Apache fails to start with TLSv1 disabled, and does not recognize TLSv1.1 and TLSv1.2


I am running into problems trying to disable TLS 1.0 on Apache, as described here: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol

$ apache2 -v
Server version: Apache/2.2.22 (Ubuntu)
Server built:   Mar  5 2015 18:10:09

$ apt-cache policy apache2
apache2:
  Installed: 2.2.22-1ubuntu1.8

$ openssl version -b -v
OpenSSL 1.0.1 14 Mar 2012
built on: Mon Apr 27 17:53:56 UTC 2015

$ apt-cache policy openssl
openssl:
  Installed: 1.0.1-4ubuntu5.27

Here are the other SSL-related changes I have made:

SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS:!DH

When starting Apache with the following in /etc/apache2/mods-enabled/ssl.conf

SSLProtocol +TLSv1.1 +TLSv1.2

the result is:

Syntax error on line 62 of /etc/apache2/mods-enabled/ssl.conf:
SSLProtocol: Illegal protocol 'TLSv1.1'
Action 'configtest' failed.
The Apache error log may have more information.
   ...fail!

When starting Apache with the following in /etc/apache2/mods-enabled/ssl.conf:

SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1

I temporarily set LogLevel to debug; below is the log output after Apache fails to start:

[Tue May 26 10:02:44 2015] [info] removed PID file /var/run/apache2.pid (pid=17793)
[Tue May 26 10:02:44 2015] [notice] caught SIGTERM, shutting down
[Tue May 26 10:02:45 2015] [info] Init: Seeding PRNG with 656 bytes of entropy
[Tue May 26 10:02:45 2015] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue May 26 10:02:45 2015] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue May 26 10:02:45 2015] [info] Init: Initializing (virtual) servers for SSL

When starting Apache with the following in /etc/apache2/mods-enabled/ssl.conf:

SSLProtocol ALL -SSLv2 -SSLv3

startup succeeds, with the following error messages:

[Tue May 26 10:03:04 2015] [info] Init: Seeding PRNG with 656 bytes of entropy
[Tue May 26 10:03:04 2015] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue May 26 10:03:04 2015] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue May 26 10:03:04 2015] [info] Init: Initializing (virtual) servers for SSL
[Tue May 26 10:03:04 2015] [info] mod_ssl/2.2.22 compiled against Server: Apache/2.2.22, Library: OpenSSL/1.0.1
[Tue May 26 10:03:04 2015] [info] Init: Seeding PRNG with 656 bytes of entropy
[Tue May 26 10:03:04 2015] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue May 26 10:03:04 2015] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(253): shmcb_init allocated 524288 bytes of shared memory
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(272): for 524208 bytes (524288 including header), recommending 32 subcaches, 136 indexes each
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(306): shmcb_init_memory choices follow
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(308): subcache_num = 32
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(310): subcache_size = 16376
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(312): subcache_data_offset = 3280
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(314): subcache_data_size = 13096
[Tue May 26 10:03:04 2015] [debug] ssl_scache_shmcb.c(316): index_num = 136
[Tue May 26 10:03:04 2015] [info] Shared memory session cache initialised
[Tue May 26 10:03:04 2015] [info] Init: Initializing (virtual) servers for SSL
[Tue May 26 10:03:04 2015] [info] mod_ssl/2.2.22 compiled against Server: Apache/2.2.22, Library: OpenSSL/1.0.1
[Tue May 26 10:03:04 2015] [notice] Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1 configured -- resuming normal operations
[Tue May 26 10:03:04 2015] [info] Server built: Mar  5 2015 18:10:09
[Tue May 26 10:03:04 2015] [debug] prefork.c(1023): AcceptMutex: sysvsem (default: sysvsem)

Is the Apache documentation incorrect? Is Apache somehow using an older version of OpenSSL and therefore not accepting the newer protocol flags? What else can I try here?
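The three SSLProtocol lines tried above, worked through as an added example (this is editor-supplied code, not from the original post and not httpd's own code). It models the parsing loop of mod_ssl's SSLProtocol directive (ssl_cmd_protocol_parse() in ssl_engine_config.c): the option set starts empty, a "+" keyword ORs a protocol in, a "-" keyword clears it, a bare keyword replaces the whole set, "ALL" stands for every protocol the build knows, and an unknown keyword is rejected as "Illegal protocol". The two keyword tables are assumptions about two builds: httpd 2.2.22, whose mod_ssl knows only SSLv2, SSLv3 and TLSv1, and httpd 2.2.23 or later built against OpenSSL 1.0.1+, where the TLSv1.1 and TLSv1.2 keywords were added. Running it shows why `+TLSv1.1 +TLSv1.2` is a syntax error on 2.2.22, and why `ALL -SSLv2 -SSLv3 -TLSv1` leaves no protocol at all on that build, which is consistent with startup stopping right after "Initializing (virtual) servers for SSL" in the second log excerpt.

```python
"""Model of how mod_ssl (httpd 2.2.x) parses the SSLProtocol directive.

Added example, not code from the original post or from httpd itself.
It mirrors ssl_cmd_protocol_parse() in mod_ssl's ssl_engine_config.c.
The keyword tables are assumptions about two builds (see names below);
the real set depends on the OpenSSL headers httpd was compiled against.
"""

# Assumed per-build keyword tables.
PROTOCOLS_2_2_22 = ("SSLv2", "SSLv3", "TLSv1")
PROTOCOLS_2_2_23 = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


class SSLProtocolError(ValueError):
    """A keyword the build does not know; httpd fails configtest with
    'SSLProtocol: Illegal protocol ...'."""


def parse_ssl_protocol(directive, known_protocols):
    """Return the set of protocols enabled by an SSLProtocol argument string.

    `directive` is the text after the SSLProtocol keyword, e.g. "ALL -SSLv2".
    Keyword matching is case-insensitive, like mod_ssl's strcEQ().
    """
    lookup = {p.lower(): p for p in known_protocols}
    enabled = set()
    for word in directive.split():
        action = ""
        if word[0] in "+-":
            action, word = word[0], word[1:]
        if word.lower() == "all":
            chosen = set(known_protocols)
        elif word.lower() in lookup:
            chosen = {lookup[word.lower()]}
        else:
            raise SSLProtocolError("SSLProtocol: Illegal protocol '%s'" % word)
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen  # bare keyword replaces everything before it
    return enabled


def check_config(directive, known_protocols):
    """Classify a directive the way the server would react to it.

    ("syntax-error", message)  unknown keyword: configtest fails
    ("no-protocols", set())    every protocol removed: mod_ssl has nothing
                               to initialise a vhost with and aborts startup
    ("ok", enabled_set)        the protocols the server would offer
    """
    try:
        enabled = parse_ssl_protocol(directive, known_protocols)
    except SSLProtocolError as exc:
        return ("syntax-error", str(exc))
    if not enabled:
        return ("no-protocols", enabled)
    return ("ok", enabled)


if __name__ == "__main__":
    # The three directives from the post, evaluated against both builds.
    directives = ("+TLSv1.1 +TLSv1.2",
                  "ALL -SSLv2 -SSLv3 -TLSv1",
                  "ALL -SSLv2 -SSLv3")
    builds = (("2.2.22", PROTOCOLS_2_2_22), ("2.2.23+", PROTOCOLS_2_2_23))
    for directive in directives:
        for label, known in builds:
            status, detail = check_config(directive, known)
            if isinstance(detail, set):
                detail = ", ".join(sorted(detail)) or "(none)"
            print("%-8s SSLProtocol %-26s -> %s: %s"
                  % (label, directive, status, detail))
```

The practical consequence of the model: on a mod_ssl that only knows TLSv1, "disable TLSv1" and "disable TLS entirely" are the same request, so the only way to keep a TLS-only server on this host is a mod_ssl build that knows the newer keywords (httpd 2.2.23 or later, or 2.4). After such an upgrade, verify the result from a client with `openssl s_client -connect host:443 -tls1`, `-tls1_1` and `-tls1_2` (all three flags exist in OpenSSL 1.0.1's s_client) and confirm that only the intended versions complete the handshake.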
