Folks,
I'm trying to figure out why Apache is ignoring SSL Cipher statements when placed inside a Virtual Host. Specifically I'm trying to disable SSLv2 and only allow SSLv3 or TLSv1
In httpd-ssl.conf I have the following
Code:
SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2
SSLCipherSuite -ALL:!ADH:!SSLv2:!EXPORT56:RC4+RSA:+HIGH:-MEDIUM:-LOW:+SSLv3:+EXP:!eNULL:!NULL
And when I try and connect, I get the expected results.
Quote:
[root@theoden extra]# openssl s_client -connect localhost:443 -ssl2
socket: Connection refused
connect:errno=29
In my virtual host statement I have
Code:
<VirtualHost 192.168.5.5:443>
DocumentRoot /www/htdocs/widget
ServerName widget.domain.com
ServerAlias widget.domain.com
<FilesMatch "\.(ico|js|jpg|jpeg|css|gif)$">
ExpiresActive On
ExpiresDefault "access plus 1 month"
</FilesMatch>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:!MEDIUM:!LOW:+SSLv3:+TLSv1:-SSLv2:!EXP:!eNULL
SSLCertificateFile /www/conf/_.domain.com.crt
SSLCertificateKeyFile /www/conf/domain.com.key
SSLCertificateChainFile /www/conf/gd_bundle.crt
<Directory "/www/htdocs/widget">
allow from all
Options -Indexes
</Directory>
ServerAdmin admin@domain.com
ErrorLog /www/logs/widget.domain.com-error_log
CustomLog /www/logs/widget.domain.com-access_log common
</VirtualHost>
However, when I try to test it with openssl s_client -connect widget.domain.com:443 -ssl2, I get:
No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 1452 bytes and written 236 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
<snip>
The only difference between the two is that httpd-ssl.conf has -ALL in the cipher suite, and the virtual host entry has ALL. However, if I try to change the ALL statement in the virtual host entry to -ALL, I get the following error in my logs and get no content.
Quote:
[Tue Feb 23 14:48:50 2010] [error] Unable to configure permitted SSL ciphers
[Tue Feb 23 14:48:50 2010] [error] SSL Library Error: 336646329 error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
Any idea why it's not working in the virtual host statement? Unfortunately, as many of you are probably aware, it's impossible to gain PCI certification with SSLv2 enabled.
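The directive that gates protocol versions in mod_ssl is SSLProtocol, not SSLCipherSuite: a cipher string only filters suites, and a vhost that omits SSLProtocol runs with mod_ssl's default ("all", which in the Apache 2.2 / OpenSSL 0.9.8 era still included SSLv2). SSL directives set inside one <VirtualHost> do not carry over to another; only directives placed outside any <VirtualHost> are inherited. The script below is an added example written for this thread, not the poster's files. It resolves the effective SSLProtocol of every SSLEngine-on vhost and flags SSLv2. The two sample configs are constructed from the directives quoted above; the assumption that the httpd-ssl.conf SSLProtocol line sits inside the stock _default_:443 vhost (which is why it never reaches the widget vhost) is mine, as is the corrected vhost.

```python
"""Audit Apache vhosts for SSLv2 exposure by resolving each SSL vhost's
effective SSLProtocol. Added example; configs below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Protocols mod_ssl could negotiate in the Apache 2.2 / OpenSSL 0.9.8 era;
# "all" expanded to this set, so a missing SSLProtocol left SSLv2 on.
ALL_PROTOCOLS = frozenset({"SSLv2", "SSLv3", "TLSv1"})

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"</VirtualHost>", re.IGNORECASE)


def parse_ssl_protocol(value: str) -> Set[str]:
    """Expand an SSLProtocol value left to right: [+]name enables, -name
    disables, 'all' stands for every protocol; names are case-insensitive."""
    canonical = {p.lower(): p for p in ALL_PROTOCOLS}
    enabled: Set[str] = set()
    for token in value.split():
        sign = "+"
        if token[0] in "+-":
            sign, token = token[0], token[1:]
        key = token.lower()
        names = set(ALL_PROTOCOLS) if key == "all" else {canonical.get(key, token)}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled


@dataclass
class VHost:
    address: str
    server_name: str = ""
    ssl_engine: bool = False
    ssl_protocol: Optional[str] = None


def parse_config(text: str) -> Tuple[Optional[str], List[VHost]]:
    """Return (server-level SSLProtocol, vhosts). One file; Include is not followed."""
    global_protocol: Optional[str] = None
    vhosts: List[VHost] = []
    current: Optional[VHost] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = VHOST_OPEN.match(line)
        if m:
            current = VHost(address=m.group(1).strip())
            continue
        if VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        parts = line.split(None, 1)
        name, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if current is None:
            if name == "sslprotocol":        # server context: inherited by vhosts
                global_protocol = value
        elif name == "servername":
            current.server_name = value
        elif name == "sslengine":
            current.ssl_engine = value.lower() == "on"
        elif name == "sslprotocol":
            current.ssl_protocol = value
    return global_protocol, vhosts


def audit(text: str) -> List[Dict[str, object]]:
    """One finding per SSLEngine-on vhost: where its SSLProtocol came from,
    which protocols that enables, and whether SSLv2 is among them."""
    global_protocol, vhosts = parse_config(text)
    findings: List[Dict[str, object]] = []
    for vh in vhosts:
        if not vh.ssl_engine:
            continue
        if vh.ssl_protocol is not None:
            source, value = "vhost", vh.ssl_protocol
        elif global_protocol is not None:
            source, value = "server config", global_protocol
        else:
            source, value = "mod_ssl default", "all"
        protocols = parse_ssl_protocol(value)
        findings.append({"vhost": vh.server_name or vh.address, "source": source,
                         "protocols": frozenset(protocols), "sslv2": "SSLv2" in protocols})
    return findings


# Constructed sample of the thread's layout; placing the httpd-ssl.conf
# SSLProtocol line inside the _default_ vhost is an assumption.
WEAK_CONFIG = """
Listen 443
<VirtualHost _default_:443>
    ServerName theoden
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2
    SSLCipherSuite -ALL:!ADH:!SSLv2:!EXPORT56:RC4+RSA:+HIGH:-MEDIUM:-LOW:+SSLv3:+EXP:!eNULL:!NULL
</VirtualHost>

<VirtualHost 192.168.5.5:443>
    ServerName widget.domain.com
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:!MEDIUM:!LOW:+SSLv3:+TLSv1:-SSLv2:!EXP:!eNULL
</VirtualHost>
"""

# Corrected layout: SSLProtocol set in the widget vhost itself (placing it
# outside every <VirtualHost> would make all vhosts inherit it instead).
FIXED_CONFIG = WEAK_CONFIG.replace(
    "    ServerName widget.domain.com\n",
    "    ServerName widget.domain.com\n    SSLProtocol all -SSLv2\n",
)

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        for f in audit(cfg):
            flag = "SSLv2 ENABLED" if f["sslv2"] else "ok"
            print(f"{label}: {f['vhost']}: {sorted(f['protocols'])} from {f['source']} -> {flag}")
```

Two caveats when re-testing: "socket: Connection refused" from s_client is a TCP-level failure (nothing accepting on that address and port), not evidence that SSLv2 was rejected; a disabled protocol shows up as a failed handshake on an open port. And in a cipher string, "-SSLv2" only removes those suites at that point in the list, whereas "!SSLv2" removes them permanently; neither replaces SSLProtocol for turning the protocol off.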