Question

Apache: Connection reset after SSL Client Hello

Hi,

I have set up my first https web server and I ran into some trouble. I have a 14.04 LTS server and I used this tutorial: https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04

The server listens on 443 and accepts telnet connections on 443. Wireshark sees a valid TCP connection, an SSL Client Hello, then a RST from the server. gnutls-cli-debug gives this output: "Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1 and TLS 1.2". ssllabs.com says: "Assessment failed: No secure protocols supported".

default-ssl.conf

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on
                SSLCipherSuite HIGH
                SSLProtocol -ALL +SSLv3 +TLSv1.2 +TLSv1.1 +TLSv1
                SSLHonorCipherOrder On
                SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS

                SSLCertificateFile      /etc/apache2/ssl/apache.crt
                SSLCertificateKeyFile /etc/apache2/ssl/apache.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>
                BrowserMatch "MSIE [2-6]" \
                                nokeepalive ssl-unclean-shutdown \
                                downgrade-1.0 force-response-1.0
                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        </VirtualHost>
</IfModule>

Thanks in advance.

@peeterswouter

The guide you’ve linked to only covers adding the following lines to get your SSL certificate working:

SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

So what I recommend doing is removing the following lines and then restarting Apache:

SSLCipherSuite HIGH
SSLProtocol -ALL +SSLv3 +TLSv1.2 +TLSv1.1 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS

As a general best practice, you should always verify that your SSL is working before setting up additional configuration parameters. Once it's working, and based on the suggestions from SSLLabs, you can then tweak the SSL configuration as needed to tighten up security.

That said, it’s important to keep in mind that the guide you’ve linked to covers creating a self-signed SSL certificate which won’t appear valid to most users and will most likely fail SSL tests since it’s not signed by a certificate authority.

To generate a valid SSL certificate that is signed, I'd highly recommend checking out the guide below, which covers Let's Encrypt.

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04
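The question describes a ClientHello answered with a bare TCP RST, and the answer above recommends verifying that SSL works before tightening the configuration. As an added example (not part of the question, the answer, or any DigitalOcean tool), here is a small Python 3 probe that hand-builds one ClientHello per protocol version named in the poster's SSLProtocol line and reports the first thing the server sends back: a ServerHello, a TLS alert, a plaintext HTTP response (port 443 served without SSLEngine on), a clean close, or a TCP reset. It is a stripped-down version of the check gnutls-cli-debug and SSL Labs perform, and it uses only the standard library. The cipher list, the extension set, the hostname/port arguments and the result labels are my choices, not anything from the page.

```python
"""Per-version TLS ClientHello probe (stdlib only, added example).

Sends one hand-built ClientHello per protocol version and reports the
first thing the server sends back, so a "no secure protocols supported"
verdict can be broken down into: ServerHello, TLS alert, plaintext HTTP,
clean close, or a TCP reset like the one seen in Wireshark.
"""
import ipaddress
import os
import socket
import struct
import sys

# Wire encodings of the protocol versions the poster's SSLProtocol line names.
VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
WIRE_TO_NAME = {wire: name for name, wire in VERSIONS.items()}

# Cipher list (my choice): the GCM suites need TLS 1.2, the CBC ones work everywhere.
CIPHER_SUITES = [0xC02F, 0xC030, 0x009C, 0xC013, 0xC014, 0x002F, 0x0035, 0x000A]

# Alert descriptions a probe is likely to trigger (RFC 5246 section 7.2).
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 47: "illegal_parameter",
               70: "protocol_version", 71: "insufficient_security",
               80: "internal_error", 112: "unrecognized_name"}


def _ext(ext_type, body):
    """Encode one TLS extension: type, length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(version, server_name=None):
    """Return a TLS record carrying a ClientHello whose client_version is `version`."""
    major, minor = VERSIONS[version]
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)

    extensions = b""
    if server_name:  # SNI so name-based virtual hosts pick the right certificate
        host = server_name.encode("idna")
        extensions += _ext(0x0000, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host)
    # supported_groups (x25519, P-256, P-384) and ec_point_formats make ECDHE usable
    extensions += _ext(0x000A, struct.pack("!HHHH", 6, 0x001D, 0x0017, 0x0018))
    extensions += _ext(0x000B, b"\x01\x00")
    if version == "TLSv1.2":
        # signature_algorithms; without it a TLS 1.2 server assumes SHA-1 signatures
        extensions += _ext(0x000D, struct.pack("!H", 10) + bytes.fromhex("08040401050106010403"))

    body = (bytes([major, minor])
            + os.urandom(32)                               # client random
            + b"\x00"                                      # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                  # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    record_version = b"\x03\x00" if version == "SSLv3" else b"\x03\x01"
    return b"\x16" + record_version + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Name the first record the server sent back (pure function, easy to test)."""
    if not data:
        return "closed"                                   # FIN without any TLS record
    if data[0] == 0x15 and len(data) >= 7:               # alert: level at [5], description at [6]
        return "alert:" + ALERT_NAMES.get(data[6], str(data[6]))
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:   # handshake / ServerHello
        negotiated = (data[9], data[10])
        return "server_hello:" + WIRE_TO_NAME.get(negotiated, "%d.%d" % negotiated)
    if data.startswith(b"HTTP/"):
        return "plaintext_http"                           # port 443 answered without SSLEngine on
    return "unexpected:" + data[:5].hex()


def probe(host, port, version, timeout=5.0):
    """Connect, send one ClientHello, report what came back."""
    try:
        ipaddress.ip_address(host)
        server_name = None                                # SNI must not carry an IP literal
    except ValueError:
        server_name = host
    hello = build_client_hello(version, server_name)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(hello)
            return classify_response(sock.recv(4096))
    except (ConnectionResetError, BrokenPipeError):
        return "reset"                                    # the RST the poster saw in Wireshark
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for name in VERSIONS:
        print("%-8s %s" % (name, probe(target, port, name)))
```

Run it as `python3 tls_probe.py your.host 443` from another machine, or against localhost on the server itself. If every version comes back as `reset` or `closed`, the connection is being dropped before any protocol is chosen, so the place to look is the virtual host and the certificate/key pair rather than the SSLProtocol line; `plaintext_http` means port 443 is being served by a vhost without SSLEngine on; an `alert:protocol_version` for SSLv3 alongside a `server_hello:TLSv1.2` is the healthy pattern. This is a quick local check, not a replacement for the SSL Labs report the answer points to.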