Apache 2.2.14 ignores SSL Cipher in Virtual Host

Jukas · 02-23-2010, 04:52 PM

Folks,

I'm trying to figure out why Apache is ignoring SSL Cipher statements when placed inside a Virtual Host. Specifically I'm trying to disable SSLv2 and only allow SSLv3 or TLSv1

In httpd-ssl.conf I have the following

Code:

SSLProtocol -ALL +SSLv3 +TLSv1 -SSLv2
SSLCipherSuite -ALL:!ADH:!SSLv2:!EXPORT56:RC4+RSA:+HIGH:-MEDIUM:-LOW:+SSLv3:+EXP:!eNULL:!NULL

And when I try and connect, I get the expected results.

Quote:

[root@theoden extra]# openssl s_client -connect localhost:443 -ssl2socket: Connection refused
connect:errno=29

In my virtual host statement I have

Code:

<VirtualHost 192.168.5.5:443>
DocumentRoot /www/htdocs/widget
ServerName widget.domain.com
ServerAlias widget.domain.com
<FilesMatch "\.(ico|js|jpg|jpeg|css|gif)$">
        ExpiresActive On
        ExpiresDefault "access plus 1 month"
</FilesMatch>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:!MEDIUM:!LOW:+SSLv3:+TLSv1:-SSLv2:!EXP:!eNULL
SSLCertificateFile /www/conf/_.domain.com.crt
SSLCertificateKeyFile /www/conf/domain.com.key
SSLCertificateChainFile /www/conf/gd_bundle.crt
<Directory "/www/htdocs/widget">
allow from all
Options -Indexes
</Directory>
ServerAdmin admin@domain.com
ErrorLog /www/logs/widget.domain.com-error_log
CustomLog /www/logs/widget.domain.com-access_log common
</VirtualHost>

However when I try and test it with openssl s_client -connect widget.domain.com:443 -ssl2

No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5
EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 1452 bytes and written 236 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
<snip>
[/quote]

The only difference between the two is the httpd-ssl.conf has -ALL in the CIPHER, and the virtual host entry has ALL. However if I try and change the ALL statement in the virtual host entry to -ALL I get the following error in my logs & get no content.

Quote:

[Tue Feb 23 14:48:50 2010] [error] Unable to configure permitted SSL ciphers
[Tue Feb 23 14:48:50 2010] [error] SSL Library Error: 336646329 error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match

Any idea why it's not working in the virtual host statement? Unfortunately as many of you are probably aware it's impossible to gain PCI certification with SSLv2 enabled.

anomie · 02-23-2010, 05:55 PM

Quote:

Originally Posted by Jukas

The only difference between the two is the httpd-ssl.conf has -ALL in the CIPHER, and the virtual host entry has ALL.

That's not true. If you look carefully, you will see there are numerous syntactical differences.

FWIW, I use the following:

Code:

SSLProtocol All -SSLv2
SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW

Jukas · 02-23-2010, 06:34 PM

Quote:

Originally Posted by anomie

That's not true. If you look carefully, you will see there are numerous syntactical differences.

Thanks for the feedback, but really the differences are in httpd-ssl.conf it was defined using - and in the virtual host it was defined using !. According to the documentation I've read, both are equally acceptable.

Quote:

Originally Posted by anomie

FWIW, I use the following:

Code:

SSLProtocol All -SSLv2
SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW

I tried using your example in both httpd-ssl.conf and the virtual host and the behavioral issue is still the same. When I query against localhost I get SSLv2 refused, when I query against the domain in the virtual host I get a SSLv2 connection.

So the base issue remains, SSLCipherSuite is still being ignored in Virtual Hosts.

anomie · 02-23-2010, 06:37 PM

Did you also add the SSLProtocol directive to the virtualhost?

Jukas · 03-02-2010, 01:15 AM

Quote:

Originally Posted by anomie

Did you also add the SSLProtocol directive to the virtualhost?

I tried it both with and without he SSLProtocol in the virtual host file. In all cases is still allows SSLv2 connections at the host level and denies them against localhost.

anomie · 03-02-2010, 04:44 PM

All I will add is that there is nothing magical about the virtualhost container that should prevent this from working. I'd suggest (while troubleshooting) that you fire up a test Apache system, copy/paste and test exact known-working lines into a virtualhost there, and confirm that it all works. Once that has been proven, you can begin eliminating possible problems one at a time on your borked installation.