Posted to users@httpd.apache.org by Marian Ion <m....@oodrive.com> on 2019/10/16 07:17:11 UTC

[users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

According to
<https://cwiki.apache.org/confluence/display/HTTPD/NameBasedSSLVHostsWithSNI>
"With SNI, you can have many virtual hosts sharing the same IP address
and port, and each one can have its own unique certificate (and the rest
of the configuration)."

So, using Apache 2.4.41 on a Debian Buster with OpenSSL/1.1.1d I have
- in ssl.conf: SSLStrictSNIVHostCheck On
- in virtual hosts files I have something like
<VirtualHost *:443>
  ServerName      first.server.on.my.domain
  SSLProtocol    -all +TLSv1.2 +TLSv1.3
</virtualHost>

<VirtualHost *:443>
  ServerName      second.server.on.my.domain
  SSLProtocol    -all +TLSv1.3
</virtualHost>

For both I use wildcard certificates for *server.on.my.domain; what I
would like is to have the second server responding to TLS 1.3 only -
however, it seems that the configuration of the first virtual host prevails!

Is it possible to do what I am looking for? if yes, what am I doing wrong?

Marian Ion

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Yann Ylavic <yl...@gmail.com>.
Hi Mario,

On Thu, Feb 20, 2020 at 3:20 PM Mario Brandt <jb...@gmail.com> wrote:
>
> Can you backport this for 2.4.x please?

Done already: https://svn.apache.org/r1873907

Regards,
Yann.

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Mario Brandt <jb...@gmail.com>.
Hi Yann,
Can you backport this for 2.4.x please?

Cheers
Mario

On Wed, 23 Oct 2019 at 11:28, Mario Brandt <jb...@gmail.com> wrote:
>
> Hi Yann,
> thanks a lot for that patch file.
>
> I can confirm that the patch works on 2.4.41.
>
> Build with
>
> SSL 1.1.1d
> HTTPD 2.4.41
> APR 1.7.0
> APRU 1.6.1
> APRI 1.2.2
> ZLIB 1.2.11
> PCRE 8.43
> HTTP2 1.39.2
>
> I'd like to see that going into 2.4.next
>
> Regards
> Mario
>
> On Wed, 23 Oct 2019 at 10:41, Yann Ylavic <yl...@gmail.com> wrote:
> >
> > Hi Mario,
> >
> > On Wed, Oct 23, 2019 at 10:05 AM Mario Brandt <jb...@gmail.com> wrote:
> > >
> > > it was a PITA to apply this patch in 2.4.41 since the code lines are
> > > very different.
> > > And it fails to build.
> >
> > Sorry about that, full/single patch attached.
> >
> > Regards,
> > Yann.

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Mario Brandt <jb...@gmail.com>.
Hi Yann,
thanks a lot for that patch file.

I can confirm that the patch works on 2.4.41.

Build with

SSL 1.1.1d
HTTPD 2.4.41
APR 1.7.0
APRU 1.6.1
APRI 1.2.2
ZLIB 1.2.11
PCRE 8.43
HTTP2 1.39.2

I'd like to see that going into 2.4.next

Regards
Mario

On Wed, 23 Oct 2019 at 10:41, Yann Ylavic <yl...@gmail.com> wrote:
>
> Hi Mario,
>
> On Wed, Oct 23, 2019 at 10:05 AM Mario Brandt <jb...@gmail.com> wrote:
> >
> > it was a PITA to apply this patch in 2.4.41 since the code lines are
> > very different.
> > And it fails to build.
>
> Sorry about that, full/single patch attached.
>
> Regards,
> Yann.

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Yann Ylavic <yl...@gmail.com>.
Hi Mario,

On Wed, Oct 23, 2019 at 10:05 AM Mario Brandt <jb...@gmail.com> wrote:
>
> it was a PITA to apply this patch in 2.4.41 since the code lines are
> very different.
> And it fails to build.

Sorry about that, full/single patch attached.

Regards,
Yann.

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Mario Brandt <jb...@gmail.com>.
Hi Yann,
it was a PITA to apply this patch in 2.4.41 since the code lines are
very different.
And it fails to build.

Regards
Mario

On Wed, 23 Oct 2019 at 00:01, Yann Ylavic <yl...@gmail.com> wrote:
>
> On Tue, Oct 22, 2019 at 8:01 PM Mario Brandt <jb...@gmail.com> wrote:
> >
> > is there only a patch against trunk or is there one available for 2.4?
>
> The patches should apply just fine against latest 2.4.
>
> Regards,
> Yann.

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Yann Ylavic <yl...@gmail.com>.
On Tue, Oct 22, 2019 at 8:01 PM Mario Brandt <jb...@gmail.com> wrote:
>
> is there only a patch against trunk or is there one available for 2.4?

The patches should apply just fine against latest 2.4.

Regards,
Yann.

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Mario Brandt <jb...@gmail.com>.
Hi,
is there only a patch against trunk or is there one available for 2.4?

On Tue, 22 Oct 2019 at 18:34, Mario Brandt <jb...@gmail.com> wrote:
>
> Hi Yann,
> I test the patches this week or the weekend.
>
> Cheers
> Mario
>
> Yann Ylavic <yl...@gmail.com> wrote on Tue, 22 Oct 2019, 14:55:
>>
>> On Tue, Oct 22, 2019 at 1:54 PM Mario Brandt <jb...@gmail.com> wrote:
>> >
>> > There is also https://bz.apache.org/bugzilla/show_bug.cgi?id=62939
>>
>> Would you mind testing with both patches below applied:
>>   https://github.com/apache/httpd/commit/076e28399c7336f2b287b102a6e4e40934f2057d.patch
>>   https://github.com/apache/httpd/commit/b3fb2d39727940b487765b401b763ae5ba79a4cf.patch
>> ?
>>
>> Regards,
>> Yann.

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Mario Brandt <jb...@gmail.com>.
Hi Yann,
I test the patches this week or the weekend.

Cheers
Mario

Yann Ylavic <yl...@gmail.com> wrote on Tue, 22 Oct 2019, 14:55:

> On Tue, Oct 22, 2019 at 1:54 PM Mario Brandt <jb...@gmail.com> wrote:
> >
> > There is also https://bz.apache.org/bugzilla/show_bug.cgi?id=62939
>
> Would you mind testing with both patches below applied:
>
> https://github.com/apache/httpd/commit/076e28399c7336f2b287b102a6e4e40934f2057d.patch
>
> https://github.com/apache/httpd/commit/b3fb2d39727940b487765b401b763ae5ba79a4cf.patch
> ?
>
> Regards,
> Yann.
>

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Yann Ylavic <yl...@gmail.com>.
On Tue, Oct 22, 2019 at 1:54 PM Mario Brandt <jb...@gmail.com> wrote:
>
> There is also https://bz.apache.org/bugzilla/show_bug.cgi?id=62939

Would you mind testing with both patches below applied:
  https://github.com/apache/httpd/commit/076e28399c7336f2b287b102a6e4e40934f2057d.patch
  https://github.com/apache/httpd/commit/b3fb2d39727940b487765b401b763ae5ba79a4cf.patch
?

Regards,
Yann.

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Mario Brandt <jb...@gmail.com>.
There is also https://bz.apache.org/bugzilla/show_bug.cgi?id=62939

Cheers

On Tue, 22 Oct 2019 at 12:17, Yann Ylavic <yl...@gmail.com> wrote:
>
> [user@ => dev@]
>
> On Tue, Oct 22, 2019 at 9:21 AM Stefan Eissing
> <st...@greenbytes.de> wrote:
> >
> > > On 21.10.2019 at 22:53, Marian-Nicolae Ion <m....@oodrive.com> wrote:
> > >
> > > I recompiled and installed the new version... but I came back quickly to the "standard" one:
> > > - using "curl" I have noticed that effectively I could have TLS 1.3 only on the desired virtual host and TLS 1.2+ on the others,
> > > - however, using a normal browser (Firefox, Chromium, ...) I always encountered 403, on all virtual hosts, for all resources!
> > >
> > > I also use http2, I wonder if this does not also interfere with TLS...
> >
> > Could be an issue with connection sharing. If the browser gets the notion that your domains can be reached on the connection it has already open, a request requiring another TLS version arrives on a connection not matching it.
>
> It seems that on (SSL-)session resumption, SSL_get_servername()
> returns NULL unless one returns SSL_TLSEXT_ERR_OK (ack) in a SNI
> callback (I unplugged ssl_callback_ServerNameIndication() in my
> change, with OpenSSL 1.1.1+, which defaults to SSL_TLSEXT_ERR_NOACK).
> I'm not sure about the rationale; why let the callback decide this?
> And why on resume only? Will ask on openssl-users@.
> I think one could expect SSL_get_servername() to return what's in
> ClientHello, whether ack'ed or not...
>
> Anyway, if I follow this logic and restore
> ssl_callback_ServerNameIndication in any case (i.e. let openssl-1.1.1+
> run it after ssl_callback_ClientHello), and make it return OK/NOACK
> depending on whether we found the SNI in the configured vhosts, then I
> don't get AH02033 any more (from Chrome). So I committed r1868743...

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Yann Ylavic <yl...@gmail.com>.
[user@ => dev@]

On Tue, Oct 22, 2019 at 9:21 AM Stefan Eissing
<st...@greenbytes.de> wrote:
>
> > On 21.10.2019 at 22:53, Marian-Nicolae Ion <m....@oodrive.com> wrote:
> >
> > I recompiled and installed the new version... but I came back quickly to the "standard" one:
> > - using "curl" I have noticed that effectively I could have TLS 1.3 only on the desired virtual host and TLS 1.2+ on the others,
> > - however, using a normal browser (Firefox, Chromium, ...) I always encountered 403, on all virtual hosts, for all resources!
> >
> > I also use http2, I wonder if this does not also interfere with TLS...
>
> Could be an issue with connection sharing. If the browser gets the notion that your domains can be reached on the connection it has already open, a request requiring another TLS version arrives on a connection not matching it.

It seems that on (SSL-)session resumption, SSL_get_servername()
returns NULL unless one returns SSL_TLSEXT_ERR_OK (ack) in a SNI
callback (I unplugged ssl_callback_ServerNameIndication() in my
change, with OpenSSL 1.1.1+, which defaults to SSL_TLSEXT_ERR_NOACK).
I'm not sure about the rationale; why let the callback decide this?
And why on resume only? Will ask on openssl-users@.
I think one could expect SSL_get_servername() to return what's in
ClientHello, whether ack'ed or not...

Anyway, if I follow this logic and restore
ssl_callback_ServerNameIndication in any case (i.e. let openssl-1.1.1+
run it after ssl_callback_ClientHello), and make it return OK/NOACK
depending on whether we found the SNI in the configured vhosts, then I
don't get AH02033 any more (from Chrome). So I committed r1868743...

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Stefan Eissing <st...@greenbytes.de>.

> On 21.10.2019 at 22:53, Marian-Nicolae Ion <m....@oodrive.com> wrote:
>
> Hi!
>
> I recompiled and installed the new version... but I came back quickly to the "standard" one:
> - using "curl" I have noticed that effectively I could have TLS 1.3 only on the desired virtual host and TLS 1.2+ on the others,
> - however, using a normal browser (Firefox, Chromium, ...) I always encountered 403, on all virtual hosts, for all resources!
> 
> I also use http2, I wonder if this does not also interfere with TLS...

Could be an issue with connection sharing. If the browser gets the notion that your domains can be reached on the connection it has already open, a request requiring another TLS version arrives on a connection not matching it.

Can your curl use http2? Does it work there? 

> 
> Regards,
> 
> Marian




Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Yann Ylavic <yl...@gmail.com>.
Hi Marian,

On Thu, Oct 24, 2019 at 5:56 PM Marian Ion <m....@oodrive.com> wrote:
>
> I don't know if my reply passed to the list

Now it has ;)

> the idea is that the last
> patch works, and I thank you very much for that!

Thanks for testing!

Regards,
Yann.



Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Yann Ylavic <yl...@gmail.com>.
Hi Marian,

On Mon, Oct 21, 2019 at 10:53 PM Marian-Nicolae Ion <m....@oodrive.com> wrote:
>
> I recompiled and installed the new version... but I came back quickly to the "standard" one:
> - using "curl" I have noticed that effectively I could have TLS 1.3 only on the desired virtual host and TLS 1.2+ on the others,
> - however, using a normal browser (Firefox, Chromium, ...) I always encountered 403, on all virtual hosts, for all resources!
>
> I also use http2, I wonder if this does not also interfere with TLS...

Could you apply and test this patch on top (in addition to) the previous one?
  https://github.com/apache/httpd/commit/b3fb2d39727940b487765b401b763ae5ba79a4cf.patch

Thanks,
Yann.



Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Marian-Nicolae Ion <m....@oodrive.com>.
Hi! 

I recompiled and installed the new version... but I came back quickly to the "standard" one:
- using "curl" I have noticed that effectively I could have TLS 1.3 only on the desired virtual host and TLS 1.2+ on the others,
- however, using a normal browser (Firefox, Chromium, ...) I always encountered 403, on all virtual hosts, for all resources!

I also use http2, I wonder if this does not also interfere with TLS... 

Regards, 

Marian 

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Yann Ylavic <yl...@gmail.com>.
On Mon, Oct 21, 2019 at 4:59 PM Yann Ylavic <yl...@gmail.com> wrote:
>
> On Mon, Oct 21, 2019 at 4:21 PM Aleksandar Ivanisevic
> <al...@2e-systems.com> wrote:
> >
> > could you please copy the list or me, as I would be also interested.
>
> That's http://svn.apache.org/r1868645 on trunk. It applies cleanly to
> latest 2.4 version, just in case the corresponding patch is attached
> here.

Or there: https://github.com/apache/httpd/commit/076e28399c7336f2b287b102a6e4e40934f2057d.patch

>
> Regards,
> Yann.



Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Yann Ylavic <yl...@gmail.com>.
Hi,

On Mon, Oct 21, 2019 at 4:21 PM Aleksandar Ivanisevic
<al...@2e-systems.com> wrote:
>
> could you please copy the list or me, as I would be also interested.

That's http://svn.apache.org/r1868645 on trunk. It applies cleanly to
latest 2.4 version, just in case the corresponding patch is attached
here.

Regards,
Yann.

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Aleksandar Ivanisevic <al...@2e-systems.com>.
Hi,

could you please copy the list or me, as I would be also interested.

regards,

On 20. October 2019 at 13:28:51, Yann Ylavic (ylavic.dev@gmail.com) wrote:

Hi Marian,

On Wed, Oct 16, 2019 at 9:17 AM Marian Ion <m....@oodrive.com> wrote:
>
> Is it possible to do what I am looking for? if yes, what am I doing wrong?

I've just committed a change to httpd (trunk) which allows negotiating
the SSLProtocol per name-based virtual host configuration.
It requires OpenSSL 1.1.1+ to work, because earlier versions did not
allow doing this, but I suppose this is OK for you since you use TLS
1.3.

If you can apply a patch to your httpd-2.4.41, I can eventually
provide one for you to test in your environment.

Regards,
Yann.


Aleksandar Ivanišević
Head of Operations and Support
2e Systems

tel: +49 - 6196 - 95058 - 14
fax: +49 - 6196 - 95058 - 94
e-mail: Aleksandar.Ivanisevic@2e-systems.com

address: 2e Systems GmbH, Koenigsteiner Str. 87, 65812 Bad Soden am Taunus,
Germany
registration: Amtsgericht Koenigstein (Germany), HRB 7303
director: Philip Douglas

https://www.2e-systems.com - making your business fly!

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Yann Ylavic <yl...@gmail.com>.
Hi Marian,

On Wed, Oct 16, 2019 at 9:17 AM Marian Ion <m....@oodrive.com> wrote:
>
> Is it possible to do what I am looking for? if yes, what am I doing wrong?

I've just committed a change to httpd (trunk) which allows negotiating
the SSLProtocol per name-based virtual host configuration.
It requires OpenSSL 1.1.1+ to work, because earlier versions did not
allow doing this, but I suppose this is OK for you since you use TLS
1.3.

If you can apply a patch to your httpd-2.4.41, I can eventually
provide one for you to test in your environment.

Regards,
Yann.



Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by "Marian-N. Ion" <m....@oodrive.com>.
On 18/10/2019 01:49, Anil Kumar P wrote:
> As suggested in the wiki, did you set the below during your tests? Let us
> know your findings.
>
> NameVirtualHost *:443

Well, I didn't test that, because at
<https://httpd.apache.org/docs/2.4/mod/core.html#namevirtualhost> it is
written that "This directive currently has no effect."

But my virtual hosts are defined with <VirtualHost *:443> so I presume
it is the same thing.

But as William A Rowe Jr pointed out the SNI information is sent *after*
the TLS negotiation, so the first server's configuration takes
precedence (it seems there's no further TLS renegotiation after the
secure session has been established).
Maybe what I want may work with 2 different IPs, that I don't have...

Regards,

Marian



Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Anil Kumar P <na...@gmail.com>.
As suggested in the wiki, did you set the below during your tests? Let us know your findings.

# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443
# Go ahead and accept connections for these vhosts
# from non-SNI clients
SSLStrictSNIVHostCheck off

Thanks,
Anil

> On Oct 17, 2019, at 9:50 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> 
> On Thu, Oct 17, 2019 at 2:06 AM Marian Ion <m....@oodrive.com> wrote:
> 
>> 
>> Yes, that's why I set "SSLStrictSNIVHostCheck On" -> according to the
>> documentation "If set to on in the default name-based virtual host,
>> clients that are SNI unaware will not be allowed to access any virtual
>> host".
>> I set it in the default virtual host and in my "second.server" (that is
>> supposed to be TLS 1.3 only) but it didn't change the behaviour (i.e.
>> second.server still accepts TLS 1.2 requests...)
> 
> TLS revision describes the handshake protocol. Either the listener accepts
> TLS 1.2 handshakes or it does not; it won't look at SNI until the handshake
> is in flight with the respective TLS handshake.
> 
> This points out the possibility of multi-homing the box with one IP which
> accepts TLS 1.2+ and a different IP listening with TLS 1.3 only.
> 
> 

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Thu, Oct 17, 2019 at 2:06 AM Marian Ion <m....@oodrive.com> wrote:

>
> Yes, that's why I set "SSLStrictSNIVHostCheck On" -> according to the
> documentation "If set to on in the default name-based virtual host,
> clients that are SNI unaware will not be allowed to access any virtual
> host".
> I set it in the default virtual host and in my "second.server" (that is
> supposed to be TLS 1.3 only) but it didn't change the behaviour (i.e.
> second.server still accepts TLS 1.2 requests...)
>

TLS revision describes the handshake protocol. Either the listener accepts
TLS 1.2 handshakes or it does not; it won't look at SNI until the handshake
is in flight with the respective TLS handshake.

This points out the possibility of multi-homing the box with one IP which
accepts TLS 1.2+ and a different IP listening with TLS 1.3 only.

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Marian Ion <m....@oodrive.com>.
On 17/10/2019 04:51, Anil Kumar P wrote:
> Is the client sending the hostname header with the correct host? If not, by default the first vhost will be served.

Yes, that's why I set "SSLStrictSNIVHostCheck On" -> according to the
documentation "If set to on in the default name-based virtual host,
clients that are SNI unaware will not be allowed to access any virtual
host".
I set it in the default virtual host and in my "second.server" (that is
supposed to be TLS 1.3 only) but it didn't change the behaviour (i.e.
second.server still accepts TLS 1.2 requests...)

Thanks,

Marian



Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Anil Kumar P <na...@gmail.com>.
Is the client sending the hostname header with the correct host? If not, by default the first vhost will be served.

Thanks,
Anil

> On Oct 16, 2019, at 7:52 AM, Marian Ion <m....@oodrive.com> wrote:
> 
>> On 16/10/2019 12:44, Martin Drescher wrote:
>> So I would suggest putting the 1.3-only server first in your config.
>> I would also suggest setting 'SSLProtocol -all +TLSv1.2 +TLSv1.3' in the SSL module's config and after that denying it in 'second.server.on.my.domain' with 'SSLProtocol -TLSv1.2'. Have a look at 'SSLCipherSuite' and 'SSLHonorCipherOrder'; maybe you need to change the order here.
> 
> As a quick test I would say that it didn't work, Apache claimed that
> "AH02231: No SSL protocols available [hint: SSLProtocol]" -> So, for
> 'second.server.on.my.domain' I had to set the protocol as
>   SSLProtocol -all TLSv1.3
> in order to make it work again...
> But I have to make more tests, maybe I was too fast and I forgot
> something...
> 
> Thank you very much,
> 
> Marian
> 



Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Marian Ion <m....@oodrive.com>.
On 16/10/2019 12:44, Martin Drescher wrote:
> So I would suggest putting the 1.3-only server first in your config.
> I would also suggest setting 'SSLProtocol -all +TLSv1.2 +TLSv1.3' in the SSL module's config and after that denying it in 'second.server.on.my.domain' with 'SSLProtocol -TLSv1.2'. Have a look at 'SSLCipherSuite' and 'SSLHonorCipherOrder'; maybe you need to change the order here.

As a quick test I would say that it didn't work, Apache claimed that
"AH02231: No SSL protocols available [hint: SSLProtocol]" -> So, for
'second.server.on.my.domain' I had to set the protocol as
   SSLProtocol -all TLSv1.3
in order to make it work again...
But I have to make more tests, maybe I was too fast and I forgot
something...

Thank you very much,

Marian

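The AH02231 error Marian hit above follows from how mod_ssl evaluates SSLProtocol. As an added illustration, not code from the httpd project, the Python below models that evaluation: every directive starts from an empty set, '+' adds, '-' removes, a bare name replaces the set, and a VirtualHost-level SSLProtocol replaces the server-wide one rather than merging with it, so a lone '-TLSv1.2' leaves the vhost with no protocols at all. It assumes an OpenSSL build without SSLv3 (Debian's 1.1.1d, as in the thread), so 'all' expands to TLSv1 through TLSv1.3.

```python
# Added illustration (not httpd code): how mod_ssl evaluates an SSLProtocol
# value and how a VirtualHost-level value relates to the server-wide one.
# Assumption: an OpenSSL build without SSLv3 (Debian's 1.1.1d in the thread),
# so "all" expands to TLSv1 through TLSv1.3.

from typing import FrozenSet, Optional

PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
ALL: FrozenSet[str] = frozenset(PROTOCOLS)


def parse_sslprotocol(value: str) -> FrozenSet[str]:
    """Return the set of protocols an SSLProtocol value enables.

    mod_ssl starts every directive from the empty set, then applies the
    tokens left to right: '+name' adds, '-name' removes, a bare 'name'
    replaces whatever has been accumulated so far, and 'all' stands for
    every supported protocol.  Protocol names are case-insensitive.
    """
    enabled: set = set()
    by_lower = {p.lower(): p for p in PROTOCOLS}
    for token in value.split():
        action = token[0] if token[0] in "+-" else "="
        name = token[1:] if action != "=" else token
        if name.lower() == "all":
            chosen = set(ALL)
        elif name.lower() in by_lower:
            chosen = {by_lower[name.lower()]}
        else:
            raise ValueError(f"Illegal protocol '{name}'")
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:                      # bare token: replace the current set
            enabled = chosen
    return frozenset(enabled)


def effective_protocols(server_value: str,
                        vhost_value: Optional[str]) -> FrozenSet[str]:
    """Protocols a VirtualHost ends up with.

    A VirtualHost that sets SSLProtocol replaces the server-wide value;
    the two are not merged.  So '-TLSv1.2' inside a vhost does not mean
    "the global set minus TLSv1.2" but "nothing", and mod_ssl then logs
    AH02231 'No SSL protocols available' for that vhost.
    """
    if vhost_value is None:
        return parse_sslprotocol(server_value)
    return parse_sslprotocol(vhost_value)


def thread_cases() -> dict:
    """The configurations discussed in this thread, evaluated with these rules."""
    server_wide = "-all +TLSv1.2 +TLSv1.3"       # the ssl.conf-level setting
    return {
        "first.server (vhost: -all +TLSv1.2 +TLSv1.3)":
            effective_protocols(server_wide, "-all +TLSv1.2 +TLSv1.3"),
        "second.server (vhost: -all +TLSv1.3)":
            effective_protocols(server_wide, "-all +TLSv1.3"),
        "second.server (vhost: -TLSv1.2, as suggested)":
            effective_protocols(server_wide, "-TLSv1.2"),    # empty -> AH02231
        "second.server (vhost: -all TLSv1.3, what worked)":
            effective_protocols(server_wide, "-all TLSv1.3"),
        "vhost without its own SSLProtocol":
            effective_protocols(server_wide, None),
    }


if __name__ == "__main__":
    for label, protos in thread_cases().items():
        print(f"{label}: {sorted(protos) or 'NONE (AH02231)'}")
```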


Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?

Posted by Martin Drescher <dr...@inter.net>.
Marian,

as far as I understand (educated guess!), the 'server_name' is sent during the TLS handshake, but after server & client have agreed on a TLS version. Hence, I would expect that a client which prefers TLS 1.2 will never see 'second.server.on.my.domain'. Which may be exactly what you want.
However, the order in which the 'VirtualHost's are initialized does matter. So I would suggest putting the 1.3-only server first in your config.
I would also suggest setting 'SSLProtocol -all +TLSv1.2 +TLSv1.3' in the SSL module's config and after that denying it in 'second.server.on.my.domain' with 'SSLProtocol -TLSv1.2'. Have a look at 'SSLCipherSuite' and 'SSLHonorCipherOrder'; maybe you need to change the order here.



On 16.10.19 at 09:17, Marian Ion wrote:
> According to
> <https://cwiki.apache.org/confluence/display/HTTPD/NameBasedSSLVHostsWithSNI>
> "With SNI, you can have many virtual hosts sharing the same IP address
> and port, and each one can have its own unique certificate (and the rest
> of the configuration)."
> 
> So, using Apache 2.4.41 on a Debian Buster with OpenSSL/1.1.1d I have
> - in ssl.conf: SSLStrictSNIVHostCheck On
> - in virtual hosts files I have something like
> <VirtualHost *:443>
>   ServerName      first.server.on.my.domain
>   SSLProtocol    -all +TLSv1.2 +TLSv1.3
> </virtualHost>
> 
> <VirtualHost *:443>
>   ServerName      second.server.on.my.domain
>   SSLProtocol    -all +TLSv1.3
> </virtualHost>
> 
> For both I use wildcard certificates for *server.on.my.domain; what I
> would like is to have the second server responding to TLS 1.3 only -
> however, it seems that the configuration of the first virtual host prevails!
> 
> Is it possible to do what I am looking for? if yes, what am I doing wrong?
> 
> Marian Ion

Martin