Fedora Configuration to enable TLS 1.2 - linux

I want to enable TLS 1.2 on the linux server to access third party ERP system. Please guide me through the steps and commands that I have to follow.
My Apache version: Apache/2.2.9 (Unix)
My OpenSSL version: OpenSSL 0.9.8b 04 May 2006
Thanks in advance.

Unless Fedora provides backports for TLS 1.2, the versions you mention are too old:
OpenSSL: Supported since version
1.0.1
Apache httpd: Introduced in
2.2.23
Anyway you can check if it actually is supported. Restrict the allowed protocols to TLS 1.2 only and try connecting with a recent browser. Edit your httpd.conf to:
SSLProtocol TLSv1.2

Related

How to fix "SSLv3/TLS Renegotiation Stream Injection" vulnerability?

My server inspected an "SSLv3/TLS Renegotiation Stream Injection(10942)" vulnerability.
Suggested fix said
use openssl-0.9.8l or use apache patch 2.2.14/CVE-2009-3555-2.2
but my openssl version is 1.1.1 and my apache version is 2.4.29(Ubuntu)
seems like I don't need to upgrade openssl or apache
what else can I do?
PS: my config is: SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Problem curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

i have problem to run script on kindle reader. i did jailbrake on it and it shows me system version
Linux kindle 2.6.31-rt11-lab126 #5 Sat Jan 12 20:39:09 PST 2013 armv7l unknown
the problem is with running the script to download the png image
curl https://kindle-pindle.herokuapp.com/ -o status.png
an error is returned
curl: (35) error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
I read that it's probably about a bad version of curl but I can't do anything to install a new version because there is no apt-get or sudo in systm so I don't know how to do it
are there maybe other ways to deal with this?
The target site requires at least TLS 1.2. Given the age of what you are running (according to the kernel version) this is likely not supported by the TLS stack on your device.
There is probably no way to download the file directly from the device though. You should be able to download the file on a different device and transfer it to the device though or maybe redistribute it through your own web server which has TLS 1.0 enabled.

SSL Library Error: error: SSL routines:ssl3_get_client_hello:no shared cipher - Too restrictive SSLCipherSuite or using DSA server certificate

Below is the problem:
I compiled apache http server 2.4.34 with Openssl 1.0.2p.
When I use the ciphersuite supporting TLSv1.2, TLSv1.1, TLSv1(Intermediate compatibility), It works.
But I get below error when I use high security CipherSuite supporting only TLSv1.2(Modern Compatibility).
Error in apache debug logs:::
SSL Library Error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher -- Too restrictive SSLCipherSuite or using DSA server certificate
Ciphersuite(Modern) from "https://wiki.mozilla.org/Security/Server_Side_TLS":::
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
Please help me solve this issue.
The client does not have your RSA certificate

Apache: Failed to configure CA certificate chain

Pre-note: The certificates was purchased from a vendor and are valid till 2018
Our Apache for one of our servers (Ubuntu 12.04) crashed this morning. Trying to restart Apache kept giving us the following error message
[Wed Jun 03 12:21:51.875811 2015] [ssl:emerg] [pid 30534] AH01903: Failed to configure CA certificate chain!
[Wed Jun 03 12:21:51.875846 2015] [ssl:emerg] [pid 30534] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
After removing the following line from apache config
SSLCertificateChainFile /etc/apache2/ssl/wck.bundle
Apache reloaded.
The server did not restart so I am sure no updates where done by accident.
I then proceeded to try and get it up and running on one of the 14.04 Ubuntu servers we own. The same problem occurred with the same certificates. I asked the guy who setup the 14.04 apache and he claims the problem we suddenly experienced today with the 12.04 server has always happened on the 14.04 server.
I tried reproducing the error on my local 14.04 by installing a new Apache and copying the certificates and one of the config files for one of the sites to my local machine. On my local machine after the setup everything worked perfectly.
I have tried comparing openssl versions, lib version between the two 14.04, but everything looks the same. I even upgraded both my local machine and the 14.04 server to ensure the libs and Apache version are identical, but the one works and the other one doesn't and I recon If I can solve this problem for the 14.04 Ubuntu server it will provide me with the information to get the ssl certificate chain up and running on the 12.04 Machine.
Does anyone have an idea why suddenly the 12.04 Ubuntu's Apache would stop working with the ssl certaficate chain and the 14.04 server also produces the same error, but my local 14.04 does not?
Any help would be appreciated.
Thanks in advance.

