httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 55707] New: SSLProtocol directive seems to be ignored across different virtualhosts on the same ip+port
Date Fri, 25 Oct 2013 19:35:22 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=55707

            Bug ID: 55707
           Summary: SSLProtocol directive seems to be ignored across
                    different virtualhosts on the same ip+port
           Product: Apache httpd-2
           Version: 2.4.6
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: cf0hay@gmail.com

I have more than one virtualhost configured on the same IP address and port.
The first one has these directives (uses RSA):

SSLProtocol TLSv1.2 +TLSv1.1 +TLSv1
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DES-CBC3-SHA

The second one only these (uses EC):

SSLProtocol TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA
SSLStrictSNIVHostCheck on

Non-SNI clients get 403 properly. But if a client supports SNI and negotiates
with TLSv1.1 or TLSv1, the request is accepted and the page served. With
an SNI client, the SSLCipherSuite list is used properly, but the
SSLProtocol directive is totally ignored. From the ClientHello the
SNI capability can be detected, and so can the protocol version in use. TLS
negotiation should be refused when there is no common protocol version, the
same way it is when there are no common ciphers.

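The report above boils down to a configuration-review point: on a shared IP:port, an SNI vhost's SSLProtocol can be narrower than the first (default) vhost's, yet clients still connect with the versions the default vhost allows. The following added example (not part of the bug report or of httpd) is a small offline linter that parses VirtualHost blocks, expands each SSLProtocol argument list, and reports any SNI vhost whose protocol set is tighter than the default vhost on the same address, listing the versions that remain reachable. The sample configuration is constructed to mirror the two vhosts quoted in the report; the SSLProtocol parsing approximates mod_ssl's rules (a bare name sets the list, "+" adds, "-" removes, "all" expands to every version) and is an assumption for illustration, as is the version list in ALL_VERSIONS.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two vhosts quoted in the report:
# both listen on the same ip:port, the second wants TLSv1.2 only.
SAMPLE_CONFIG = """
<VirtualHost 192.0.2.10:443>
    ServerName rsa.example.test
    SSLEngine on
    SSLProtocol TLSv1.2 +TLSv1.1 +TLSv1
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName ecdsa.example.test
    SSLEngine on
    SSLProtocol TLSv1.2
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384
    SSLStrictSNIVHostCheck on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
# Assumed version names; adjust to what the installed mod_ssl accepts.
ALL_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}


def parse_sslprotocol(value):
    """Expand an SSLProtocol argument list into the set of enabled versions.

    Approximation of mod_ssl's syntax (assumption): a bare name replaces the
    current set, '+name' adds, '-name' removes, and 'all' means every version.
    """
    enabled = set()
    for tok in value.split():
        op, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("=", tok)
        versions = set(ALL_VERSIONS) if name.lower() == "all" else {name}
        if op == "+":
            enabled |= versions
        elif op == "-":
            enabled -= versions
        else:
            enabled = versions
    return enabled


def find_shared_vhost_protocol_conflicts(config_text):
    """Group SSL vhosts by listening address and flag SNI vhosts whose
    SSLProtocol set is narrower than the default (first) vhost's on that
    address, since the report shows the default vhost's versions are what
    clients can actually negotiate."""
    groups = defaultdict(list)
    for addr, body in VHOST_RE.findall(config_text):
        if not re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I):
            continue  # not an SSL vhost, protocol settings do not apply
        name_m = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        proto_m = re.search(r"^\s*SSLProtocol\s+(.+?)\s*$", body, re.M | re.I)
        groups[addr.strip()].append({
            "name": name_m.group(1) if name_m else "<unnamed>",
            # None means "inherits the server-level SSLProtocol"
            "protocols": parse_sslprotocol(proto_m.group(1)) if proto_m else None,
        })

    findings = []
    for addr, vhosts in groups.items():
        default = vhosts[0]
        if default["protocols"] is None:
            continue  # effective set unknown without the global SSLProtocol
        for vh in vhosts[1:]:
            if vh["protocols"] is None:
                continue
            exposed = default["protocols"] - vh["protocols"]
            if exposed:
                findings.append({
                    "address": addr,
                    "vhost": vh["name"],
                    "wants": sorted(vh["protocols"]),
                    "effective": sorted(default["protocols"]),
                    "exposed": sorted(exposed),
                })
    return findings


if __name__ == "__main__":
    for f in find_shared_vhost_protocol_conflicts(SAMPLE_CONFIG):
        print(f"{f['address']} {f['vhost']}: wants {f['wants']}, "
              f"default vhost allows {f['effective']}, still reachable: {f['exposed']}")
```

Run against a real httpd configuration (one file at a time, or the concatenated output of the Include tree), a finding means the tighter SSLProtocol is not doing what the vhost author expected. Given the behaviour described in the report, the practical mitigation is to set the most restrictive SSLProtocol that all vhosts on that IP:port can live with in the server context or in the default vhost, rather than relying on per-SNI-vhost narrowing.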

