httpd-users mailing list archives

From Noway Priv <sarkofag...@gmail.com>
Subject Re: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite
Date Tue, 16 Jun 2015 19:53:08 GMT
Hi,

In my lab:

serv:
<VirtualHost *:443>
...
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
        # (I added TLSv1.2 to test)
        SSLProtocol -All +SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
...

client:
#curl https://w1 --insecure --tlsv1.0
curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

#curl https://w1 --insecure --tlsv1.1
curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol

#curl https://w1 --insecure --tlsv1.2
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>

It's ok.

On Tue, Jun 16, 2015 at 7:57 PM, karl karloff <karlkarloff@hotmail.com> wrote:
> I must have mistyped my config.
>
> Assuming a config such as the following
> <VirtualHost sslv3.example.com:443>
> SSLProtocol     -All +SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
> ...
>
> If I restart apache, and then try to test that (the --insecure is for a self-signed cert):
>
> $ curl https://sslv3.example.com --insecure --tlsv1.0
> <html><body><h1>It works!</h1></body></html>
>
> Shouldn't it fail and not negotiate that?
>
> Thanks,
> Karl
>
> ----------------------------------------
>> Date: Tue, 16 Jun 2015 11:17:22 +0200
>> From: sarkofage77@gmail.com
>> To: users@httpd.apache.org
>> Subject: Re: [users@httpd] VirtualHosts, SSLProtocol, and SSLCipherSuite
>>
>> Hi,
>>
>> Have you tested with the "+"?
>>
>> From the docs:
>> Syntax: SSLProtocol [+|-]protocol ...
>>
>> Example:
>> <VirtualHost www.example.com:443>
>> SSLProtocol +TLSv1.2
>> ...
>> </VirtualHost>
>> <VirtualHost old.example.com:443>
>> SSLProtocol +SSLv3
>> ...
>> </VirtualHost>
>>
>>
>>
>> On Tue, Jun 16, 2015 at 12:37 AM, karl karloff <karlkarloff@hotmail.com> wrote:
>>> Is there a way in the current Apache (2.4.x or 2.2.x) to specify an SSLProtocol and SSLCipherSuite that affects only a singular VirtualHost?
>>>
>>> e.g.
>>> www.example.com requires modern encryption (i.e. TLSv1.2)
>>> old.example.com allows only deprecated Protocols/ciphers (e.g. SSLv3)
>>>
>>> I tried using something like
>>>
>>> <VirtualHost www.example.com:443>
>>> SSLProtocol TLSv1.2
>>> ...
>>> </VirtualHost>
>>> <VirtualHost old.example.com:443>
>>> SSLProtocol SSLv3
>>> ...
>>> </VirtualHost>
>>>
>>> however it seems that the SSLProtocol directive is not honored inside a VirtualHost section.
>>>
>>> Is there a way to configure this properly so that individual VirtualHosts honor only the specified protocols? Can the same method be used for SSLCipherSuite?
>>>
>>> Thanks,
>>> Karl
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>> For additional commands, e-mail: users-help@httpd.apache.org
>
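
An added example (not part of the original messages, and not mod_ssl's own code): a small Python model of the documented `SSLProtocol [+|-]protocol ...` syntax that resolves a directive to the set of protocols it enables and compares that set with probe results like the curl runs in this thread. The function names, the expansion of `all` to the four versions named in the thread, and the sample result maps are assumptions constructed for illustration.

```python
# Added example: model of the documented "SSLProtocol [+|-]protocol ..." syntax.
# Assumption: "all" expands to the four versions named in the thread.
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def effective_protocols(directive_args):
    """Resolve SSLProtocol arguments left to right into the enabled set."""
    enabled = set()
    for token in directive_args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token[1:] if action else token
        if name.lower() == "all":
            selected = set(KNOWN)
        else:
            match = [p for p in KNOWN if p.lower() == name.lower()]
            if not match:
                raise ValueError(f"illegal protocol {name!r}")
            selected = set(match)
        if action == "+":
            enabled |= selected
        elif action == "-":
            enabled -= selected
        else:  # a bare name replaces whatever was set so far
            enabled = selected
    return enabled


def audit(directive_args, observed):
    """Compare the expected protocol set with probe results.

    observed maps a protocol name to True (handshake succeeded) or False.
    Returns a sorted list of (protocol, expected, observed) mismatches.
    """
    expected = effective_protocols(directive_args)
    return sorted((p, p in expected, ok) for p, ok in observed.items()
                  if (p in expected) != ok)


# Constructed from the curl results quoted in the thread.
LAB = {"TLSv1": False, "TLSv1.1": False, "TLSv1.2": True}
KARL = {"TLSv1": True}

if __name__ == "__main__":
    print(audit("-All +SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2", LAB))
    print(audit("-All +SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2", KARL))
```

A non-empty result means the virtual host answered with a protocol set other than the one its own directive describes. The observed map is only meaningful when each probe is pinned to a single version; in current curl releases `--tlsv1.0` sets a minimum version, so pair it with `--tls-max`.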