stunnel problems on Ubuntu 14 and Linux Mint 17

I installed stunnel4 from the program manager. When I try to run stunnel on either of Ubuntu 14 or Linux Mint 17, I get the message below. I have this working on CentOS6.5 and on MacOS X Mavericks. Not sure what to try next. Rebuilding openssl is a mess, if that is even the problem.
idf#idf-ZBOX-ID42-BE ~ $ sudo stunnel
Clients allowed=500
stunnel 4.53 on x86_64-pc-linux-gnu platform
Compiled with OpenSSL 1.0.1e 11 Feb 2013
Running with OpenSSL 1.0.1f 6 Jan 2014
Update OpenSSL shared libraries or rebuild stunnel
Threading:PTHREAD SSL:+ENGINE+OCSP Auth:LIBWRAP Sockets:POLL+IPv6
Reading configuration from descriptor 3
Compression not enabled
PRNG seeded successfully
Initializing inetd mode configuration
Section stunnel: SSL server needs a certificate
str_stats: 2 block(s), 10 data byte(s), 116 control byte(s)
idf#idf-ZBOX-ID42-BE ~ $
my conf file looks like this:
idf#idf-ZBOX-ID42-BE ~ $ more /etc/stunnel/stunnel.conf
;Example stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Certificate/key is needed in server mode and optional in client mode
; The default certificate is provided only for testing and should not
; be used in a production environment
;cert = stunnel.pem
;key = stunnel.pem
cert = /home/idf/Downloads/cert.pem
key = /home/idf/Downloads/key.pem
fips = no
libwrap=no
;
;Protocol version (all, SSLv2, SSLv3, TLSv1)
;sslVersion = all
sslVersion = all
ciphers = ALL
;
; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/run/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /home/idf/stunnel.pid
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib
; Workaround for Eudora bug
options = DONT_INSERT_EMPTY_FRAGMENTS
; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = cacerts.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem
; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel/stunnel.log
; Use it for client mode
client = yes
; Service-level configuration
[xxxxxxx-xxx-xxxxx]
client = yes
accept = 127.0.0.1:9099
connect= xx.xx.xx.xx:2506
; vim:ft=dosini
idf#idf-ZBOX-ID42-BE ~ $
If I uninstall the stunnel that is in the repository and replace it with this one:
https://launchpad.net/ubuntu/utopic/amd64/stunnel4/3:5.01-3
I still get even if I disable compression. I don't understand why it is telling me about the "Service [stunnel]: SSL server needs a certificate" since I am trying to use it only in client mode. Also, the other end does not need a certificate.
idf#idf-ZBOX-ID42-BE ~/Downloads $ sudo stunnel
[ ] Clients allowed=500
[.] stunnel 5.01 on x86_64-pc-linux-gnu platform
[.] Compiled/running with OpenSSL 1.0.1f 6 Jan 2014
[.] Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
[ ] errno: (*__errno_location ())
[.] Reading configuration from descriptor 3
[.] FIPS mode disabled
[ ] Compression disabled
[ ] PRNG seeded successfully
[ ] Initializing inetd mode configuration
[!] Service [stunnel]: SSL server needs a certificate
idf#idf-ZBOX-ID42-BE ~/Downloads $ ps ax | grep stunnel
i just beat my way thru this the other day.
you want stunnel4_5.01-3_amd64.deb - you'll have to download that - not in the repos yet. i believe someone made it work with 4.53, but i didn't manage it.
https://launchpad.net/ubuntu/utopic/amd64/stunnel4/3:5.01-3
openssl 1.0.1f and libssl.1.0.0 and libssl.1.0.0:i386 1.0.1f (they're the current versions) are good. but note this from your start output:
Compiled with OpenSSL 1.0.1e 11 Feb 2013
Running with OpenSSL 1.0.1f 6 Jan 2014
i think updating stunnel as described above will sort that for you.
and the other thing you need to do is turn off compression in your stunnel.conf - none of the different types of compression i tried currently work. hopefully, that's temporary.
regards,
hth
(I'm the same guys as above user3694589 - finally bothered to create an account.)
FYI, I just subscribed myself to this related bug and marked it as affecting me on launchpad.net:
https://bugs.launchpad.net/ubuntu/+source/stunnel4/+bug/1315844
You might want to add yourself as well. Several minutes later, I got this email:
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: stunnel4 (Ubuntu)
Status: New => Confirmed
-- You received this bug notification because you are subscribed to the bug report. https://bugs.launchpad.net/bugs/1315844 Title: won't start with compression on

Resources