Related

Hacking attempt fixed with Fail2Ban, but high memory usage remains Question Question
SSL Certificate causing warnings in error.log and not working properly. https// does not work. Question Question

Question

Apache: Connetion reset after ssl client hello

Posted January 20, 2017 7.3k views
UbuntuApacheSecurity

Hi,

I have set up my first https web server and I ran into some trouble.
I have a 14.4LTS server and I used tis tutorial.
https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04

The servers listens on 443 and accepts telnet connections on 443.
Wireshark sees a valid tcp connection, a ssl Client hello, then a RST from the server.
gnutls-cli-debug gives output: Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1 and TLS 1.2
ssllabs.com: Assessment failed: No secure protocols supported

default-ssl.conf

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost

                DocumentRoot /var/www/html

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on
                SSLCipherSuite HIGH
                SSLProtocol -ALL +SSLv3 +TLSv1.2 +TLSv1.1 +TLSv1
                SSLHonorCipherOrder On
                SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS

                SSLCertificateFile      /etc/apache2/ssl/apache.crt
                SSLCertificateKeyFile /etc/apache2/ssl/apache.key

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>
                BrowserMatch "MSIE [2-6]" \
                                nokeepalive ssl-unclean-shutdown \
                                downgrade-1.0 force-response-1.0
                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        </VirtualHost>
</IfModule>

thanks in advance.

Add a comment
peeterswouter
By:
peeterswouter

Related

Hacking attempt fixed with Fail2Ban, but high memory usage remains Question Question
SSL Certificate causing warnings in error.log and not working properly. https// does not work. Question Question
Add a comment
1 comment
  • peeterswouter January 20, 2017
    Reply Report

    —UPDATE—
    On later inspection: openssl s_client -connect 127.0.0.1:443 -prexit run on the server itself did return a valid tls handshake.
    When I ran packet captures on both sides they both blamed the other end for resetting the connection. I have now contacted my provider to check there firewall.
    —SOLVED—
    Solved the application firewall only allowed http traffic.

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer
jtittle1 January 20, 2017

@peeterswouter

The guide you’ve linked to only covers adding the following lines to get your SSL certificate working:

SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

So what I recommend doing is removing the following lines and then restarting Apache:

SSLCipherSuite HIGH
SSLProtocol -ALL +SSLv3 +TLSv1.2 +TLSv1.1 +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite EECDH+ECDSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5:!DSS

As a general best-practice, you should always verify that your SSL is working before further setting up additional configuration parameters. Once it’s working and based on the suggestions from SSLLabs, you can then tweak the SSL configuration as needed to tighten up security.

That said, it’s important to keep in mind that the guide you’ve linked to covers creating a self-signed SSL certificate which won’t appear valid to most users and will most likely fail SSL tests since it’s not signed by a certificate authority.

To generate a valid SSL certificate that is signed, I’d highly recommend checking out the guide that covers LetsEncrypt below.

https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

How To Secure Apache with Let's Encrypt on Ubuntu 16.04
by Erika Heidi
This tutorial will show you how to set up a free TLS/SSL certificate from Let’s Encrypt on a Ubuntu 16.04 server running Apache as web server. TLS certificates are used within web servers to encrypt the traffic between server and client, providing extra security for users accessing your application.
Reply Report
  • peeterswouter January 20, 2017

    Hi jtittle, tnx for your reply.

    These lines where added later to specify Ciphers because the server did not except the ssl handshake. It didn’t work without these lines ether.

    Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help