
I know you think this is a duplicate question, but hear me out first. I am not able to find an answer for a system with the same configuration as mine, so here is my server configuration:

Red Hat 4.1.2-44
CentOS release 5
OpenSSL 1.0.2a
Server version: Apache/2.2.3

I am having a protocol issue since I installed a new SSL certificate. I found out that I had TLSv1 enabled. I then looked at an article (link: https://www.leaderssl.com/news/471-how-to-disable-outdated-versions-of-ssl-tls-in-apache) to try to disable TLSv1. I have tried a number of possible solutions, but I am getting either an Illegal protocol 'TLSv1.1' error in Linux or No SSL protocols available [hint: SSLProtocol].

I get Illegal protocol 'TLSv1.1' when the restart command (service httpd restart) fails after I change the SSL protocol to SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

and when I apply the SSL protocol SSLProtocol all -SSLv2 -SSLv3, the server restarts successfully, but I get an error in the httpd error log saying No SSL protocols available [hint: SSLProtocol]

DadyByte

2 Answers


CentOS 5 is several years past end of life (March 2017) and will never support TLS 1.1 or higher, not even if you attempt to replace critical system libraries, as someone seems to have done with this system.

This system should have been upgraded several years ago. It can no longer be postponed. If you want support for TLS 1.1 and higher, you need to upgrade to a currently supported CentOS release (7 or 8, preferred 8).

Michael Hampton
  • Thanks, I know that the server is past end of life. The migration to a new server is underway but due to this error, our other services have stopped. Is there a workaround that can hold up for a few days? – DadyByte Jul 14 '20 at 03:06
    @DadyByte You could have already had the new system up and your web site running! It doesn't take days, maybe hours or even less than an hour depending on the nature of your web site. Don't make any more excuses. – Michael Hampton Jul 14 '20 at 03:07

WARNING: AWFUL HACK APPROACHING

I'm very surprised you have OpenSSL 1.0.2a. The one test VM I have archived with CentOS 5.6 has 1.0.1e, and rpmfind shows the same for 6.10, so I wouldn't expect any 5.x to have higher. However, both 1.0.1 and 1.0.2 implement(ed) TLSv1.1 and TLSv1.2; it is your way-old Apache version that doesn't know how to configure them in OpenSSL. So:

  • specify SSLProtocol all -SSLv3 -TLSv1

  • make sure SSLCipherSuite disables all SSLv2 ciphersuites. The /etc/ssl/conf.d/ssl.conf in my mod_ssl package, which is 2.2.15 (higher than yours, if it's in sync with the rest of Apache), already has !SSLv2 among several 'deletes', but if yours doesn't, or it has been removed/changed/replaced in your configuration, add it.

As a result of this combination, Apache thinks there is a protocol enabled, namely SSLv2, but because the ciphersuites for SSLv2 are disjoint from those for the higher protocols, the ciphersuite setting prevents any SSLv2 handshake from actually succeeding, thus handling any insanely stupid clients or (more importantly) security scanners and auditors. SSLv3 and TLSv1.0 are disabled as specified, and TLSv1.1 and TLSv1.2 (both) remain enabled because your Apache didn't (and couldn't) disable them. Works when tested on a copy of my above-mentioned archive VM.

Do NOT use SSLProtocol SSLv2 as an 'abbreviation'. I'm not sure, but that might lead mod_ssl to use the specific SSLv2 method (i.e. function) rather than the generic method (misleadingly named SSLv23 in those versions of OpenSSL; in 1.1.x it was finally fixed to TLS_*method) with 'option' flags. You absolutely need the latter.

That said, I agree with Michael: replace this system ASAP.

dave_thompson_085
  • Thanks Dave, I tested the same on another RHEL 5 server which I had there, and it is working. I got to know from the SSL certificate vendor that my protocols are fine but the issue is with the cipher suite. What I am not able to understand, then, is how it was working before I renewed the certificate? – DadyByte Jul 14 '20 at 08:38
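To make the two error messages in the question and the reasoning behind the workaround concrete, here is an added Python model written for this page; it is example code, not mod_ssl source and not anything the question or answers posted. It models how Apache 2.2.3 mod_ssl parses the SSLProtocol directive (the real directive names are SSLProtocol and SSLCipherSuite) and which versions an OpenSSL 1.0.x server built from that setting can still negotiate. Its assumptions, also stated in the code: mod_ssl 2.2.3 accepts only the tokens SSLv2, SSLv3, TLSv1 and all, with optional + or - prefixes, and rejects anything else at parse time; an empty result is rejected as No SSL protocols available; mod_ssl sets SSL_OP_NO_* flags only for the three versions it can name, so TLSv1.1 and TLSv1.2 are never switched off; and a cipher string containing !SSLv2 leaves an SSLv2 handshake with no suite to agree on. The cipher string in the demo is constructed in the shape of the RHEL ssl.conf default. The model does not cover which OpenSSL method function mod_ssl selects, so it says nothing about the bare SSLv2 abbreviation the answer warns against, and it does not reproduce the runtime No SSL protocols available error the question saw with all -SSLv2 -SSLv3.

```python
"""Added example: a model of how Apache 2.2.3 mod_ssl turns an SSLProtocol
directive into OpenSSL settings, and what an OpenSSL 1.0.x server can then
negotiate.  Illustration code for this page, not mod_ssl source.

Assumptions:
- mod_ssl 2.2.3 knows only the tokens SSLv2, SSLv3, TLSv1 and all, each
  optionally prefixed with + or -; any other token is rejected at config
  parse time as "Illegal protocol '<token>'".
- An empty result is rejected as "No SSL protocols available [hint: SSLProtocol]".
- mod_ssl uses the generic (SSLv23) method and sets SSL_OP_NO_* flags only
  for the versions it knows and that were not enabled, so TLSv1.1 and
  TLSv1.2, which it cannot name, are never switched off on OpenSSL 1.0.x.
- SSLv2 suites are disjoint from SSLv3/TLS suites, so an SSLCipherSuite
  string containing !SSLv2 leaves an SSLv2 handshake nothing to negotiate.
"""

# Tokens mod_ssl 2.2.3 accepts (matched case-insensitively) and the versions
# OpenSSL 1.0.x actually implements, in protocol order.
MODSSL_TOKENS = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}
OPENSSL_10X_VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


class ConfigError(Exception):
    """Raised where httpd -t or service httpd restart would refuse the config."""


def parse_ssl_protocol(args):
    """Return the protocol set mod_ssl 2.2.3 derives from `SSLProtocol <args>`.

    A bare token replaces the set, +token adds, -token removes, and `all`
    stands for every token mod_ssl knows (not every version OpenSSL knows).
    """
    enabled = set()
    for word in args.split():
        action = "="
        if word[:1] in ("+", "-"):
            action, word = word[0], word[1:]
        key = word.lower()
        if key == "all":
            this = set(MODSSL_TOKENS.values())
        elif key in MODSSL_TOKENS:
            this = {MODSSL_TOKENS[key]}
        else:
            raise ConfigError(f"Illegal protocol '{word}'")
        if action == "-":
            enabled -= this
        elif action == "+":
            enabled |= this
        else:
            enabled = this
    if not enabled:
        raise ConfigError("No SSL protocols available [hint: SSLProtocol]")
    return enabled


def sslv2_suites_killed(cipher_suite):
    """True when the SSLCipherSuite string permanently removes SSLv2 suites (!SSLv2)."""
    return "!SSLv2" in cipher_suite.split(":")


def negotiable_versions(enabled, cipher_suite):
    """Versions an OpenSSL 1.0.x server can complete a handshake with.

    mod_ssl only sets SSL_OP_NO_SSLv2/SSLv3/TLSv1; everything else OpenSSL
    implements stays on.  With SSLv2 suites killed, SSLv2 cannot complete.
    """
    switched_off = {v for v in MODSSL_TOKENS.values() if v not in enabled}
    versions = [v for v in OPENSSL_10X_VERSIONS if v not in switched_off]
    if sslv2_suites_killed(cipher_suite):
        versions = [v for v in versions if v != "SSLv2"]
    return versions


def evaluate(args, cipher_suite):
    """Return (error message or None, versions a client could actually negotiate)."""
    try:
        enabled = parse_ssl_protocol(args)
    except ConfigError as exc:
        return str(exc), []
    return None, negotiable_versions(enabled, cipher_suite)


if __name__ == "__main__":
    # Constructed cipher string in the shape of the RHEL ssl.conf default,
    # which carries the !SSLv2 "delete" the workaround relies on.
    CIPHERS = "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW"
    for args in [
        "all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1",   # the question's first attempt
        "all -SSLv2 -SSLv3",                   # the question's second attempt
        "all -SSLv2 -SSLv3 -TLSv1",            # nothing left that mod_ssl can name
        "all -SSLv3 -TLSv1",                   # the workaround from the answer
    ]:
        error, versions = evaluate(args, CIPHERS)
        print(f"SSLProtocol {args:<36} -> {error or ', '.join(versions)}")
```

Whatever the model says, confirm on the real server from another host: openssl s_client -connect host:443 -tls1_1 and the same with -tls1_2 should complete a handshake, while -ssl3 and -tls1 should fail, and a scanner probing SSLv2 should get no usable cipher.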