Mailing List Archive

VirtualHosts, SSLProtocol, and SSLCipherSuite
Is there a way in the current Apache (2.4.x or 2.2.x) to specify an SSLProtocol and SSLCipherSuite that affects only a singular VirtualHost?

e.g.
www.example.com requires modern encryption (i.e. TLSv1.2)
old.example.com allows only deprecated Protocols/ciphers (e.g. SSLv3)

I tried using something like

<VirtualHost www.example.com:443>
SSLProtocol    TLSv1.2
...
</VirtualHost>
<VirtualHost old.example.com:443>
SSLProtocol    SSLv3
...
</VirtualHost>

however it seems that the SSLProtocol directive is not honored inside a VirtualHost section.

Is there a way to configure this properly so that individual VirtualHosts honor only the specified protocols?  Can the same method be used for SSLCipherSuite?

Thanks,
Karl

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: VirtualHosts, SSLProtocol, and SSLCipherSuite [ In reply to ]
Hi,

Have you tested with the "+"?

from docs :
Syntax:SSLProtocol [+|-]protocol ...

ex :
<VirtualHost www.example.com:443>
SSLProtocol +TLSv1.2
...
</VirtualHost>
<VirtualHost old.example.com:443>
SSLProtocol +SSLv3
...
</VirtualHost>



On Tue, Jun 16, 2015 at 12:37 AM, karl karloff <karlkarloff@hotmail.com> wrote:
> Is there a way in the current Apache (2.4.x or 2.2.x) to specify an SSLProtocol and SSLCipherSuite that affects only a singular VirtualHost?
>
> e.g.
> www.example.com requires modern encryption (i.e. TLSv1.2)
> old.example.com allows only deprecated Protocols/ciphers (e.g. SSLv3)
>
> I tried using something like
>
> <VirtualHost www.example.com:443>
> SSLProtocol TLSv1.2
> ...
> </VirtualHost>
> <VirtualHost old.example.com:443>
> SSLProtocol SSLv3
> ...
> </VirtualHost>
>
> however it seems that the SSLProtocol directive is not honored inside a VirtualHost section.
>
> Is there a way to configure this properly so that individual VirtualHosts honor only the specified protocols? Can the same method be used for SSLCipherSuite?
>
> Thanks,
> Karl
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: VirtualHosts, SSLProtocol, and SSLCipherSuite [ In reply to ]
I must have mistyped my config.

Assuming a config such as the following
<VirtualHost sslv3.example.com:443>
SSLProtocol     -All +SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
...

If I restart apache, and then try to test that (the --insecure is for a self-signed cert):

$ curl https://sslv3.example.com --insecure --tlsv1.0
<html><body><h1>It works!</h1></body></html>

Shouldn't it fail and not negotiate that?

Thanks,
Karl

----------------------------------------
> Date: Tue, 16 Jun 2015 11:17:22 +0200
> From: sarkofage77@gmail.com
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite
>
> Hi,
>
> Have you tested with the "+"?
>
> from docs :
> Syntax:SSLProtocol [+|-]protocol ...
>
> ex :
> <VirtualHost www.example.com:443>
> SSLProtocol +TLSv1.2
> ...
> </VirtualHost>
> <VirtualHost old.example.com:443>
> SSLProtocol +SSLv3
> ...
> </VirtualHost>
>
>
>
> On Tue, Jun 16, 2015 at 12:37 AM, karl karloff <karlkarloff@hotmail.com> wrote:
>> Is there a way in the current Apache (2.4.x or 2.2.x) to specify an SSLProtocol and SSLCipherSuite that affects only a singular VirtualHost?
>>
>> e.g.
>> www.example.com requires modern encryption (i.e. TLSv1.2)
>> old.example.com allows only deprecated Protocols/ciphers (e.g. SSLv3)
>>
>> I tried using something like
>>
>> <VirtualHost www.example.com:443>
>> SSLProtocol TLSv1.2
>> ...
>> </VirtualHost>
>> <VirtualHost old.example.com:443>
>> SSLProtocol SSLv3
>> ...
>> </VirtualHost>
>>
>> however it seems that the SSLProtocol directive is not honored inside a VirtualHost section.
>>
>> Is there a way to configure this properly so that individual VirtualHosts honor only the specified protocols? Can the same method be used for SSLCipherSuite?
>>
>> Thanks,
>> Karl
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: VirtualHosts, SSLProtocol, and SSLCipherSuite [ In reply to ]
Hi,

