Recently we updated our mod_ssl config to disable SSLv3 for the POODLE attack, and that seems to be working. However, old clients (java 1.6 apps of ours, openssl 0.9.8za on my mac) get a handshake error, unless we specify TLSv1 in the code/command line respectively. However, from the same clients, I can initiate an SSL connection fine from those same tools to i.e. facebook.com, which also has SSLv3 disabled.
Symptom:
#working example site with SSLv3 disabled:
My-iMac:~ me$ openssl s_client -connect facebook.com:443
CONNECTED(00000003)
depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
....
#My site with SSLv3 disabled:
My-iMac:~ me$ openssl s_client -connect site.company.com:443
CONNECTED(00000003)
66904:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52/src/ssl/s23_lib.c:182:
#Same site, now with -tls1 on command line, works:
My-iMac:~ me$ openssl s_client -connect site.company.com:443 -tls1
CONNECTED(00000003)
depth=1 /C=US/O=GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
....
My question - what can I do to let this and other clients connect/negotiate properly, automatically (like facebook.com), without having to specify tls1? Is this some known limitation of the version of openssl in RHEL5/Centos5?
Server setup: Centos 5.x, latest openssl rpm (openssl-0.9.8e-31.el5_11), custom built apache 2.4.10
Relevant apache config:
SSLEngine on
SSLProtocol -all +TLSv1
SSLHonorCipherOrder On
SSLCipherSuite RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV2:!eNULL
SSLCertificateFile /opt/ca/cert.pem
SSLCertificateChainFile /opt/ca/cert.pem