
TLSv1 doesn't work without enabling SSLv2

I'm using Apache version 2.2.4. I already know this version only supports SSLv2, SSLv3 and TLSv1.0, but something weird happens when I use it:

When SSLv2 is disabled, the web browser (internet explorer in my case) uses SSLv3

SSL 3.0, 3DES with 168 bit encryption (High); RSA with 2048 bit exchange.

When I enable SSLv2, the web browser uses TLSv1.0:

TLS 1.0, AES with 256 bit encryption (High); RSA with 2048 bit exchange

And finally, when I disable both protocols (SSLv2 and SSLv3), the web page doesn't load at all!

I used this config for Apache:

SSLProtocol all
SSLCipherSuite all

Would you please explain this for me? How can I use TLSv1.0 without enabling SSLv2?

    • @SteffenUllrich: sadly I fear this is not a misconfiguration, but a browser """feature""" complying with RFC specifications (see my answer below)...
    • I wonder how you got this information from this (for me) mostly incomprehensible question, which even talks about tlsv3 (which does not exist).
    • I think "tlsv3" is most probably a typo, since later he correctly talks about "tlsv1". Anyway, the title seems clearer than the question itself, which is mainly: A) with SSLv2, SSLv3 and TLSv1 enabled, the browser uses TLSv1; B) if SSLv2 is disabled, the browser stops using TLSv1 but uses SSLv3 instead; C) if both SSLv2 and SSLv3 are disabled, the browser claims it cannot connect to the server (while TLSv1 is still enabled). And this "magic" is the correct behavior requested by the RFC for clients supporting SSLv2.

This behavior is caused by the original specification from TLS v1 RFC (RFC 2246, section "E. Backward Compatibility With SSL").

Basically, this RFC states that most servers will not use a different listening port for different versions of SSL/TLS. Therefore, to ensure backward compatibility, software is recommended to first initiate the connection using an "old" SSL hello message, then upgrade the connection to TLS when it is supported on both sides, and never try to establish a connection directly using TLS ("TLS 1.0 clients that support SSL Version 2.0 servers must send SSL Version 2.0 client hello messages").

Previous versions of Java (JRE5) used to have this behavior; it was improved in newer versions, which now handle the TLS handshake directly. Maybe you should check your browser version and patch level, and check whether this behavior persists after disabling SSLv2 on the browser side too.

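To make the answer's point concrete, the following added example (not part of the original post, and not Apache or OpenSSL code) parses the two ClientHello formats an SSL/TLS server may receive on the same port: the SSLv2-format CLIENT-HELLO that RFC 2246 Appendix E tells SSLv2-capable clients to send first, and the native TLS record-layer ClientHello. In both formats the client's version field is the highest version it supports, so a server that still understands the SSLv2 record format can upgrade straight to TLS 1.0, while a server that refuses SSLv2-format records outright never gets to see that TLS 1.0 was offered. The `select_version` function is a deliberately simplified model of that server-side decision, not OpenSSL's real state machine; the sample messages are constructed inline.

```python
import struct

# Version numbers on the wire; SSLv2 is (2, 0), SSLv3 is (3, 0), TLS 1.0 is (3, 1).
VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
                 (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def build_sslv2_client_hello(version, cipher_specs, challenge=b"\x00" * 16):
    """Constructed SSLv2-format CLIENT-HELLO (2-byte header, MSB set = no padding).
    The version field is the highest protocol version the client supports;
    cipher specs are 3 bytes each (TLS suites are 00 xx yy in this format)."""
    specs = b"".join(c.to_bytes(3, "big") for c in cipher_specs)
    body = (bytes([1, version[0], version[1]])            # msg type 1 = CLIENT-HELLO
            + struct.pack("!HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


def build_tls_client_hello(version, cipher_suites, client_random=b"\x00" * 32):
    """Constructed native TLS record (type 0x16 = handshake) carrying a ClientHello."""
    suites = b"".join(c.to_bytes(2, "big") for c in cipher_suites)
    hello = (bytes(version) + client_random + b"\x00"        # empty session id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00")                                   # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Classify the client's first record and extract its offered version and ciphers.
    Returns {'format': 'sslv2' | 'tls_record', 'version': (major, minor), 'ciphers': [...]}.
    Raises ValueError on anything that is not a well-formed hello."""
    if len(data) < 5:
        raise ValueError("too short to be a hello")
    if data[0] & 0x80:                                       # SSLv2 record header
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) != length or len(body) < 9 or body[0] != 1:
            raise ValueError("not a complete SSLv2 CLIENT-HELLO")
        version = (body[1], body[2])
        cipher_len, _sid_len, _chal_len = struct.unpack("!HHH", body[3:9])
        specs = body[9:9 + cipher_len]
        if len(specs) != cipher_len:
            raise ValueError("truncated cipher specs")
        ciphers = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cipher_len, 3)]
        return {"format": "sslv2", "version": version, "ciphers": ciphers}
    if data[0] == 0x16:                                      # TLS handshake record
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) != rec_len or len(body) < 4 or body[0] != 1:
            raise ValueError("not a complete TLS ClientHello")
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < 35:
            raise ValueError("ClientHello body too short")
        version = (hello[0], hello[1])
        pos = 2 + 32                                         # skip client_random
        pos += 1 + hello[pos]                                # skip session id
        cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        suites = hello[pos:pos + cs_len]
        if len(suites) != cs_len:
            raise ValueError("truncated cipher suites")
        ciphers = [int.from_bytes(suites[i:i + 2], "big") for i in range(0, cs_len, 2)]
        return {"format": "tls_record", "version": version, "ciphers": ciphers}
    raise ValueError("unrecognized record type 0x%02x" % data[0])


def select_version(hello, enabled, accept_v2_format=True):
    """Simplified model of the server's choice (an assumption, not OpenSSL's logic):
    pick the highest enabled version not above the client's offered maximum.
    A server that rejects the SSLv2 record format entirely cannot even read
    the offer, so the handshake fails although both sides speak TLS 1.0."""
    if hello["format"] == "sslv2" and not accept_v2_format:
        return None
    candidates = [v for v, name in VERSION_NAMES.items()
                  if name in enabled and v <= hello["version"]]
    return VERSION_NAMES[max(candidates)] if candidates else None


if __name__ == "__main__":
    # Constructed sample: an SSLv2-capable client offering TLS 1.0, per RFC 2246 App. E.
    compat = build_sslv2_client_hello((3, 1), [0x00002F, 0x010080])
    offer = parse_client_hello(compat)
    print(offer["format"], VERSION_NAMES[offer["version"]], [hex(c) for c in offer["ciphers"]])
    print("server with SSLv3+TLSv1.0, v2 format accepted:",
          select_version(offer, {"SSLv3", "TLSv1.0"}))
    print("server with TLSv1.0 only, v2 format refused:",
          select_version(offer, {"TLSv1.0"}, accept_v2_format=False))
    native = parse_client_hello(build_tls_client_hello((3, 1), [0x002F, 0x000A]))
    print(native["format"], VERSION_NAMES[native["version"]])
```

In this model the set `enabled` is what Apache's `SSLProtocol` directive controls (for example `SSLProtocol all -SSLv2 -SSLv3`), while `accept_v2_format` stands for whether the server library still parses the SSLv2-compatible hello at all; a client that only ever opens with the compatibility format depends on the latter regardless of which protocol versions are enabled.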

This article is reproduced from Stack Exchange / Stack Overflow.