LinuxQuestions.org
View the Most Wanted LQ Wiki articles.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 02-23-2010, 04:52 PM   #1
Jukas
Member
 
Registered: Mar 2005
Posts: 141

Rep: Reputation: 15
Apache 2.2.14 ignores SSL Cipher in Virtual Host


Folks,

I'm trying to figure out why Apache is ignoring SSL Cipher statements when placed inside a Virtual Host. Specifically I'm trying to disable SSLv2 and only allow SSLv3 or TLSv1

In httpd-ssl.conf I have the following

Code:
SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2
SSLCipherSuite -ALL:!ADH:!SSLv2:!EXPORT56:RC4+RSA:+HIGH:-MEDIUM:-LOW:+SSLv3:+EXP:!eNULL:!NULL
And when I try and connect, I get the expected results.

Quote:
[root@theoden extra]# openssl s_client -connect localhost:443 -ssl2socket: Connection refused
connect:errno=29
In my virtual host statement I have

Code:
<VirtualHost 192.168.5.5:443>
DocumentRoot /www/htdocs/widget
ServerName widget.domain.com
ServerAlias widget.domain.com
<FilesMatch "\.(ico|js|jpg|jpeg|css|gif)$">
        ExpiresActive On
        ExpiresDefault "access plus 1 month"
</FilesMatch>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:!MEDIUM:!LOW:+SSLv3:+TLSv1:-SSLv2:!EXP:!eNULL
SSLCertificateFile /www/conf/_.domain.com.crt
SSLCertificateKeyFile /www/conf/domain.com.key
SSLCertificateChainFile /www/conf/gd_bundle.crt
<Directory "/www/htdocs/widget">
allow from all
Options -Indexes
</Directory>
ServerAdmin admin@domain.com
ErrorLog /www/logs/widget.domain.com-error_log
CustomLog /www/logs/widget.domain.com-access_log common
</VirtualHost>
However when I try and test it with openssl s_client -connect widget.domain.com:443 -ssl2

No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 1452 bytes and written 236 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
<snip>
[/quote]

The only difference between the two is the httpd-ssl.conf has -ALL in the CIPHER, and the virtual host entry has ALL. However if I try and change the ALL statement in the virtual host entry to -ALL I get the following error in my logs & get no content.

Quote:
[Tue Feb 23 14:48:50 2010] [error] Unable to configure permitted SSL ciphers
[Tue Feb 23 14:48:50 2010] [error] SSL Library Error: 336646329 error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match

Any idea why it's not working in the virtual host statement? Unfortunately as many of you are probably aware it's impossible to gain PCI certification with SSLv2 enabled.
 
Old 02-23-2010, 05:55 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by Jukas
The only difference between the two is the httpd-ssl.conf has -ALL in the CIPHER, and the virtual host entry has ALL.
That's not true. If you look carefully, you will see there are numerous syntactical differences.

FWIW, I use the following:
Code:
SSLProtocol All -SSLv2
SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
 
Old 02-23-2010, 06:34 PM   #3
Jukas
Member
 
Registered: Mar 2005
Posts: 141

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by anomie View Post
That's not true. If you look carefully, you will see there are numerous syntactical differences.
Thanks for the feedback, but really the differences are in httpd-ssl.conf it was defined using - and in the virtual host it was defined using !. According to the documentation I've read, both are equally acceptable.

Quote:
Originally Posted by anomie View Post
FWIW, I use the following:
Code:
SSLProtocol All -SSLv2
SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW
I tried using your example in both httpd-ssl.conf and the virtual host and the behavioral issue is still the same. When I query against localhost I get SSLv2 refused, when I query against the domain in the virtual host I get a SSLv2 connection.

So the base issue remains, SSLCipherSuite is still being ignored in Virtual Hosts.
 
Old 02-23-2010, 06:37 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Did you also add the SSLProtocol directive to the virtualhost?
 
Old 03-02-2010, 01:15 AM   #5
Jukas
Member
 
Registered: Mar 2005
Posts: 141

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by anomie View Post
Did you also add the SSLProtocol directive to the virtualhost?
I tried it both with and without he SSLProtocol in the virtual host file. In all cases is still allows SSLv2 connections at the host level and denies them against localhost.
 
Old 03-02-2010, 04:44 PM   #6
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
All I will add is that there is nothing magical about the virtualhost container that should prevent this from working. I'd suggest (while troubleshooting) that you fire up a test Apache system, copy/paste and test exact known-working lines into a virtualhost there, and confirm that it all works. Once that has been proven, you can begin eliminating possible problems one at a time on your borked installation.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Apache disable SSL on a virtual host cashton2k Linux - Server 2 01-22-2010 04:17 AM
Solutions to Apache SSL Virtual Host woes (for dynamic IP too) Silly22 Linux - Software 2 10-14-2009 05:07 PM
Apache with wildcard SSL and virtual host crispytwo Linux - Server 2 04-28-2009 08:56 PM
Apache 2 / SSL and virtual host under GNU/Linux Debian Etch - http and https scls19fr Linux - Server 0 10-09-2008 10:11 AM
Apache SSL - how to virtual host two or more secure websites on the same machine? bjoshi Linux - Networking 0 08-30-2001 07:01 PM


All times are GMT -5. The time now is 09:05 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration