
Apache 2.4 vs 2.2 and Forward Secrecy oddness

Question asked by Robert Charles on Mar 6, 2015
Latest reply on Mar 6, 2015 by Adm Selec

I am in the process of attempting to move all of my production servers from Apache 2.2.15 to 2.4.6.  Everything has gone smoothly except when it comes to Forward Secrecy.  Using the exact same SSL settings does not yield the same results between the two versions.

    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

Using the above CipherSuite on Apache 2.2.15 returns this:

[screenshot: Apache2_2_handshake.png]

Using that same CipherSuite on 2.4.6 returns this:

[screenshot: apache2_4_handshake.png]

The one remaining difference that I could find was Apache 2.2.15 uses this for IE:

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

Apache 2.4.6 has this:

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

I attempted to make them match in various ways, but it seemed to have no impact on what the test here returns.


Any insight would be greatly appreciated.  I have tried various different cipher suites I found here and elsewhere, but I have never gotten Forward Secrecy to work for the majority of IE browsers under Apache 2.4.6.


Thank you.
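A first check worth running on either server before comparing scanner results: mod_ssl hands the SSLCipherSuite value to OpenSSL unchanged, so expanding the string with the local OpenSSL shows exactly which suites, in which order, the server can offer and which of them use an ephemeral (EC)DH key exchange. The script below is an added example, not code from the original post or from the Apache project; it takes the cipher string as posted, expands it through Python's `ssl` module (which calls the same OpenSSL cipher-list parser mod_ssl uses) and flags any suite without forward secrecy. The expansion reflects the OpenSSL build on the machine where it runs, which may differ from the server's.

```python
"""Expand an Apache SSLCipherSuite string with the local OpenSSL and report
which of the resulting cipher suites provide forward secrecy.

Added example, not code from the original post.  The cipher-string syntax
(colon, comma or space separated, "!" exclusions, EECDH/EDH aliases) is the
same one mod_ssl passes through to SSL_CTX_set_cipher_list().
"""
import re
import ssl

# The SSLCipherSuite value from the question, verbatim.
POSTED_SUITE = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 "
    "EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 "
    "EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
)

# Key-exchange labels OpenSSL prints (Kx=...) for ephemeral agreements.
# ECDHEPSK/DHEPSK are ephemeral too, although the posted string excludes PSK.
_EPHEMERAL_KX = {"ECDH", "DH", "ECDHEPSK", "DHEPSK"}


def expand_cipher_suite(suite):
    """Return [(name, protocol, kx, forward_secret), ...] in preference order.

    TLS 1.3 suites are always listed by OpenSSL >= 1.1.1 regardless of the
    cipher string (they are configured separately) and always use (EC)DHE,
    so they are reported as forward secret.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(suite)  # raises ssl.SSLError if the string selects nothing
    rows = []
    for c in ctx.get_ciphers():
        # 'description' is the same text `openssl ciphers -v` prints,
        # e.g. "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA ..."
        m = re.search(r"\bKx=(\S+)", c["description"])
        kx = m.group(1) if m else "?"
        fs = c["protocol"] == "TLSv1.3" or kx in _EPHEMERAL_KX
        rows.append((c["name"], c["protocol"], kx, fs))
    return rows


def non_forward_secret(suite):
    """Names of suites selected by `suite` that lack forward secrecy."""
    return [name for name, _, _, fs in expand_cipher_suite(suite) if not fs]


if __name__ == "__main__":
    for name, proto, kx, fs in expand_cipher_suite(POSTED_SUITE):
        print(f"{'FS ' if fs else 'NO '} {proto:8} Kx={kx:9} {name}")
    bad = non_forward_secret(POSTED_SUITE)
    print("non-forward-secret suites:", bad or "none")
```

If the list printed here contains only ECDHE/DHE suites but a scanner still reports a non-forward-secret handshake for some clients, the cause is on the client side (the browser offers none of these suites) or in the negotiation (for example SSLHonorCipherOrder not taking effect in the virtual host that actually serves the request), not in the cipher string itself.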
