This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Meaning
Explorer
‎2022-06-28 08:12 AM

Apache server down after disabling weak ciphers

Hi all:

This morning we followed the steps in sk147272 , after that we realized Apache server in api went down in SMS (R80.40 T158) In /var/log/httpd2_error_log file we saw entries like this:

[Tue Jun 28 15:21:20.792788 2022] [mime_magic:error] [pid 25154] (2)No such file or directory: AH01515: mod_mime_magic: can't read magic file /web/conf/magic
[Tue Jun 28 15:21:20.792954 2022] [ssl:emerg] [pid 25154] AH02231: No SSL protocols available [hint: SSLProtocol]
[Tue Jun 28 15:21:20.792963 2022] [ssl:emerg] [pid 25154] AH02311: Fatal error initialising mod_ssl, exiting. See /usr/local/apache2/logs/error_log for more information
AH00016: Configuration Failed

The ciper suites and protocols in /web/templates/httpd-ssl.conf.templ  before the change were these:

SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5

SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2

We fixed the issue by replacing the httpd-ssl.conf.templ by the original one. We want to delete weak ciphers and protocols but the apache server must be running afther that.

Any advices?

Thanks a lot

Fran

0 Kudos
4 Replies
the_rock
MVP Platinum
MVP Platinum
‎2022-06-28 08:48 AM

I recall having this exact problem in R80.40 in lab sms and when I upgraded to R81.10, it went away.

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2022-06-28 10:16 AM

If an sk tells you to do something and it doesn't work, best to open a TAC case.

0 Kudos
Meaning
Explorer
‎2022-06-29 06:12 AM

It seems I found the solution. The changes you have to do in /web/templates/httpd-ssl.conf.templ file (acoording the sk I mentioned), should be done in /web/conf/extra/httpd-ssl.conf as well. After restart HTTPD daemon the Apache process restart and keeps stable.

Regards

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-06-29 06:39 AM
In response to Meaning

Wrong - see the SK:

7. Save the changes in the file and exit Vi editor.

8. Remove the 'write' permission from the /web/templates/httpd-ssl.conf.templ file:

[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ

[Expert@HostName:0]# chmod u-w /web/templates/httpd-ssl.conf.templ

[Expert@HostName:0]# ls -l /web/templates/httpd-ssl.conf.templ

9. Update the current configuration of the HTTPD daemon based on the modified configuration template:

[Expert@HostName:0]# /bin/template_xlate : /web/templates/httpd-ssl.conf.templ /web/conf/extra/httpd-ssl.conf < /config/active

10. Restart the HTTPD daemon:

[Expert@HostName:0]# tellpm process:httpd2

[Expert@HostName:0]# tellpm process:httpd2 t

--> So changing /web/conf/extra/httpd-ssl.conf by hand is not suggested !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events