httpd-users mailing list archives

From Justin Pasher <just...@newmediagateway.com>
Subject Re: [users@httpd] Using SSLCipherSuite to restrict to faster cipher algorithms
Date Thu, 17 Dec 2009 17:21:24 GMT
François Beaune wrote:
> On Wed, Dec 16, 2009 at 7:00 PM, Justin Pasher
> <justinp@newmediagateway.com> wrote:
>
> [snip]
>
>     Here is the SSLCipherSuite directive that I use on my servers to
>     lock out insecure ciphers:
>
>     SSLCipherSuite AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5
>
>
> I'm still getting the same list, even if I use the SSLCipherSuite you 
> suggested, so it's clearly not used.
>
> On my side (in my subdomain's configuration), I only have one 
> SSLCipherSuite occurrence, inside the <VirtualHost> container I showed 
> earlier in this thread (and it's not in a <Location> or <Directory> 
> container).
>
> That being said, in /etc/httpd/conf.d/ssl.conf, there is another 
> occurrence:
>
>     <VirtualHost _default_:443>
>         ...
>         SSLEngine on
>         SSLProtocol all -SSLv2
>         SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
>         ...
>     </VirtualHost>
>
> Shouldn't my configuration file have precedence over that?

So now we know how Firefox is still using AES256. It's just a matter of 
figuring out why the SSLCipherSuite is not being used. The first thing 
I'd try is replacing the SSLCipherSuite directive you found above 
(inside the <VirtualHost _default_:443> container). If that fixes the 
problem, then you at least know where it's picking up the setting. As 
far as WHY it's hitting that VirtualHost container, Apache should be 
falling back to that one if there is no other matching <VirtualHost> 
container for the request. Looking back at the original post, I see this...

<VirtualHost XXX.XXX.XXX.XXX:443>
        ServerName svn.mydomain.net:443
...
</VirtualHost>

So I assume that the request is actually being made to the (masked) IP 
address XXX.XXX.XXX.XXX? One thought out of left field would be that 
the box has multiple IP addresses assigned and the request is actually 
hitting YYY.YYY.YYY.YYY instead of XXX.XXX.XXX.XXX, which would make it 
fall back to the default VirtualHost:443, I believe. Also, if you are 
trying to access the server via localhost, that would be coming from a 
different IP address (127.0.0.1), so it would also fall back to the 
default. Additional note: you don't need the ":443" on the ServerName.

Now, if changing the SSLCipherSuite in the default VirtualHost does NOT 
register the change, then it would sound like it's not hitting ANY of 
the VirtualHost containers that have SSLCipherSuite defined. If that 
really is the case, you could always put the SSLCipherSuite in the 
global scope as a last resort, but ideally you could figure out why it's 
not recognizing the setting.

-- 
Justin Pasher
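
Editor's added example (not part of the thread, and not the poster's configuration): a layout that makes the vhost-fallback behaviour described above harmless, because every <VirtualHost> that can answer a TLS request either carries its own SSLCipherSuite or inherits one from the global scope. The IP address, certificate path and hostname are placeholders; the cipher strings are the ones quoted in the thread, kept only to match the discussion (RC4 and 3DES were still common in 2009 but are no longer acceptable, so use a current list on a real server).

```apache
# Added example, not from the original message. 192.0.2.10 is a
# documentation-range placeholder standing in for the masked address.

# Global (server config) scope: mod_ssl directives set here are inherited
# by every <VirtualHost> that does not override them. This is the
# "last resort" placement from the message, and it catches requests that
# reach a vhost you did not expect.
SSLProtocol all -SSLv2
SSLCipherSuite AES256-SHA:DES-CBC3-SHA:AES128-SHA:RC4-SHA:RC4-MD5

# The stock ssl.conf vhost. A TLS connection to any address:443 that has
# no better-matching <VirtualHost> lands here, so whatever this block
# says (or inherits) is what the browser negotiates. The permissive
# ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW string is gone; the
# global list applies instead.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt      # placeholder
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key # placeholder
</VirtualHost>

# The site's own vhost. It matches only requests that arrive on exactly
# this IP:port. A request to another interface on the box, or to
# 127.0.0.1, does not match and falls back to _default_:443 above.
<VirtualHost 192.0.2.10:443>
    ServerName svn.mydomain.net           # no ":443" needed here
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/svn.crt            # placeholder
    SSLCertificateKeyFile /etc/pki/tls/private/svn.key       # placeholder
    # Tighter list for this site; overrides the global one.
    SSLCipherSuite AES256-SHA:DES-CBC3-SHA:AES128-SHA
</VirtualHost>
```

Two checks close the loop on the "which vhost is answering?" question. `httpd -S` (or `apachectl -S`) prints the parsed vhost table, including which block is the default server for each address:port, so you can see where a request to an unexpected IP will land before touching a browser. Then `openssl s_client -connect 192.0.2.10:443 -cipher RC4-MD5` asks the server for exactly one cipher: a completed handshake means the cipher list you thought you set is not the one in effect, and a handshake failure means the restriction is live for that address.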

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
