Registered Member
Hi,
Fixing the following problem is very urgent. We don't understand where the problem comes from because Apache configurations and components are the same.

We have some development PCs on KDE-Neon 5.17 with Apache/2.4.29 (Ubuntu) and OpenSSL 1.1.1d 10 Sep 2019. If we run this command against this PC, we have a problem: your system does not support TLS 1.2 or TLS 1.3, as the following traces show:

```
openssl s_client -debug -connect workdev01.org.fr:443
CONNECTED(00000003)
write to 0x162d080 [0x163cf10] (317 bytes => 317 (0x13D))
read from 0x162d080 [0x1633cf3] (5 bytes => 5 (0x5))
0000 - 48 54 54 50 2f                                    HTTP/
140225635791936:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 317 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x162d080 [0x1621eb0] (8192 bytes => 484 (0x1E4))
read from 0x162d080 [0x1621eb0] (8192 bytes => 0 (0x0))
```

We have some servers on Ubuntu 18.04 with Apache/2.4.29 (Ubuntu) and OpenSSL 1.1.1d 10 Sep 2019. If we run this command against this server, we have no problem, as the following traces show:

```
openssl s_client -debug -connect serverdevxn01.org.fr:443
CONNECTED(00000003)
write to 0x249a080 [0x24aac50] (321 bytes => 321 (0x141))
...
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3420 bytes and written 414 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: CDC48AA7AE09FE5110B3EDAB5A60B7AA7E86D99A90D7F3E65733FBBCEE563E06
    Session-ID-ctx:
    Master-Key: 670073A4994F61BC9CD86D8FA524C85F2F5A18FD59E6DF72DB9E35BE4C17FC2FD91CF2819DB87E4723E8B0A2491B2C4D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    Start Time: 1579878893
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE
write to 0x249a080 [0x24a5a93] (31 bytes => 31 (0x1F))
0000 - 15 03 03 00 1a 46 df c9-e4 c0 ad 3c 94 0a b7 e8   .....F.....<....
0010 - 8d e2 e3 d8 83 39 e5 a6-9a d2 cd 3b 97 0b dd      .....9.....;...
read from 0x249a080 [0x248eeb0] (8192 bytes => 31 (0x1F))
0000 - 15 03 03 00 1a f7 bb ce-f9 92 b2 eb 5a b7 26 7a   ............Z.&z
0010 - 94 24 fb 47 73 f3 72 5d-12 a3 ee 4f 61 1d d5      .$.Gs.r]...Oa..
read from 0x249a080 [0x248eeb0] (8192 bytes => 0 (0x0))
```

For your system to accept the connection, you must invalidate a good part of the protocols:

```
openssl s_client -no_tls1 -no_tls1_1 -no_tls1_2 -no_tls1_3 -debug -connect workdev01.org.fr:443
CONNECTED(00000003)
write to 0x24db110 [0x24eafa0] (7 bytes => 7 (0x7))
0000 - 15 03 01 00 02 02 50                              ......P
140601540125760:error:141E70BF:SSL routines:tls_construct_client_hello:no protocols available:../ssl/statem/statem_clnt.c:1113:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x24db110 [0x24cfeb0] (8192 bytes => 0 (0x0))
```
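
Reading the failing trace above (an added example, not part of the original post): the 5 bytes the client read back are `48 54 54 50 2f`, the ASCII text `HTTP/`, whereas a TLS record header starts with a content type of 20 to 23 followed by major version 3. The Python sketch below rebuilds the bytes from `-debug` dump lines and classifies them; the function names are hypothetical, and the two sample inputs are copied from the traces in the post with the dump column spacing reconstructed.

```python
import re
import struct

# TLS record content types (RFC 5246 / RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

# One s_client -debug dump line: offset, " - ", hex bytes joined by ' ' or '-'.
DUMP_LINE = re.compile(r"^([0-9a-f]{4}) - ((?:[0-9a-f]{2}[ -])*[0-9a-f]{2})")


def dump_to_bytes(lines):
    """Rebuild raw bytes from s_client -debug hex dump lines."""
    out = bytearray()
    for line in lines:
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue  # "read from ..." headers and status text
        if int(m.group(1), 16) != len(out):
            raise ValueError("dump offsets are not contiguous")
        out += bytes.fromhex(m.group(2).replace("-", " "))
    return bytes(out)


def classify_reply(data):
    """Classify the first bytes received from the server."""
    if len(data) < 5:
        return ("incomplete", None)
    ctype, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if ctype in CONTENT_TYPES and major == 3 and minor <= 4:
        return ("tls", CONTENT_TYPES[ctype])
    if data.startswith(b"HTTP/"):
        # A client parsing "HTTP/" as a record header sees version bytes
        # 0x54 0x54 instead of 0x03 0x0X, hence "wrong version number".
        return ("plaintext-http", None)
    return ("unknown", None)


# Sample input copied from the post's traces (column spacing reconstructed).
FAILING = ["read from 0x162d080 [0x1633cf3] (5 bytes => 5 (0x5))",
           "0000 - 48 54 54 50 2f                                    HTTP/"]
WORKING = ["read from 0x249a080 [0x248eeb0] (8192 bytes => 31 (0x1F))",
           "0000 - 15 03 03 00 1a f7 bb ce-f9 92 b2 eb 5a b7 26 7a   ............Z.&z",
           "0010 - 94 24 fb 47 73 f3 72 5d-12 a3 ee 4f 61 1d d5      .$.Gs.r]...Oa.."]

if __name__ == "__main__":
    for name, trace in (("workdev01", FAILING), ("serverdevxn01", WORKING)):
        print(name, classify_reply(dump_to_bytes(trace)))
```

When the result is `plaintext-http`, the listener on that port answered without TLS, so the place to check is the server's configuration for port 443 (for Apache, whether the virtual host on that port has `SSLEngine on`).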
Registered Member
Well, according to the KDE Neon FAQ: "KDE neon focuses on KDE software, most other software is not supported and you should not be surprised if you can not install it or it stops working at any point in time due to an update."
Anyway, it is not a good idea to run server software on a "distro" that focuses on the (KDE Plasma) desktop and ask for help in the corresponding forum. I'd recommend using Ubuntu Server or any other server-oriented distro for that.
Registered Member
Hello,
Thanks for your response. We want a KDE Plasma 5 workstation for our development, based on Ubuntu 18.04 or Debian 10 as a last resort. Before, we used Linux Mint KDE (18.3), but they abandoned KDE. Do you have a solution for us if KDE Neon cannot fulfill this role? Best regards.