apache 2.2.23 or higher to support those two protocols, although that's not mentioned in the Apache documentation.
I suspect that's the issue we're seeing here -- Ubuntu 12.04 only comes with Apache 2.2.22, which may not support "TLSv1.1" and "TLSv1.2".
Submitted by watermark on Thu, 10/16/2014 - 13:26 Pro Licensee Comment #4
If it's of any help, we worked around the issue by using "SSLProtocol ALL -SSLv2 -SSLv3". I've verified that this config disables SSLv2 and SSLv3, and leaves TLS 1.0-1.2 enabled.
Submitted by andreychek on Thu, 10/16/2014 - 13:29 Comment #5
Yeah, that's the best way to handle it for the time being.
I suspect what Jamie may do for the future is to prevent certain options from being enabled if they aren't supported, but we'll see what he says about that.
Submitted by JamieCameron on Thu, 10/16/2014 - 15:03 Comment #6
Yeah, that seems like the best option.
In Apache versions below 2.2.23, what is the name of the SSLProtocol option to allow TLS though?
Submitted by watermark on Thu, 10/16/2014 - 16:03 Pro Licensee Comment #7
I just ran my own tests and "-All +TLSv1" enables 1.0-1.2 in Apache 2.2.22. Feel free to verify. I believe this means that there is no method to enable 1.2 while having 1.0 disabled.
So I believe the best way of handling this is to remove the ability to toggle 1.1 and 1.2 from Apache < 2.2.23, and rename TLSv1 to something like TLSv1.x.
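A version-gated way to pick the directive, as an added example that is not part of this thread or of Virtualmin's own code: it follows the rule worked out in comments #4 and #7 (Apache below 2.2.23 rejects the TLSv1.1/TLSv1.2 tokens, so use the "ALL -SSLv2 -SSLv3" form there). The function names and the `apache2 -v` output format are assumptions.

```shell
#!/bin/sh
# Added example, not Virtualmin code. Chooses an SSLProtocol value that
# disables SSLv2/SSLv3 but still passes configtest on older Apache 2.2.

# parse_apache_version TEXT: extract "2.2.22" from a line such as
# "Server version: Apache/2.2.22 (Ubuntu)" (format assumed from apache2 -v).
parse_apache_version() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p'
}

# version_number VERSION: encode major.minor.patch as one integer so that
# shell arithmetic can compare releases, e.g. 2.2.22 -> 2002022.
version_number() {
    major=$(printf '%s' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
    patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
}

# ssl_protocol_line VERSION: print the SSLProtocol value for that Apache.
# Below 2.2.23 the TLSv1.1/TLSv1.2 tokens are illegal, so the subtractive
# form is used; it leaves TLS 1.0-1.2 enabled on 2.2.22 (per the thread).
ssl_protocol_line() {
    if [ "$(version_number "$1")" -lt 2002023 ]; then
        echo "ALL -SSLv2 -SSLv3"
    else
        echo "+TLSv1 +TLSv1.1 +TLSv1.2"
    fi
}

# Usage on a live host (assumes apache2 and apache2ctl are on PATH):
#   ver=$(parse_apache_version "$(apache2 -v | head -n 1)")
#   echo "SSLProtocol $(ssl_protocol_line "$ver")"   # then apache2ctl configtest
```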
Submitted by JamieCameron on Thu, 10/16/2014 - 17:11 Comment #8
Good idea - this will be changed in the next Webmin release (1.720).
Submitted by Issues on Thu, 10/30/2014 - 17:20 Comment #9
Automatically closed -- issue fixed for 2 weeks with no activity.