Apache: Connection reset after SSL client hello

January 20, 2017
Apache Security Ubuntu

Hi,

I have set up my first HTTPS web server and I ran into some trouble.
I have a 14.04 LTS server and I used this tutorial.
https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04

The server listens on 443 and accepts telnet connections on 443.
Wireshark sees a valid TCP connection, an SSL Client Hello, then an RST from the server.
gnutls-cli-debug gives this output: Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1 and TLS 1.2
ssllabs.com: Assessment failed: No secure protocols supported

default-ssl.conf

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on
                SSLCipherSuite HIGH
                SSLProtocol -ALL +SSLv3 +TLSv1.2 +TLSv1.1 +TLSv1
                SSLHonorCipherOrder On
                SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS

                SSLCertificateFile      /etc/apache2/ssl/apache.crt
                SSLCertificateKeyFile /etc/apache2/ssl/apache.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>
                BrowserMatch "MSIE [2-6]" \
                                nokeepalive ssl-unclean-shutdown \
                                downgrade-1.0 force-response-1.0
                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        </VirtualHost>
</IfModule>

Thanks in advance.

1 comment
  • ---UPDATE---
    On later inspection: openssl s_client -connect 127.0.0.1:443 -prexit run on the server itself did return a valid TLS handshake.
    When I ran packet captures on both sides they both blamed the other end for resetting the connection. I have now contacted my provider to check their firewall.
    ---SOLVED---
    Solved: the application firewall only allowed HTTP traffic.

1 Answer

@peeterswouter

The guide you've linked to only covers adding the following lines to get your SSL certificate working:

SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

So what I recommend doing is removing the following lines and then restarting Apache:

SSLCipherSuite HIGH
SSLProtocol -ALL +SSLv3 +TLSv1.2 +TLSv1.1 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS

As a general best practice, you should always verify that your SSL is working before setting up additional configuration parameters. Once it's working, and based on the suggestions from SSLLabs, you can then tweak the SSL configuration as needed to tighten up security.

That said, it's important to keep in mind that the guide you've linked to covers creating a self-signed SSL certificate which won't appear valid to most users and will most likely fail SSL tests since it's not signed by a certificate authority.

To generate a valid SSL certificate that is signed, I'd highly recommend checking out the guide that covers LetsEncrypt below.

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

This tutorial will show you how to set up a free TLS/SSL certificate from Let’s Encrypt on a Ubuntu 16.04 server running Apache as web server. TLS certificates are used within web servers to encrypt the traffic between server and client, providing extra security for users accessing your application.
  • Hi jtittle, thanks for your reply.

    These lines were added later to specify ciphers because the server did not accept the SSL handshake. It didn't work without these lines either.
