12

Many SSL clients, notably JDK 6, use the SSLv2Hello protocol to handshake with the server. Using this protocol does not mean you are using SSL 2.0 or 3.0 for that matter; it is merely a handshake to determine which protocol to use. [https://www.rfc-editor.org/rfc/rfc5246#appendix-E.2]

However, in Apache, if you disable SSLv3 support, this apparently removes support for the SSLv2Hello protocol. Apache Tomcat has explicit support for SSLv2Hello; that is, you can enable that, but not enable SSLv3.

Is there any way to do this in Apache?

[Update]

This is my protocol config:

  SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 -SSLv3
Community
  • 1
Matt Hughes
  • 231
  • 1
  • 2
  • 5
  • `However, in Apache, if you disable SSLv3 support, this apparently removes support for the SSLv2Hello protocol.` I'm running Apache 2.2 with `SSLProtocol all -SSLv2 -SSLv3` and the SSL 2 handshake works. What configuration are you running exactly that you're having a problem. The only way I know to disable the SSL 2 Handshake is to enable FIPS mode. – Chris S Oct 17 '14 at 19:13
  • 1
    What a pain to handle that legacy support in 2014 :( . It's time for everyone to nuke SSLv2 & SSLv3 and make universal extensions support (e.g. SNI). – Xavier Lucas Oct 17 '14 at 19:36
  • 2
    @XavierLucas Instead of doing all -SSLv2, -SSLv3, I specify the TLS protocols I do support. I don't see why that would be different, but I will test. – Matt Hughes Oct 17 '14 at 19:51
  • @ChrisS I tried both: SSLProtocol +TLSv1 +TLSv1.1 +TLSv1.2 -SSLv3 and all -SSLv3 -SSLv2. This is running with Apache 2.4.10. Neither configuration appears to allow the SSL 2 handshake. And I have not touched FIPS mode; the default is that it is disabled. – Matt Hughes Oct 20 '14 at 13:16

2 Answers2

7

Apparently mod_ssl has changed in the last year or so (I haven't found the exact commit to the source, but found the "problem"). The source now does this:

If SSLProtocol only includes only one Protocol:
    Handshake = That Protocol's Handshake Only
Else
    Handshake = SSLv2 Handshake

There's no override for this setting. The only thing you could do is edit the source, recompile your own version. I've created a diff to force SSLv2 Handshake compatibility if you want to compile your own.

Chris S
  • 77,337
  • 11
  • 120
  • 212
  • 1
    I can confirm, that Chris' patch helps -- curl (and libcurl-using programs such as git) can now talk to our server again, despite SSLv3 having been disabled -- without `sslscan` flagging any vulnerabilities. But the patch seems somewhat invasive and I'd like to ask Chris to submit it to Apache project for review ASAP. I'll file a ticket myself, if Chris does not :-) Thank you very much, Chris! – Mikhail T. Oct 28 '14 at 22:40
  • 1
    It'd be a better idea to add a separate directive to force compatibility mode. If I have some spare time I'll write that up, but I don't think this "patch" is a good idea in the long run. – Chris S Oct 29 '14 at 00:04
  • Yes, that appears to be, what Apache developers are considering. See the [thread][1] I started there... [1]https://mail-archives.apache.org/mod_mbox/httpd-dev/201410.mbox/%3C54501F91.2080104%40aldan.algebra.com%3E – Mikhail T. Oct 30 '14 at 01:18
1

So it turns out this was a non-issue all along. Apache will accept SSLv2 handshake with either of the configurations I posted above. I was misled by a handshake error into thinking this was the issue; it was really just a configuration issue where the server wasn't trusting the client's CA.

Matt Hughes
  • 231
  • 1
  • 2
  • 5