httpd fails because of SSLProtocol: Illegal protocol 'TLSv1.1' on CentOS

Time: 2021-01-30 16:53:30

I am trying to update TLS1 to TLS1.1 or higher, but after making the changes below I am getting the error "SSLProtocol: Illegal protocol 'TLSv1.1'".

My Apache and OpenSSL versions are:

httpd -v

Server version: Apache/2.4.2 (Unix)
Server built: Jul 16 2012 21:11:37

openssl version -a

OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Sep 27 12:27:19 UTC 2016

CentOS version (6.7)

rpm --query centos-release

centos-release-6-7.el6.centos.12.3.x86_64

Changes made for SSL:

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

SSLProtocol -all +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

SSLHonorCipherOrder on

I am not sure what is missing here, can anybody help me here?

1 solution

#1


0  

Apache has to be compiled with OpenSSL when it's installed.

Your Apache was apparently compiled back in 16th Jul 2012 when Apache 1.0.1 wasn't even released yet. So guessing it was compiled with the previous version (0.9.8) which doesn't support TLSv1.1.

At some point in the future someone has upgraded OpenSSL to a later version but not recompiled Apache.

As Apache 2.4 wasn't available as a packaged version way back in 2012 someone must have installed it manually and it's stayed on that old version ever since. I suggest you look in yum for a supported 2.4 version which may be available now or install it from source.
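
The mismatch described in the answer above, as an added example that is not part of the original post: a shell check of an SSLProtocol directive against the OpenSSL version mod_ssl was compiled with, which is not necessarily what `openssl version` reports. mod_ssl only recognises the TLSv1.1 and TLSv1.2 tokens when built against OpenSSL 1.0.1 or later; the function names are hypothetical and the 0.9.8 build version is the answer's guess, not a measured value.

```shell
#!/bin/sh
# Added example. Input versions are bare strings such as "0.9.8" or "1.0.1e-fips".

# ver_ge A B: succeed if dotted version A >= B (letter suffixes are ignored).
ver_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*$//')
    first=$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$b" ]
}

# unsupported_protocols BUILD_VERSION "SSLProtocol ..."
# Prints the protocol names this build would reject as "Illegal protocol"
# and returns non-zero if there are any. A token is rejected whether it is
# prefixed with + or -, because the name itself is unknown to the build.
unsupported_protocols() {
    build=$1
    bad=""
    for tok in $2; do              # unquoted on purpose: split into tokens
        name=${tok#[+-]}
        case $name in
            TLSv1.1|TLSv1.2)
                ver_ge "$build" 1.0.1 || bad="$bad $name" ;;
        esac
    done
    bad=${bad# }
    [ -n "$bad" ] && printf '%s\n' "$bad"
    [ -z "$bad" ]
}

# Directive copied from the question; the two build versions are the
# answer's guess (0.9.8) and the installed library from the question.
DIRECTIVE='SSLProtocol -all +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2'
for v in 0.9.8 1.0.1e-fips; do
    if bad=$(unsupported_protocols "$v" "$DIRECTIVE"); then
        echo "mod_ssl built with OpenSSL $v: directive accepted"
    else
        echo "mod_ssl built with OpenSSL $v: Illegal protocol for: $bad"
    fi
done
```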
