httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From karl karloff <karlkarl...@hotmail.com>
Subject RE: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite
Date Tue, 16 Jun 2015 17:57:21 GMT
I must have mistyped my config.

Assuming a config such as the following
<VirtualHost sslv3.example.com:443>
SSLProtocol     -All +SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
...

If I restart apache, and then try to test that (the --insecure is for a self-signed cert):

$ curl https://sslv3.example.com --insecure --tlsv1.0
<html><body><h1>It works!</h1></body></html>

Shouldn't it fail and not negotiate that?

Thanks,
Karl

----------------------------------------
> Date: Tue, 16 Jun 2015 11:17:22 +0200
> From: sarkofage77@gmail.com
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite
>
> Hi,
>
> Have you tested with the "+"?
>
> from docs :
> Syntax:SSLProtocol [+|-]protocol ...
>
> ex :
> <VirtualHost www.example.com:443>
> SSLProtocol +TLSv1.2
> ...
> </VirtualHost>
> <VirtualHost old.example.com:443>
> SSLProtocol +SSLv3
> ...
> </VirtualHost>
>
>
>
> On Tue, Jun 16, 2015 at 12:37 AM, karl karloff <karlkarloff@hotmail.com> wrote:
>> Is there a way in the current Apache (2.4.x or 2.2.x) to specify an SSLProtocol and
SSLCipherSuite that affects only a singular VirtualHost?
>>
>> e.g.
>> www.example.com requires modern encryption (i.e. TLSv1.2)
>> old.example.com allows only deprecated Protocols/ciphers (e.g. SSLv3)
>>
>> I tried using something like
>>
>> <VirtualHost www.example.com:443>
>> SSLProtocol TLSv1.2
>> ...
>> </VirtualHost>
>> <VirtualHost old.example.com:443>
>> SSLProtocol SSLv3
>> ...
>> </VirtualHost>
>>
>> however it seems that the SSLProtocol directive is not honored inside a VirtualHost
section.
>>
>> Is there a way to configure this properly so that individual VirtualHosts honor only
the specified protocols? Can the same method be used for SSLCipherSuite?
>>
>> Thanks,
>> Karl
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
 		 	   		  
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message