This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Meaning
Explorer
‎2022-06-28 08:12 AM

Apache server down after disabling weak ciphers

Hi all:

This morning we followed the steps in sk147272 , after that we realized Apache server in api went down in SMS (R80.40 T158) In /var/log/httpd2_error_log file we saw entries like this:

[Tue Jun 28 15:21:20.792788 2022] [mime_magic:error] [pid 25154] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
[Tue Jun 28 15:21:20.792954 2022] [ssl:emerg] [pid 25154] AH02231: No SSL protocols available [hint: SSLProtocol]
[Tue Jun 28 15:21:20.792963 2022] [ssl:emerg] [pid 25154] AH02311: Fatal error initialising mod_ssl, exiting. See /usr/local/apache2/logs/error_log for more information
AH00016: Configuration Failed

The ciper suites and protocols in /web/templates/httpd-ssl.conf.templ  before the change were these:

SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5

SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

We fixed the issue by replacing the httpd-ssl.conf.templ by the original one. We want to delete weak ciphers and protocols but the apache server must be running afther that.

Any advices?

Thanks a lot

Fran

0 Kudos
4 Replies
the_rock
Champion
Champion
‎2022-06-28 08:48 AM

I recall having this exact problem in R80.40 in lab sms and when I upgraded to R81.10, it went away.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-06-28 10:16 AM

If an sk tells you to do something and it doesn't work, best to open a TAC case.

0 Kudos
Meaning
Explorer
‎2022-06-29 06:12 AM

It seems I found the solution. The changes you have to do in /web/templates/httpd-ssl.conf.templ file (acoording the sk I mentioned), should be done in /web/conf/extra/httpd-ssl.conf as well. After restart HTTPD daemon the Apache process restart and keeps stable.

Regards

0 Kudos
G_W_Albrecht
Legend
Legend
‎2022-06-29 06:39 AM
In response to Meaning

Wrong - see the SK:

7. Save the changes in the file and exit Vi editor.

8. Remove the 'write' permission from the /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ

[Expert@HostName:0]# chmod u-w /web/templates/httpd-ssl.conf.templ

[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ

9. Update the current configuration of the HTTPD daemon based on the modified configuration template:

[Expert@HostName:0]# /bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active

10. Restart the HTTPD daemon:

[Expert@HostName:0]# tellpm process:httpd2

[Expert@HostName:0]# tellpm process:httpd2 t

--> So changing /web/conf/extra/httpd-ssl.conf by hand is not suggested !

CCSE CCTE SMB Specialist
0 Kudos