Invalid command ‘SSLEngine’, perhaps misspelled or defined by a module not included in the server configuration – enable apache ssl module

If you are moving an existing Apache configuration file from one server to another, or if you are enabling SSL on an existing website, you may run into this error when you restart Apache:

server#/etc/init.d/apache2 restart
Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration

This means that Apache does not understand the SSLEngine directive, most likely because the SSL module has not been enabled on this server. SSL support has shipped with Apache2 by default for quite some time, but you still have to enable the module.

To enable it, run a2enmod to enable the ‘ssl’ Apache module, then reload or restart Apache:

#a2enmod ssl
#/etc/init.d/apache2 reload
or
#/etc/init.d/apache2 restart

The error should no longer appear, as the SSLEngine directive is now recognized by mod_ssl.
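The error above is a symptom that can be checked before restarting: a directive is only understood when the module defining it is loaded. The following added example (not part of the original post) scans a vhost file for mod_ssl directives and compares them with the a2enmod-style set of enabled modules. The sample config is constructed, and the /etc/apache2/mods-enabled path and the "*.load means enabled" convention are the Debian/Ubuntu layout this post's a2enmod command implies.

```python
"""Pre-flight check for Apache directives whose module is not enabled.

Added example, not part of the original post. On Debian/Ubuntu, a2enmod enables a module by
creating /etc/apache2/mods-enabled/<name>.load, so the set of enabled modules is the set of
*.load files in that directory (assumption: that layout is in use).
"""
import os
import re

# Directive prefixes and the module (a2enmod name) that defines them.
# Only mod_ssl is covered here, matching the error discussed in the post.
DIRECTIVE_MODULES = {
    "SSL": "ssl",
}

# Constructed sample vhost, typical of a file copied from another server.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName www.example.com
    # SSLEngine on is fine once mod_ssl is loaded
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.crt
    SSLCertificateKeyFile /etc/ssl/private/example.key
    DocumentRoot /var/www/html
</VirtualHost>
"""

_DIRECTIVE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9_]*)\b")


def directives_in(conf_text):
    """Return the directive names used in conf_text, skipping comments and <Section> tags."""
    names = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped.startswith("<"):
            continue
        m = _DIRECTIVE_RE.match(stripped)
        if m:
            names.append(m.group(1))
    return names


def module_for(directive):
    """Map a directive to the module that must be enabled for Apache to accept it, or None."""
    for prefix, module in DIRECTIVE_MODULES.items():
        if directive.startswith(prefix):
            return module
    return None


def missing_modules(conf_text, enabled_modules):
    """Return {module: [directives]} for directives whose module is not in enabled_modules."""
    missing = {}
    for directive in directives_in(conf_text):
        module = module_for(directive)
        if module is not None and module not in enabled_modules:
            missing.setdefault(module, []).append(directive)
    return missing


def enabled_modules_from_dir(mods_enabled_dir="/etc/apache2/mods-enabled"):
    """Read the a2enmod-style set of enabled modules (names of the *.load files)."""
    if not os.path.isdir(mods_enabled_dir):
        return set()
    return {f[:-5] for f in os.listdir(mods_enabled_dir) if f.endswith(".load")}


if __name__ == "__main__":
    # Offline run against the constructed config and a server without mod_ssl.
    report = missing_modules(SAMPLE_CONF, {"mpm_event", "dir"})
    for module, directives in report.items():
        print("%s used but mod_%s is not enabled; run: a2enmod %s"
              % (", ".join(directives), module, module))
```

On a real server, replace the constructed set with `enabled_modules_from_dir()` and read the vhost file from /etc/apache2/sites-enabled; an empty result means every SSL directive in the file has its module loaded.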

SSL Cipher Suites – Apache config for IE 11

In past posts I showed how I followed some suggestions from Qualys on configuring Apache to use only specific ciphers in order to pass all of the required security scans.

However, it turns out that blindly using their list of ciphers led to another problem (the page would not display in IE 11), and I describe the fix below.

The process I go through below can also help you troubleshoot, and find and enable or disable, the ciphers for any situation and browser.

On this page:
https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy

They suggest setting this SSLCipherSuite:

 EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4

However, I found IE 11 was showing “This web page can not be displayed” on Windows 7 and Windows Server 2008 (probably others as well).

I figured out that the problem was the cipher suite by commenting out the SSLCipherSuite line in the Apache config and restarting, after which the page loaded.

So the next step, with the SSLCipherSuite line still commented out, was to run the SSL Labs test:
https://www.ssllabs.com/ssltest/

The report shows details about the cipher suites negotiated by different browsers. I would use this tool to make sure you have the correct cipher suite for any and all browsers you need, and to exclude older, insecure ones.

If you look down the report to the “Handshake Simulation” portion, you will find a listing of browsers with the cipher each one used. IE 11 / Win 7 was working even before I noticed the ‘can not be displayed’ error, so I went on a hunch and decided to try enabling the cipher shown for the IE 8-10 / Win 7 entry, which was

 TLS_RSA_WITH_AES_256_CBC_SHA

I googled “openssl TLS_RSA_WITH_AES_256_CBC_SHA”, which brought me to the OpenSSL page listing all of the ciphers. There I found “AES256-SHA”, the OpenSSL name I needed to include in the Apache SSLCipherSuite directive:

https://www.openssl.org/docs/apps/ciphers.html

Next, to confirm that this cipher is even available on my server, I ran this command:

openssl ciphers AES256-SHA

which returned a result showing that the cipher was indeed available on the server.

So I added it towards the end, and the resulting SSLCipherSuite directive I have is:

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA AES256-SHA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

And now I can load the webpage in the IE 11 browser.

Note that when I ran the ssllabs.com test again, it downgraded the site to an A-, probably because this cipher does not offer forward secrecy (noted with a small orange ‘No FS’ on the report).

I decided that this is an okay grade in order to allow IE 11 to access the site, but hopefully Microsoft figures it out.
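The two questions worked through by hand above (does the directive string actually enable AES256-SHA, and which enabled ciphers cost the forward-secrecy mark) can be answered offline. The following added example, not part of the original post, expands an SSLCipherSuite string with Python's ssl module and reports the key exchange of each enabled cipher. It assumes the OpenSSL library Python is linked against is the same one mod_ssl uses on the server, so run it on the web server itself for an authoritative answer.

```python
"""Inspect an Apache SSLCipherSuite string with Python's ssl module.

Added example, not part of the original post. Assumption: Python's ssl module is linked
against the same OpenSSL build that Apache's mod_ssl uses, so the expansion matches.
"""
import re
import ssl

# The Qualys string quoted in the post, and the post's final directive with AES256-SHA
# (OpenSSL's name for TLS_RSA_WITH_AES_256_CBC_SHA) inserted before RC4.
QUALYS_SUITE = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 "
    "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
)
IE11_SUITE = QUALYS_SUITE.replace("EDH+aRSA RC4", "EDH+aRSA AES256-SHA RC4")

_KX_RE = re.compile(r"Kx=(\S+)")


def enabled_ciphers(suite):
    """Expand an OpenSSL cipher string the way mod_ssl would; returns OpenSSL's cipher dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Apache separates SSLCipherSuite entries with spaces; OpenSSL's canonical separator is ':'.
    ctx.set_ciphers(":".join(suite.split()))
    return ctx.get_ciphers()


def enabled_cipher_names(suite):
    """OpenSSL names (as printed by 'openssl ciphers') enabled by the string, in preference order."""
    return [c["name"] for c in enabled_ciphers(suite)]


def key_exchange(cipher):
    """Key-exchange algorithm parsed from the 'openssl ciphers -v' style description, e.g. 'Kx=RSA'."""
    m = _KX_RE.search(cipher["description"])
    return m.group(1) if m else "unknown"


def non_forward_secret(suite):
    """Enabled ciphers without forward secrecy: key exchange is not ephemeral (EC)DH.

    TLS 1.3 suites report Kx=any and are always ephemeral, so they count as forward secret.
    """
    return [c["name"] for c in enabled_ciphers(suite)
            if not key_exchange(c).startswith(("ECDH", "DH", "any"))]


if __name__ == "__main__":
    for label, suite in (("Qualys list", QUALYS_SUITE), ("with AES256-SHA", IE11_SUITE)):
        names = enabled_cipher_names(suite)
        print("%s: %d ciphers, AES256-SHA %s, no forward secrecy: %s" % (
            label, len(names),
            "present" if "AES256-SHA" in names else "absent",
            ", ".join(non_forward_secret(suite)) or "none"))
```

Two things the expansion makes visible: the trailing `!RC4` in the Qualys string permanently removes every RC4 cipher, so the earlier `EECDH+aRSA+RC4` and `RC4` entries never contributed anything, and AES256-SHA is the only enabled cipher using static RSA key exchange, which is exactly the one SSL Labs flags as ‘No FS’.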

SSL Vulnerability and Problem Test – Online and Command Line

There are many SSL vulnerabilities out there, and there seems to be no single test for all of them.

When working to correct SSL issues, some of the more comprehensive tests check EVERYTHING. While this is good, it can also make it difficult to test the smaller incremental changes that we make as system administrators.

This blog post collects, in one place, links and methods we can use to quickly test for individual failures.

The big test, which takes only a minute or so but is somewhat bloated for individual tests, is ssllabs.com. You will find most failures here and even get a grade:

http://ssllabs.com

But you won't find them all, and it is difficult to quickly test small changes. So here are some instant tests.

If you have an SSL chain issue:

openssl s_client -connect example.com:443

To test for CVE-2014-0224, otherwise known as the CCS Injection vulnerability, enter your domain here:

http://ccsbug.exposed/

To test for CVE-2014-0160, otherwise known as Heartbleed, enter your domain here:

http://possible.lv/tools/hb/

Verify ssl certificate chain using openssl

SSL certificates ‘usually’ work and show ‘green’ in browsers even if the full certificate chain is not correctly configured in Apache.

You can use tools such as SSL Labs (link) or run a PCI ASV scan on your site to find out if you are compliant, but a quicker way is to use openssl from the command line.

Using this command you can quickly verify your SSL certificate and certificate chain from your Linux command line with openssl:

openssl s_client -showcerts -connect mydomain.com:443

If you receive the line ‘Verify return code: 0’ at the end of the long output, your chain is working; if the chain is not configured correctly you might receive error 27 instead.
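Reading the end of that long output by eye is error-prone, so here is an added example (not part of the original post) that parses what s_client prints: it counts the certificates the server actually sent and extracts the ‘Verify return code’ line. The two sample outputs are constructed, with placeholder PEM bodies rather than real certificates, and the failing sample uses the code 27 mentioned above.

```python
"""Summarise 'openssl s_client -showcerts -connect host:443' output.

Added example, not part of the original post. The samples below are constructed; the PEM
bodies are placeholders, not real certificates.
"""
import re
import sys

# Constructed: server sends its leaf plus one intermediate and verifies cleanly.
SAMPLE_OK = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mydomain.com
   i:/C=XX/O=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIC...placeholder-leaf...
-----END CERTIFICATE-----
 1 s:/C=XX/O=Example Intermediate CA
   i:/C=XX/O=Example Root CA
-----BEGIN CERTIFICATE-----
MIID...placeholder-intermediate...
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=mydomain.com
issuer=/C=XX/O=Example Intermediate CA
---
    Verify return code: 0 (ok)
---
"""

# Constructed: the intermediate is not configured, so only the leaf is sent.
SAMPLE_MISSING_INTERMEDIATE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=mydomain.com
   i:/C=XX/O=Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIC...placeholder-leaf...
-----END CERTIFICATE-----
---
    Verify return code: 27 (certificate not trusted)
---
"""

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
_VERIFY_RE = re.compile(r"^\s*Verify return code:\s*(\d+)\s*\((.*?)\)", re.M)
_SUBJECT_RE = re.compile(r"^\s*\d+ s:(.*)$", re.M)


def parse_s_client(output):
    """Return certs sent, their subjects, and the verify return code/text from s_client output."""
    certs = _PEM_RE.findall(output)
    m = _VERIFY_RE.search(output)
    code = int(m.group(1)) if m else None
    return {
        "certs_sent": len(certs),
        "subjects": [s.strip() for s in _SUBJECT_RE.findall(output)],
        "verify_code": code,
        "verify_text": m.group(2) if m else "",
        "chain_ok": code == 0,
    }


def diagnose(output):
    """One-line verdict: OK, or why the chain check failed and where to look in Apache."""
    r = parse_s_client(output)
    if r["chain_ok"]:
        return "OK: %d certificate(s) sent, verify return code 0" % r["certs_sent"]
    if r["verify_code"] is None:
        return "FAIL: no 'Verify return code' line found; did the connection succeed?"
    if r["certs_sent"] <= 1:
        return ("FAIL (code %d: %s): server sent only its own certificate; "
                "configure the intermediate chain in Apache" % (r["verify_code"], r["verify_text"]))
    return ("FAIL (code %d: %s): %d certificates sent but the chain does not verify; "
            "check the CA bundle" % (r["verify_code"], r["verify_text"], r["certs_sent"]))


if __name__ == "__main__":
    # Pipe real output in:  openssl s_client -showcerts -connect mydomain.com:443 </dev/null | python3 this.py
    print(diagnose(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MISSING_INTERMEDIATE))
```

A server that sends only one certificate is the common cause of a browser that shows green (it fetched or cached the intermediate itself) while openssl and PCI scanners fail the chain, which is the situation the post describes.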

To configure it correctly you will likely need a line like this in your Apache conf file:

 SSLCACertificateFile <yourCAfilename>

in addition to the lines that point to your key and certificate files:

SSLCertificateFile <yourcertfilename>
SSLCertificateKeyFile <yourkeyfilename>