In my lab's :

serv:
<VirtualHost *:443>
...
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
SSLProtocol -All +SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 ###( I added
TLSv1.2 to test)
...

client:
#curl https://w1 --insecure --tlsv1.0
curl: (35) error:14077102:SSL
routines:SSL23_GET_SERVER_HELLO:unsupported protocol

#curl https://w1 --insecure --tlsv1.1
curl: (35) error:14077102:SSL
routines:SSL23_GET_SERVER_HELLO:unsupported protocol

#curl https://w1 --insecure --tlsv1.2
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>

It's ok.

On Tue, Jun 16, 2015 at 7:57 PM, karl karloff <karlkarloff@hotmail.com> wrote:
> I must have mistyped my config.
>
> Assuming a config such as the following
> <VirtualHost sslv3.example.com:443>
> SSLProtocol -All +SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
> ...
>
> If I restart apache, and then try to test that (the --insecure is for a self-signed cert):
>
> $ curl https://sslv3.example.com --insecure --tlsv1.0
> <html><body><h1>It works!</h1></body></html>
>
> Shouldn't it fail and not negotiate that?
>
> Thanks,
> Karl
>
> ----------------------------------------
>> Date: Tue, 16 Jun 2015 11:17:22 +0200
>> From: sarkofage77@gmail.com
>> To: users@httpd.apache.org
>> Subject: Re: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite
>>
>> Hi,
>>
>> Have you tested with the "+"?
>>
>> from docs :
>> Syntax:SSLProtocol [+|-]protocol ...
>>
>> ex :
>> <VirtualHost www.example.com:443>
>> SSLProtocol +TLSv1.2
>> ...
>> </VirtualHost>
>> <VirtualHost old.example.com:443>
>> SSLProtocol +SSLv3
>> ...
>> </VirtualHost>
>>
>>
>>
>> On Tue, Jun 16, 2015 at 12:37 AM, karl karloff <karlkarloff@hotmail.com> wrote:
>>> Is there a way in the current Apache (2.4.x or 2.2.x) to specify an SSLProtocol and SSLCipherSuite that affects only a singular VirtualHost?
>>>
>>> e.g.
>>> www.example.com requires modern encryption (i.e. TLSv1.2)
>>> old.example.com allows only deprecated Protocols/ciphers (e.g. SSLv3)
>>>
>>> I tried using something like
>>>
>>> <VirtualHost www.example.com:443>
>>> SSLProtocol TLSv1.2
>>> ...
>>> </VirtualHost>
>>> <VirtualHost old.example.com:443>
>>> SSLProtocol SSLv3
>>> ...
>>> </VirtualHost>
>>>
>>> however it seems that the SSLProtocol directive is not honored inside a VirtualHost section.
>>>
>>> Is there a way to configure this properly so that individual VirtualHosts honor only the specified protocols? Can the same method be used for SSLCipherSuite?
>>>
>>> Thanks,
>>> Karl
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: VirtualHosts, SSLProtocol, and SSLCipherSuite [ In reply to ]
On Tue, Jun 16, 2015 at 1:57 PM, karl karloff <karlkarloff@hotmail.com> wrote:
> <VirtualHost sslv3.example.com:443>

AIUI This VH style is not used much and could be contributing. If you
don't care what underlying interface/IP is used, use *:443 and
ServerName inside. Otherwise, use the local interface address/IP and
ServerName inside.


--
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: VirtualHosts, SSLProtocol, and SSLCipherSuite [ In reply to ]
I am attempting to set up more than one subdomain on :443 in this example.

so something like
sslv3.example.com:443 responds with SSLv3 only
tlsv1.example.com:443 responds with TLSv1.0 only
...

I wasn't aware that could be achieved using the ServerName directive.

The underlying IP/interface should be the same for all subdomains, but each subdomain responds by accepting only a single SSLProtocol.

Does that make sense?

