Submitted by watermark on Tue, 01/27/2015 - 15:14 Pro Licensee
I'm assuming virtualmin is the package inserting the SSLCipherSuite into the apache config?
Apache fails to start when a website has SSL enabled. If there are no websites with SSL enabled, then apache starts fine. No error messages are displayed or logged (that I can find). Through trial and error, I determined that the SSLCipherSuite causes the issue. When a different SSLCipherSuite is used, apache starts fine.
A fresh install of ubuntu 12.04, fully updated, no extra packages (no apache, no mysql, etc). Installed virtualmin using the install script. SSL enabled sites would not work until the SSLCipherSuite was changed.
Status:
Closed (fixed)
Comments
Submitted by JamieCameron on Tue, 01/27/2015 - 20:57 Comment #1
No, Virtualmin never sets the SSLCipherSuite directive in the Apache config.
Submitted by watermark on Sat, 01/31/2015 - 14:06 Pro Licensee Comment #2
This is still occurring on fresh installs today.
On a fresh install of Ubuntu 12.04.5, if you just install the "apache2" package, the config doesn't contain any SSLCipherSuite directives. On another fresh install, I install virtualmin with the installer script and an SSLCipherSuite is added to the apache config. If this isn't virtualmin doing it, it's a package that the virtualmin installer script is installing.
Do you know any kung-fu to figure out which of the packages installed in the installer script is causing this? Which package is adding the SSLCipherSuite directive to the apache2 config?
As reference, the directives that are different between a vanilla apache install and a virtualmin install:
SSLProtocol ALL -SSLv2
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM
Submitted by JamieCameron on Sat, 01/31/2015 - 17:20 Comment #3
Actually, I'm curious as to why that SSL cipher suite isn't accepted. Does Apache log any reason when it fails to start up?
Submitted by watermark on Sat, 01/31/2015 - 18:12 Pro Licensee Comment #4
No errors are logged anywhere I can find. I looked in the main apache error log, the virtual server's error log, and the syslog. No errors are printed on the apache2 service start, it just says to check the error logs for more detail. I even enabled the ssl log and no errors are printed there.
Apache starts fine once the SSLCipherSuite is removed or changed to other combinations. I haven't put the time into figuring out which cipher is causing the issues.
Submitted by JamieCameron on Sun, 02/01/2015 - 00:43 Comment #5
Can you check which Apache version you are running there? The command
apachectl -v
will show it. I'd like to try reproducing this cipher issue on a test system.
Submitted by watermark on Sun, 02/01/2015 - 10:04 Pro Licensee Comment #6
It reports version 2.2.22, openssl version 1.0.1. Again, this is a fresh install of ubuntu server 12.04.5 64bit.
Submitted by JamieCameron on Sun, 02/01/2015 - 21:59 Comment #7
OK, I found the bug here - turns out that the Virtualmin installer does set this, just in a different script to the one I was looking at initially. Apache 2.4 can handle this cipher list fine, but it is too much for Apache 2.2. I'll fix this in the next installer release.
Submitted by Issues on Sun, 02/15/2015 - 22:00 Comment #8
Automatically closed -- issue fixed for 2 weeks with no activity.
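The trial and error described in comments #1 to #4 can be automated. The following is an added example, not part of the thread and not Virtualmin's code: it shrinks a rejected cipher string to a smaller token list that is still rejected, which separates "one bad token" from "the list as a whole". The `accepts` callback is an assumption: `openssl_accepts` only asks the local OpenSSL library through Python, so to test Apache itself you would pass your own callback that reports whether the service starts with the given string.

```python
import ssl

# Cipher string quoted in comment #2 of this thread.
PAGE_CIPHERS = (
    "ECDHE-RSA-AES256-SHA384:AES256-SHA256:AES256-SHA256:RC4:HIGH:MEDIUM:"
    "+TLSv1:+TLSv1.1:+TLSv1.2:!MD5:!ADH:!aNULL:!eNULL:!NULL:!DH:!ADH:!EDH:!AESGCM"
)

def tokens(cipher_string):
    """Split an OpenSSL cipher string into its colon-separated tokens."""
    return [t for t in cipher_string.split(":") if t]

def duplicates(cipher_string):
    """Tokens that appear more than once, in order of first repeat."""
    seen, dups = set(), []
    for tok in tokens(cipher_string):
        if tok in seen and tok not in dups:
            dups.append(tok)
        seen.add(tok)
    return dups

def reduce_to_failure(cipher_string, accepts):
    """Return a reduced token list that `accepts` still rejects.

    One token left points at a single culprit; many tokens left means the
    failure depends on a combination of tokens or on the list as a whole.
    Returns [] if the original string is accepted.
    """
    toks = tokens(cipher_string)
    if accepts(":".join(toks)):
        return []
    i = 0
    while i < len(toks):
        trial = toks[:i] + toks[i + 1:]
        if trial and not accepts(":".join(trial)):
            toks = trial   # token i is not needed to trigger the failure
        else:
            i += 1         # removing token i hides the failure, so keep it
    return toks

def openssl_accepts(cipher_string):
    """Check against the local OpenSSL via Python's ssl module (not Apache)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
        return True
    except ssl.SSLError:
        return False

if __name__ == "__main__":
    print("duplicate tokens:", duplicates(PAGE_CIPHERS))
    print("still rejected:", reduce_to_failure(PAGE_CIPHERS, openssl_accepts))
```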