Apache 2.2.14 ignores SSL Cipher in Virtual Host
Folks,
I'm trying to figure out why Apache is ignoring SSL Cipher statements when placed inside a Virtual Host. Specifically I'm trying to disable SSLv2 and only allow SSLv3 or TLSv1. In httpd-ssl.conf I have the following:
Code:
SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2
Quote:
Code:
<VirtualHost 192.168.5.5:443>
No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5 EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 1452 bytes and written 236 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
<snip>
The only difference between the two is the httpd-ssl.conf has -ALL in the CIPHER, and the virtual host entry has ALL. However, if I try and change the ALL statement in the virtual host entry to -ALL I get the following error in my logs & get no content.
Quote:
Any idea why it's not working in the virtual host statement? Unfortunately, as many of you are probably aware, it's impossible to gain PCI certification with SSLv2 enabled.
Quote:
FWIW, I use the following:
Code:
SSLProtocol All -SSLv2
Quote:
Quote:
So the base issue remains, SSLCipherSuite is still being ignored in Virtual Hosts.
Did you also add the SSLProtocol directive to the virtualhost?
Quote:
All I will add is that there is nothing magical about the virtualhost container that should prevent this from working. I'd suggest (while troubleshooting) that you fire up a test Apache system, copy/paste and test exact known-working lines into a virtualhost there, and confirm that it all works. Once that has been proven, you can begin eliminating possible problems one at a time on your borked installation.
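One of the replies above asks whether SSLProtocol was also set inside the virtual host. As an added example (not from the thread or from the Apache project), this Python script reads config text and lists the scopes whose effective SSLProtocol still permits SSLv2, assuming Apache 2.2 mod_ssl token handling (+x adds, -x removes, a bare name replaces, All includes SSLv2) and that a vhost inherits any directive it does not set. The function names, the vhost bodies, the second vhost address and the cipher string are constructed for illustration; Include files and other containers are not handled.

```python
import re

ALL = {"SSLv2", "SSLv3", "TLSv1"}  # "All" in Apache 2.2's mod_ssl includes SSLv2

def parse_protocol(args):
    """Apply SSLProtocol tokens left to right: +x adds, -x removes, bare x replaces."""
    enabled = set()
    for tok in args.split():
        name = tok.lstrip("+-").lower()
        chosen = set(ALL) if name == "all" else {p for p in ALL if p.lower() == name}
        if tok[0] == "-":
            enabled -= chosen
        else:
            enabled = enabled | chosen if tok[0] == "+" else chosen
    return enabled

def audit(conf):
    """Return {scope: (protocols, cipher_suite)}; a vhost inherits what it does not set."""
    scopes, current = {"global": {}}, "global"
    for line in map(str.strip, conf.splitlines()):
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        parts = line.split(None, 1)
        if m:
            current = m.group(1).strip()
            scopes[current] = {}
        elif line.lower().startswith("</virtualhost"):
            current = "global"
        elif len(parts) == 2 and parts[0].lower() in ("sslprotocol", "sslciphersuite"):
            scopes[current][parts[0].lower()] = parts[1]
    merged = {s: {**scopes["global"], **d} for s, d in scopes.items()}
    return {s: (parse_protocol(d.get("sslprotocol", "All")), d.get("sslciphersuite"))
            for s, d in merged.items()}

def sslv2_scopes(conf):
    """Scopes whose effective SSLProtocol still permits SSLv2."""
    return [s for s, (protos, _) in audit(conf).items() if "SSLv2" in protos]

# Constructed sample: global line from the first post; vhost bodies are made up.
SAMPLE = """\
SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2
<VirtualHost 192.168.5.5:443>
    SSLProtocol All
    SSLCipherSuite ALL:!ADH
</VirtualHost>
<VirtualHost 192.168.5.6:443>
</VirtualHost>
"""

if __name__ == "__main__":
    print(sslv2_scopes(SAMPLE))
```

This reports what the configuration asks for, not what the running server negotiates, so a scope that comes back clean here while a client handshake still shows SSLv2 points at a file or directive the script was not given.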