Connections Fail After Upgrading to Apache 2.4

Applications on unsupported versions of Windows may be unable to establish a secure connection to an Apache HTTP server after the server was upgraded to version 2.4. The same application was able to establish a secure connection with previous versions of the Apache server.

This error only occurs on older versions of Windows, such as Windows XP and Windows Vista, and only after the server has been upgraded to the current version of Apache. Typically the Apache upgrade comes with a platform upgrade, for example migrating from Red Hat Enterprise Linux 6 to version 7 or 8, which also brings a newer OpenSSL library and stricter default TLS settings.

The issue is a combination of three factors: Windows XP and Vista do not support TLS 1.1 or 1.2, the protocol versions the server has enabled, and the cipher suites the current version of the Apache server enables by default. On the client side, TLS 1.2 support in Schannel is only available on Windows 7 and Windows Server 2008 R2 or later.

More Information

The Schannel security package on Windows XP and Vista supports nothing newer than TLS 1.0, and only a limited set of cipher suites, many of which are now considered insecure; on Windows XP the list is essentially RC4 and 3DES with RSA key exchange. Current Apache builds, and the OpenSSL library behind them, default to a protocol and cipher policy that requires modern algorithms these versions of Windows do not implement. The client and server therefore have no protocol version and cipher suite in common, and the handshake fails.

The preferred solution is to encourage your users to upgrade to the current version of Windows, which has significantly improved security. However, if this is not an option, you can modify the server to allow connections using older versions of TLS and cipher suites which are compatible with Windows XP.

You will need permission to edit the configuration files on the server, and these changes should only be made as a temporary measure until your users have upgraded to a supported version of Windows: re-enabling TLS 1.0 and 3DES widens the set of protocol versions and cipher suites the server will accept from any client, not just the old ones. Make sure you create backups before changing the server configuration.

To change the TLS versions and cipher suites accepted by the Apache server, edit the mod_ssl configuration file. On a Linux system the exact location varies by distribution: on Red Hat based systems it is typically /etc/httpd/conf.d/ssl.conf, and on Debian based systems /etc/apache2/mods-available/ssl.conf, with per-site overrides in /etc/apache2/sites-available/ (for example default-ssl.conf).

The two directives you are interested in are SSLProtocol and SSLCipherSuite. You may notice they are commented out (there is a hash symbol at the beginning of the line), which means the server uses the defaults compiled into mod_ssl and the OpenSSL library it was built against.

Change these settings to use the following values:

This tells the server to accept every TLS version the underlying Apache and OpenSSL builds support (TLS 1.0 up to the newest version available) and to disable SSL 3.0. Support for SSL 2.0 was removed entirely in Apache 2.4, so it no longer needs to be excluded.

HIGH and 3DES in the cipher suite list are OpenSSL aliases that each expand to a group of specific suites. Since OpenSSL 1.1.0 the 3DES suites are no longer part of HIGH, which is why 3DES has to be listed explicitly: the 3DES suite with RSA key exchange (TLS_RSA_WITH_3DES_EDE_CBC_SHA, DES-CBC3-SHA in OpenSSL naming) is the one that lets Windows XP complete the handshake. Entries prefixed with an exclamation mark exclude suites permanently; a later element of the list cannot bring them back. Keep in mind that 3DES is the cipher affected by the SWEET32 birthday attack (CVE-2016-2183), which is one more reason to treat this as a short-term measure.
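The two directives together, as an added example that is not the page's own configuration: it assumes Apache 2.4 linked against OpenSSL 1.1.0 or later, the Red Hat file location given above, and an exclusion list chosen here for illustration rather than the exact list the page originally showed.

```apache
# Added example (not the page's original values). Assumed location:
# /etc/httpd/conf.d/ssl.conf on Red Hat based systems.
# Apache 2.4 + OpenSSL 1.1.0 or later assumed.

# Before: the directives are commented out, so the compiled-in defaults of
# mod_ssl and OpenSSL apply and Windows XP/Vista clients are rejected.
#SSLProtocol
#SSLCipherSuite

# After: temporary compatibility with Windows XP/Vista clients.
# "all" is every TLS version this build supports, "-SSLv3" removes SSL 3.0.
# SSL 2.0 does not exist in Apache 2.4, so nothing needs to be done about it.
SSLProtocol all -SSLv3

# HIGH expands to the strong suites (AES, ECDHE...). 3DES is listed separately
# because OpenSSL 1.1.0+ no longer counts it as HIGH; it adds DES-CBC3-SHA,
# the only suite Windows XP shares with a modern server. The "!" entries are
# excluded permanently; the exact exclusion list here is illustrative.
SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

# Use the server's preference order (HIGH first, 3DES last) so modern clients
# still negotiate an AES/ECDHE suite and only clients that offer nothing from
# HIGH fall through to 3DES.
SSLHonorCipherOrder on
```

Check the syntax with `apachectl configtest` (or `httpd -t`) and reload. To confirm an XP-class client would now be accepted, from a Linux host run `openssl s_client -connect server.example:443 -tls1 -cipher DES-CBC3-SHA` (replace server.example with your host; with an OpenSSL 3.x client use `-cipher 'DES-CBC3-SHA@SECLEVEL=0'`) and confirm the handshake completes with that suite; a plain `openssl s_client -connect server.example:443` should still negotiate TLS 1.2 or 1.3 with an AES suite, which shows modern clients are unaffected. Two platform caveats the Apache directives alone do not cover: on Red Hat Enterprise Linux 8 and later, httpd ships with `SSLCipherSuite PROFILE=SYSTEM` and the system crypto policy disables TLS 1.0 and 3DES regardless of what is set here, so you would additionally need `update-crypto-policies --set LEGACY`, which weakens every TLS service on the host; and with OpenSSL 3.x, TLS 1.0 is refused unless the cipher string ends in `@SECLEVEL=0`, because the library's default security level no longer permits it.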

A comprehensive list of all the TLS related directives is in the mod_ssl section of the Apache documentation.

See Also

Windows and Supported TLS Versions
Support for TLS 1.2 on Windows XP
Unable to Establish Security Context