Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Meaning
Explorer

Apache server down after disabling weak ciphers

Hi all:

This morning we followed the steps in sk147272 , after that we realized Apache server in api went down in SMS (R80.40 T158) In /var/log/httpd2_error_log file we saw entries like this:

[Tue Jun 28 15:21:20.792788 2022] [mime_magic:error] [pid 25154] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
[Tue Jun 28 15:21:20.792954 2022] [ssl:emerg] [pid 25154] AH02231: No SSL protocols available [hint: SSLProtocol]
[Tue Jun 28 15:21:20.792963 2022] [ssl:emerg] [pid 25154] AH02311: Fatal error initialising mod_ssl, exiting. See /usr/local/apache2/logs/error_log for more information
AH00016: Configuration Failed

The ciper suites and protocols in /web/templates/httpd-ssl.conf.templ  before the change were these:

SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5

SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

We fixed the issue by replacing the httpd-ssl.conf.templ by the original one. We want to delete weak ciphers and protocols but the apache server must be running afther that.

Any advices?

Thanks a lot

Fran

0 Kudos
4 Replies
the_rock
Champion
Champion

I recall having this exact problem in R80.40 in lab sms and when I upgraded to R81.10, it went away.

0 Kudos
PhoneBoy
Admin
Admin

If an sk tells you to do something and it doesn't work, best to open a TAC case.

0 Kudos
Meaning
Explorer

It seems I found the solution. The changes you have to do in /web/templates/httpd-ssl.conf.templ file (acoording the sk I mentioned), should be done in /web/conf/extra/httpd-ssl.conf as well. After restart HTTPD daemon the Apache process restart and keeps stable.

Regards

0 Kudos
G_W_Albrecht
Legend
Legend

Wrong - see the SK:

7. Save the changes in the file and exit Vi editor.

8. Remove the 'write' permission from the /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ

[Expert@HostName:0]# chmod u-w /web/templates/httpd-ssl.conf.templ

[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ

9. Update the current configuration of the HTTPD daemon based on the modified configuration template:

[Expert@HostName:0]# /bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active

10. Restart the HTTPD daemon:

[Expert@HostName:0]# tellpm process:httpd2

[Expert@HostName:0]# tellpm process:httpd2 t

--> So changing /web/conf/extra/httpd-ssl.conf by hand is not suggested !

CCSE CCTE SMB Specialist
0 Kudos