Thanks,
Karl

----------------------------------------
> Date: Tue, 16 Jun 2015 16:08:36 -0400
> From: covener@gmail.com
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite
>
> On Tue, Jun 16, 2015 at 1:57 PM, karl karloff <karlkarloff@hotmail.com> wrote:
>> <VirtualHost sslv3.example.com:443>
>
> AIUI This VH style is not used much and could be contributing. If you
> don't care what underlying interface/IP is used, use *:443 and
> ServerName inside. Otherwise, use the local interface address/IP and
> ServerName inside.
>
>
> --
> Eric Covener
> covener@gmail.com
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: VirtualHosts, SSLProtocol, and SSLCipherSuite [ In reply to ]
On Tue, Jun 16, 2015 at 10:48 PM, karl karloff <karlkarloff@hotmail.com> wrote:
> I am attempting to set up more than one subdomain on :443 in this example.
>
> so something like
> sslv3.example.com:443 responds with SSLv3 only
> tlsv1.example.com:443 responds with TLSv1.0 only
> ...
>
> I wasn't aware that could be achieved using the ServerName directive.
>
> The underlying IP/interface should be the same for all subdomains, but each subdomain responds by accepting only a single SSLProtocol.
>
> Does that make sense?

It does, however there is a limitation currently in OpenSSL in that it
can't renegotiate the protocol.
Hence this configuration will work only with browsers/clients
supporting (and advertising) the Server Name Indication (SNI), which
allows to select the correct VirtualHost before the negotiation
occurs.
Otherwise, Apache HTTPd will have to negotiate before being able to
read the requested Host header, and hence determine the VirtualHost.
Thus it will do the negotiation occording to the parameters (protocol,
ciphers, ...) of the first vhost declared on the listening IP:port.
If finally the determined vhost is not the one used for the
negotiation, it will ask for a renegotiation which, as said above,
won't take the SSLProtocol into consideration due to OpenSSL not being
able to do that (the SSLCipherSuite can be renegotiated though).

So all should be fine with SNI only.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: VirtualHosts, SSLProtocol, and SSLCipherSuite [ In reply to ]
So that does not actually help in the case of SSLv3 because SNI is an extension to TLS.  It seems like this is not possible in Apache given the usage of OpenSSL as the SSL/TLS library.

Does that sum it up?

Thanks,
Karl

----------------------------------------
> Date: Tue, 16 Jun 2015 23:54:39 +0200
> From: ylavic.dev@gmail.com
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite
>
> On Tue, Jun 16, 2015 at 10:48 PM, karl karloff <karlkarloff@hotmail.com> wrote:
>> I am attempting to set up more than one subdomain on :443 in this example.
>>
>> so something like
>> sslv3.example.com:443 responds with SSLv3 only
>> tlsv1.example.com:443 responds with TLSv1.0 only
>> ...
>>
>> I wasn't aware that could be achieved using the ServerName directive.
>>
>> The underlying IP/interface should be the same for all subdomains, but each subdomain responds by accepting only a single SSLProtocol.
>>
>> Does that make sense?
>
> It does, however there is a limitation currently in OpenSSL in that it
> can't renegotiate the protocol.
> Hence this configuration will work only with browsers/clients
> supporting (and advertising) the Server Name Indication (SNI), which
> allows to select the correct VirtualHost before the negotiation
> occurs.
> Otherwise, Apache HTTPd will have to negotiate before being able to
> read the requested Host header, and hence determine the VirtualHost.
> Thus it will do the negotiation occording to the parameters (protocol,
> ciphers, ...) of the first vhost declared on the listening IP:port.
> If finally the determined vhost is not the one used for the
> negotiation, it will ask for a renegotiation which, as said above,
> won't take the SSLProtocol into consideration due to OpenSSL not being
> able to do that (the SSLCipherSuite can be renegotiated though).
>
> So all should be fine with SNI only.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: VirtualHosts, SSLProtocol, and SSLCipherSuite [ In reply to ]
Maybe mod_gnutls or libressl (working with patched mod_ssl, available
in trunk but not yet backported) can do better here, I don't know
enough about them to tell.

Regards,
Yann.

