How to Fix “Invalid Command SSLOpenSSLConfCmd” Error When Hardening Apache 2.2.16 Against Logjam Vulnerability


The SSLOpenSSLConfCmd directive was introduced in Apache 2.4.8 and isn't available in your Apache 2.2.16 version. This explains why you're getting the syntax error when trying to implement Logjam mitigation.

For Apache 2.2.x, we need to use the SSLCipherSuite directive combined with generating proper DH parameters:

# First generate new DH parameters (2048-bit recommended)
openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048

Edit your SSL virtual host configuration:

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/key.pem
    SSLCertificateChainFile /path/to/chain.pem
    
    # Disable weak ciphers and enable modern ones
    SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
    
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    
    # Apache 2.2.16 has no directive that loads dhparams.pem: SSLOpenSSLConfCmd
    # needs 2.4.8+, and 2.2.31+/2.4.7+ read DH parameters appended to the
    # SSLCertificateFile. StdEnvVars only exports SSL_* variables to CGI/SSI
    # scripts; it does not change the DH group.
    SSLOptions +StdEnvVars
</VirtualHost>

After making changes, always test your configuration:

apachectl configtest
service apache2 reload

Use this command to verify your DH parameter strength:

openssl s_client -connect yourdomain.com:443 -cipher "EDH" </dev/null 2>/dev/null | grep "Server Temp Key"

  • Consider upgrading to a newer Apache version (2.4+) for better security features
  • The above cipher suite provides a good balance between security and compatibility
  • Regularly regenerate your DH parameters (every 6-12 months)

Here's a full working example for Debian systems:

# Install required packages
apt-get install openssl

# Generate DH parameters
openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
chmod 600 /etc/ssl/certs/dhparams.pem

# Configure Apache (this overwrites Debian's mods-available/ssl.conf, so keep a copy;
# note that the mod_ssl in 2.2.16 has no directive that loads the dhparams.pem generated above)
cp /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-available/ssl.conf.orig
cat > /etc/apache2/mods-available/ssl.conf << 'EOF'
<IfModule mod_ssl.c>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex file:/var/run/apache2/ssl_mutex

# Modern SSL configuration (tightens the cipher list; on 2.2.16 the DH group itself stays the built-in one)
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
</IfModule>
EOF

# Restart Apache
service apache2 restart

When attempting to mitigate the Logjam vulnerability on an Apache 2.2.16 server (Debian), you might encounter this error:

Syntax error on line 18 of /etc/apache2/sites-enabled/000-default:
Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration
Action 'configtest' failed.

This occurs when adding the recommended DH parameters configuration:

SSLOpenSSLConfCmd DHParameters /etc/ssl/certs/dhparams.pem

The SSLOpenSSLConfCmd directive was introduced in Apache 2.4.8. Your server runs Apache 2.2.16, which doesn't support this command. The weakdh.org instructions assume a modern Apache version.

For older Apache versions, you need to:

  1. Generate DH parameters (if not already done):

     openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048

  2. Configure SSL to use these parameters by modifying your SSL configuration:

     SSLEngine on
     SSLCertificateFile /path/to/your/cert.pem
     SSLCertificateKeyFile /path/to/your/privkey.pem
     SSLCertificateChainFile /path/to/your/chain.pem

     # For Apache 2.2 (2.2.16 cannot load dhparams.pem; only the cipher list changes here):
     SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
     SSLProtocol all -SSLv2 -SSLv3
     SSLHonorCipherOrder on

After making these changes:

apache2ctl configtest
service apache2 restart

Test your configuration using:

openssl s_client -connect yourdomain.com:443 -cipher "EDH" </dev/null 2>/dev/null | grep "Server Temp Key"

You should see output indicating a 2048-bit DH parameter is being used.

  • Consider upgrading to a supported Apache version (2.4.8+)
  • Ensure your DH parameters file has proper permissions (root:root 644)
  • This solution maintains compatibility while addressing Logjam
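Added example (shell script, not code from either answer above): it automates the "Server Temp Key" check both answers run by hand, and adds a version gate that says whether a given httpd can load custom DH parameters at all. It assumes the cutoffs stated in the comments (SSLOpenSSLConfCmd in 2.4.8+, DH parameters read from the end of SSLCertificateFile in 2.4.7+ and 2.2.31+) and that only OpenSSL 1.0.2 or newer clients print the "Server Temp Key" line; the sample s_client output is constructed.

```shell
#!/bin/sh
# Added example, not code from the answers above. Version cutoffs are assumptions
# taken from httpd release notes: SSLOpenSSLConfCmd needs 2.4.8+; 2.4.7+ and
# 2.2.31+ read DH parameters appended to the SSLCertificateFile; older builds
# such as 2.2.16 use a fixed built-in group that no directive can change.

# Pack "a.b.c" into one integer so versions compare with -ge/-lt.
ver_num() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# Print how custom DH parameters can be loaded on the given httpd version.
dh_mechanism() {
    v=$(ver_num "$1")
    if [ "$v" -ge "$(ver_num 2.4.8)" ]; then
        echo SSLOpenSSLConfCmd   # SSLOpenSSLConfCmd DHParameters /etc/ssl/certs/dhparams.pem
    elif [ "$v" -ge "$(ver_num 2.4.7)" ] ||
         { [ "$v" -ge "$(ver_num 2.2.31)" ] && [ "$v" -lt "$(ver_num 2.3.0)" ]; }; then
        echo SSLCertificateFile  # cat dhparams.pem >> cert.pem (params after the PEM cert)
    else
        echo none                # upgrade httpd; the cipher list alone does not fix Logjam
    fi
}

# Read `openssl s_client` output on stdin and check the DHE group size.
# Exit 0: DH temp key of at least $1 bits; 1: smaller; 2: no DH line at all
# (OpenSSL client older than 1.0.2, or the handshake did not pick a DHE suite).
dh_bits_ok() {
    min=${1:-2048}
    bits=$(sed -n 's/^ *Server Temp Key: DH, \([0-9]*\) bits.*/\1/p' | head -n 1)
    [ -n "$bits" ] || return 2
    [ "$bits" -ge "$min" ]
}

# Live check: /dev/null on stdin so s_client exits instead of waiting for input.
check_server() {
    openssl s_client -connect "$1:443" -cipher EDH </dev/null 2>/dev/null | dh_bits_ok 2048
}

# Constructed sample s_client output (not captured from a real server).
SAMPLE_OK='SSL handshake has read 2803 bytes and written 415 bytes
Server Temp Key: DH, 2048 bits'
SAMPLE_WEAK='Server Temp Key: DH, 1024 bits'
SAMPLE_NONE='SSL handshake has read 1500 bytes and written 300 bytes'
```

Run `check_server yourdomain.com` against a live host; an exit status of 2 means the client never printed a DH temp key, so check the client's OpenSSL version before concluding anything about the server.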