From: "Michele Mase'"
To: Httpd Users List
Date: Fri, 29 Jul 2016 18:40:39 +0200
Subject: Re: [users@httpd] SSLHonorCipherOrder not working as expected

Correct ...
Probably the old app will always land in the first vhost, but only for the SSL options; the vhost itself works with its own rules of ProxyPass and ProxyPassReverse.
The solutions are two: trash the old app or use an IP-based vhost.

Best regards
Michele

On Fri, Jul 29, 2016 at 9:02 AM, Daniel wrote:
> Follow Yann's advice, probably your only option is to set a different IP for
> the virtualhost for this client; most probably Java 1.4 does not support
> TLS SNI either, so using name-based virtual hosts with SSL for this client will
> always land you in the first SSL virtualhost available.
>
> 2016-07-28 23:43 GMT+02:00 Yann Ylavic:
>
>> On Thu, Jul 28, 2016 at 10:00 PM, Michele Mase' wrote:
>> >
>> > Any suggestion?
>>
>> Ciphers must be negotiated before HTTP is decrypted (and hence vhost
>> selection can happen).
>> With SSLHonorCipherOrder off, the negotiated cipher is probably
>> RC4-SHA (the one preferred by the client).
>> With SSLHonorCipherOrder on, the negotiated cipher is probably an
>> ECDHE one (preferred by the server), which the old Java also supports,
>> but only to some extent (e.g. DH <= 1024, see
>> https://httpd.apache.org/docs/current/ssl/ssl_faq.html#javadh).
>>
>> Anyway, since you still want stronger ciphers for the other
>> clients/vhosts, why not put the legacy one on its own (different) IP
>> or port, configured with a suitable/compatible CipherSuite
>> (CipherOrder shouldn't matter here)?
>>
>> Regards,
>> Yann.
>
> --
> Daniel Ferradal
> IT Specialist
>
> email dferradal at gmail.com
> linkedin es.linkedin.com/in/danielferradal
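The layout the thread converges on, written out as an added httpd configuration example (not from any poster): the name-based arrangement that traps the non-SNI Java client in the first vhost's TLS settings, beside the IP-based arrangement where each vhost gets its own SSLCipherSuite. Hostnames, IPs, backend URLs, certificate paths and both cipher lists are placeholders chosen for illustration; in particular the legacy list assumes the old client supports AES128-SHA or 3DES.

```apache
# Added example, not from the thread. All names, addresses, paths and cipher
# strings below are placeholders.

# BEFORE: two name-based SSL vhosts on the same IP:443. mod_ssl must finish
# the TLS handshake before it can read the Host header, so a client that
# sends no SNI (the Java 1.4 client) is always served with the FIRST vhost's
# TLS settings, whatever ServerName it was really aiming for:
#
#   <VirtualHost *:443>
#       ServerName modern.example.com
#       SSLHonorCipherOrder on
#       SSLCipherSuite ECDHE+AESGCM:ECDHE+AES:!aNULL:!MD5:!RC4
#   </VirtualHost>
#   <VirtualHost *:443>
#       ServerName legacy.example.com
#       # never reached by a non-SNI client's handshake
#   </VirtualHost>

# AFTER: the legacy application gets its own IP (a separate port works the
# same way), so the listening socket, not the Host header, selects the TLS
# settings, and the strict policy on the shared host stays untouched.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
    ServerName modern.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/placeholder/modern.crt
    SSLCertificateKeyFile /etc/ssl/placeholder/modern.key
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE+AESGCM:ECDHE+AES:!aNULL:!MD5:!RC4
    ProxyPass        / http://backend-modern:8080/
    ProxyPassReverse / http://backend-modern:8080/
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName legacy.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/placeholder/legacy.crt
    SSLCertificateKeyFile /etc/ssl/placeholder/legacy.key
    # Compatibility-only list (assumed acceptable to the old client), confined
    # to this IP so it cannot weaken modern.example.com. As Yann notes, cipher
    # order does not matter here, so SSLHonorCipherOrder is left at its default.
    SSLCipherSuite AES128-SHA:DES-CBC3-SHA
    ProxyPass        / http://backend-legacy:8080/
    ProxyPassReverse / http://backend-legacy:8080/
</VirtualHost>
```

To confirm the split works, connect to each IP with `openssl s_client -connect <ip>:443` and check that the certificate and negotiated cipher reported belong to that IP's vhost rather than to the first one defined.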