On Wed, Jun 17, 2015 at 12:37 AM, karl karloff <karlkarloff@hotmail.com> wrote:
> So that does not actually help in the case of SSLv3 because SNI is an extension to TLS. It seems like this is not possible in Apache given the usage of OpenSSL as the SSL/TLS library.
>
> Does that sum it up?
>
> Thanks,
> Karl
>
> ----------------------------------------
>> Date: Tue, 16 Jun 2015 23:54:39 +0200
>> From: ylavic.dev@gmail.com
>> To: users@httpd.apache.org
>> Subject: Re: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite
>>
>> On Tue, Jun 16, 2015 at 10:48 PM, karl karloff <karlkarloff@hotmail.com> wrote:
>>> I am attempting to set up more than one subdomain on :443 in this example.
>>>
>>> so something like
>>> sslv3.example.com:443 responds with SSLv3 only
>>> tlsv1.example.com:443 responds with TLSv1.0 only
>>> ...
>>>
>>> I wasn't aware that could be achieved using the ServerName directive.
>>>
>>> The underlying IP/interface should be the same for all subdomains, but each subdomain responds by accepting only a single SSLProtocol.
>>>
>>> Does that make sense?
>>
>> It does, however there is a limitation currently in OpenSSL in that it
>> can't renegotiate the protocol.
>> Hence this configuration will work only with browsers/clients
>> supporting (and advertising) the Server Name Indication (SNI), which
>> allows to select the correct VirtualHost before the negotiation
>> occurs.
>> Otherwise, Apache HTTPd will have to negotiate before being able to
>> read the requested Host header, and hence determine the VirtualHost.
>> Thus it will do the negotiation occording to the parameters (protocol,
>> ciphers, ...) of the first vhost declared on the listening IP:port.
>> If finally the determined vhost is not the one used for the
>> negotiation, it will ask for a renegotiation which, as said above,
>> won't take the SSLProtocol into consideration due to OpenSSL not being
>> able to do that (the SSLCipherSuite can be renegotiated though).
>>
>> So all should be fine with SNI only.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: VirtualHosts, SSLProtocol, and SSLCipherSuite [ In reply to ]
hello hello hello,

i recently posted a similar issue with the topic "Weirdo intepretation
of SSLprotocol order" on this distlist (may 7th 2015)

I found that (at least on) Apache 2.2.29 64bit Prefork, the sslProtocol
order is only challenged once for the whole server, that is the first
occurence to appear. I think this is your problem too...

Someone asked me to build a backported dist of httpd, or at least a
patch.. however, time never got to me...

The general solution seems to be running httpd 2.4.13+, but its unclear
to me, whether the problem resides in openssl maybe.. however, its not
fixed out of the blue. And i know, this doesnt answer your question, but
it may make things a little clearer :)


br
Congo


On 2015-06-17 00:37, karl karloff wrote:
> So that does not actually help in the case of SSLv3 because SNI is an
> extension to TLS.  It seems like this is not possible in Apache given
> the usage of OpenSSL as the SSL/TLS library.
>
> Does that sum it up?
>
> Thanks,
> Karl
>
> ----------------------------------------
>> Date: Tue, 16 Jun 2015 23:54:39 +0200
>> From: ylavic.dev@gmail.com
>> To: users@httpd.apache.org
>> Subject: Re: [users@httpd] VirtualHosts, SSLProtocol, and
>> SSLCipherSuite
>>
>> On Tue, Jun 16, 2015 at 10:48 PM, karl karloff
>> <karlkarloff@hotmail.com> wrote:
>>> I am attempting to set up more than one subdomain on :443 in this
>>> example.
>>>
>>> so something like
>>> sslv3.example.com:443 responds with SSLv3 only
>>> tlsv1.example.com:443 responds with TLSv1.0 only
>>> ...
>>>
>>> I wasn't aware that could be achieved using the ServerName directive.
>>>
>>> The underlying IP/interface should be the same for all subdomains,
>>> but each subdomain responds by accepting only a single SSLProtocol.
>>>
>>> Does that make sense?
>>
>> It does, however there is a limitation currently in OpenSSL in that it
>> can't renegotiate the protocol.
>> Hence this configuration will work only with browsers/clients
>> supporting (and advertising) the Server Name Indication (SNI), which
>> allows to select the correct VirtualHost before the negotiation
>> occurs.
>> Otherwise, Apache HTTPd will have to negotiate before being able to
>> read the requested Host header, and hence determine the VirtualHost.
>> Thus it will do the negotiation occording to the parameters (protocol,
>> ciphers, ...) of the first vhost declared on the listening IP:port.
>> If finally the determined vhost is not the one used for the
>> negotiation, it will ask for a renegotiation which, as said above,
>> won't take the SSLProtocol into consideration due to OpenSSL not being
>> able to do that (the SSLCipherSuite can be renegotiated though).
>>
>> So all should be fine with SNI only.
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org