Hello,
I have set up an Apache server which, of course, should also serve encrypted pages:
sudo openssl ecparam -out /etc/ssl/private/apache_secp256k1.key -name secp256k1 -genkey
sudo openssl req -new -x509 -key /etc/ssl/private/apache_secp256k1.key -days 3650 -sha256 -out /etc/ssl/certs/apache.crt
# or, equally unsuccessfully, with this:
sudo openssl genrsa -out /etc/ssl/private/apache_rsa2048.key 2048
sudo openssl req -new -x509 -key /etc/ssl/private/apache_rsa2048.key -days 3650 -sha256 -out /etc/ssl/certs/apache.crt
My listen.conf:
Listen 80
<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>
Listen 443
<VirtualHost *:443>
ServerName xxxx
SSLEngine on
SSLProtocol TLSv1
SSLCipherSuite "ECDHE-ECDSA-AES256-SHA"
SSLCertificateFile /etc/ssl/certs/apache.crt
SSLCertificateKeyFile /etc/ssl/private/apache_secp256k1.key
</VirtualHost>
</IfModule>
</IfDefine>
</IfDefine>
apachectl -v
Server version: Apache/2.4.16 (Linux/SUSE)
Server built: 2015-11-05 13:32:23.000000000 +0000
openssl s_client -connect localhost:443 -tls1 -showcerts
CONNECTED(00000003)
depth=0 C = DE, ST = Germany, L = xxxxxxx, O = Internet Widgits Pty Ltd, CN = xxxxxx, emailAddress = webmaster@xxxxx
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = Germany, L = Karlsruhe, O = Internet Widgits Pty Ltd, CN = xxxxx, emailAddress = webmaster@xxxxx
verify return:1
---
Certificate chain
0 s:/C=DE/ST=Germany/L=xxxx/O=Internet Widgits Pty Ltd/CN=xxxx/emailAddress=xxxx
i:/C=DE/ST=Germany/L=xxxx/O=Internet Widgits Pty Ltd/CN=xxxx/emailAddress=xxxx
---
Server certificate
subject=/C=DE/ST=Germany/L=xxxx/O=Internet Widgits Pty Ltd/CN=xxxx/emailAddress=xxxx
issuer=/C=DE/ST=Germany/L=Karlsruhe/O=Internet Widgits Pty Ltd/CN=xxxx/emailAddress=xxxx
---
No client certificate CA names sent
---
SSL handshake has read 1152 bytes and written 303 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-SHA
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-ECDSA-AES256-SHA
Session-ID: 7E56E17D6D1B41E79016FB074A4514D27A0EB1B74136571647475E6A2AF32F4C
Session-ID-ctx:
Master-Key: 38D0A1D97A300514C7486EC67E9AB30C51D85C133BA1F084EFE47B4EEC943C4FAD27B8407ADDEE3266F119916F3AC276
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1461793427
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
Google Chrome (version 50.0.2661.86 (64-bit)) stubbornly keeps reporting only: "ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
This site can’t provide a secure connection
xxxx uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite. This is likely to be caused when the server needs RC4, which is no longer considered secure.
Firefox 45.1 reports:
xxxx uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe.
Advanced info: SSL_ERROR_NO_CYPHER_OVERLAP
What on earth am I doing wrong?
Thanks for every tip and any help
Thomas
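As an added example (editor's code, not part of Thomas's post), here is a small Python check that reads the key file and the SSL directives from the vhost above and reports the settings that leave a browser with nothing to negotiate. It assumes the key was produced by the openssl commands in the post (ecparam -genkey prefixes the key with an EC PARAMETERS block carrying the named-curve OID; genrsa writes an RSA PRIVATE KEY block), and the set of accepted curves follows RFC 8446 and current browser behaviour; the sample PEM and config strings are constructed.

```python
import base64
import re

# Named-curve OIDs in dotted form -> OpenSSL curve name (only the curves used here).
CURVE_NAMES = {"1.3.132.0.10": "secp256k1", "1.2.840.10045.3.1.7": "prime256v1",
               "1.3.132.0.34": "secp384r1", "1.3.132.0.35": "secp521r1"}
# Curves browsers and RFC 8446 (TLS 1.3) negotiate for ECDSA server certificates.
TLS_CURVES = {"prime256v1", "secp384r1", "secp521r1"}

def decode_oid(der: bytes) -> str:
    """Decode one DER OBJECT IDENTIFIER (tag 0x06) into dotted notation."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a DER OBJECT IDENTIFIER")
    arcs, value = [der[2] // 40, der[2] % 40], 0
    for b in der[3:]:                       # base-128 arcs, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def key_info(pem: str):
    """Return (key type, curve name) for a PEM key as written by openssl."""
    m = re.search(r"-----BEGIN EC PARAMETERS-----\s*(\S+)\s*-----END", pem)
    if m:                                   # ecparam -genkey: named-curve OID block
        oid = decode_oid(base64.b64decode(m.group(1)))
        return "EC", CURVE_NAMES.get(oid, oid)
    if "BEGIN RSA PRIVATE KEY" in pem:      # genrsa output
        return "RSA", None
    raise ValueError("unrecognised key format")

def audit(conf: str, pem: str) -> list:
    """List vhost settings that leave a browser no protocol/cipher to agree on."""
    findings = []
    ktype, curve = key_info(pem)
    suites = re.search(r'SSLCipherSuite\s+"?([^"\n]+)', conf).group(1).split(":")
    protos = re.search(r"SSLProtocol\s+(.+)", conf).group(1).split()
    if ktype == "RSA" and all("ECDSA" in s for s in suites):
        findings.append("RSA key, but every configured suite needs an ECDSA certificate")
    if ktype == "EC" and curve not in TLS_CURVES:
        findings.append(f"key curve {curve} is not negotiated by TLS clients")
    if not any(p in ("all", "TLSv1.2", "TLSv1.3") for p in protos):
        findings.append("no TLS 1.2/1.3 offered; TLS 1.0 alone is deprecated (RFC 8996)")
    return findings

# Constructed samples: the directives from the post, with a secp256k1 key file.
POSTED_CONF = 'SSLProtocol TLSv1\nSSLCipherSuite "ECDHE-ECDSA-AES256-SHA"\n'
SECP256K1_KEY = ("-----BEGIN EC PARAMETERS-----\nBgUrgQQACg==\n"
                 "-----END EC PARAMETERS-----\n<EC PRIVATE KEY block omitted>\n")
```

Running audit(POSTED_CONF, SECP256K1_KEY) returns two findings, one for the curve and one for the protocol list; the same config with the RSA key trips the ECDSA-only suite check instead.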