Posted to users@httpd.apache.org by Declerck Michael-W30479 <W3...@motorola.com> on 2006/08/01 18:05:24 UTC

[users@httpd] Firefox - 'partially encrypted' SSL

Hello,
My system is Ubuntu 6.06 and Apache 2.2 with mod_ssl.
I have a problem with Firefox which says that the client-server
interaction is only partially encrypted.
The message from Firefox says exactly:
 
Connection Partially Encrypted
Parts of the page you are viewing were not encrypted before being
transmitted over the Internet.
Information sent over the Internet without encryption can be seen by
other people while it is in transit.

I installed mod_ssl statically, which gave me the default
conf/extra/httpd-ssl.conf, where ssl is supported by virtual host.
The file httpd-ssl.conf is included in my main httpd.conf.
When I statically installed, Apache modified my httpd.conf file in some
way, but I mistakenly saved over it.
 
One issue might be with a PRNG, because I do not know where I have one
(if I have one, it is not in /dev) in the httpd-ssl.conf.
Here's my httpd-ssl.conf file:

#SSLRandomSeed startup file:/dev/random  512    
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512 

Listen 10.22.97.248:443
Listen 10.22.97.248:80
AddType application/x-x509-ca-cert .cert
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin 
SSLSessionCache        shmcb:/usr/local/apache2/logs/ssl_scache(512000)
SSLSessionCacheTimeout  300
 
SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
 
<VirtualHost _default_:443>
#   General setup for the virtual host
DocumentRoot "/usr/local/apache2/cgi-bin"
ServerName panicrepository.am.mot.com:443
ServerAdmin w30479@motorola.com
ErrorLog /usr/local/apache2/logs/error_log
TransferLog /usr/local/apache2/logs/access_log
 
#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 
#   Server Certificate:
SSLCertificateFile /usr/local/openssl/certs/panicrepository.am.mot.com.cert

SSLCertificateKeyFile /usr/local/openssl/private/panicrepository.am.mot.com.key
 
<FilesMatch "\.(pl|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/apache2/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
 
#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog /usr/local/apache2/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 
</VirtualHost>



Any advice?
Does this sound like Firefox brokenness?
I would assume that it is my configuration that is the problem.

Michael DeClerck

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Firefox - 'partially encrypted' SSL

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 03.08.06 11:37, Declerck Michael-W30479 wrote:
> However, I still have a bunch of images src'ed with http:// from the
> intranet standards web server (which does not support SSL).
> So IE asks the client, "There are both secure and non-secure items on
> this page. Do you want to display the non-secure items?", and when "No"
> is clicked, all the images are broken appropriately.
> 
> What would the advantage be of downloading all the http:// src'ed images
> on to my server besides not having that pop-up in IE?
> Can images be hacked to do malicious things? 

Actually, there already were some overflows in image handling code that led
to spurious code execution.

> In other words, what sort of security am I compromising by src'ing the
> images off an unencrypted server?

You can track which images the user accessed and thus guess what the user
did.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
Windows found: (R)emove, (E)rase, (D)elete



RE: [users@httpd] Firefox - 'partially encrypted' SSL

Posted by Declerck Michael-W30479 <W3...@motorola.com>.
Thank you for all the help!
I decided to download all my js and css sources on to the website and
src them appropriately with the https:// prefix.
This deleted the 'partial encryption' in Firefox, and I also get the
little lock down in the IE status bar (oh yay!).

However, I still have a bunch of images src'ed with http:// from the
intranet standards web server (which does not support SSL).
So IE asks the client, "There are both secure and non-secure items on
this page. Do you want to display the non-secure items?", and when "No"
is clicked, all the images are broken appropriately.

What would the advantage be of downloading all the http:// src'ed images
on to my server besides not having that pop-up in IE?
Can images be hacked to do malicious things? 
In other words, what sort of security am I compromising by src'ing the
images off an unencrypted server?

Again thank you for your advice,
Michael DeClerck

________________________________

From: Graeme Walker [mailto:graeme.walker1@gmail.com] 
Sent: Wednesday, August 02, 2006 9:50 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Firefox - 'partially encrypted' SSL


If there are any page resources, other than links to other websites etc
then this will cause the page to be partially secured, since these are
not https resources i.e. are not using a secure socket.


On 8/2/06, Declerck Michael-W30479 <W3...@motorola.com> wrote: 

	Under 'view page info' then 'links' I have about nine different http://
	links, but most of them lead away from my site.
	One of the links is a form submission to an intranet search database (I have
	to include that because of intranet standards), and the javascript for
	that searching function is sourced from another site on the intranet.
	
	I have a rewrite rule that transfers all http:// requests to https://,
	but I had all my site links changed anyway.
	What does the linking have to do with the partially encrypted message?
	And could external javascript sourcing cause a hole in the SSL
	encryption?
	
	-----Original Message-----
	From: Richard Collyer [mailto:richard@firebadger.net]
	Sent: Wednesday, August 02, 2006 5:25 AM 
	To: users@httpd.apache.org
	Subject: Re: [users@httpd] Firefox - 'partially encrypted' SSL
	
	
	On Wed, August 2, 2006 10:11 am, Vincent Bray wrote:
	> On 8/1/06, Declerck Michael-W30479 <W30479@motorola.com> wrote:
	>> Any advice?
	>> Does this sound like Firefox brokenness?
	>> I would assume that it is my configuration that is the problem.
	>
	> Is this just a case of having media or frames linked in to your page
	> via http:// links?
	
	Right click --> view page info.
	
	Search for the media that is linked by http:// and not https:// 
	
	Cheers
	Richard
	
	
	


Re: [users@httpd] Firefox - 'partially encrypted' SSL

Posted by Graeme Walker <gr...@gmail.com>.
If there are any page resources, other than links to other websites etc then
this will cause the page to be partially secured, since these are not https
resources i.e. are not using a secure socket.

On 8/2/06, Declerck Michael-W30479 <W3...@motorola.com> wrote:
>
> Under 'view page info' then 'links' I have about nine different http://
> links, but most of them lead away from my site.
> One of the links is a form submission to an intranet search database (I have
> to include that because of intranet standards), and the javascript for
> that searching function is sourced from another site on the intranet.
>
> I have a rewrite rule that transfers all http:// requests to https://,
> but I had all my site links changed anyway.
> What does the linking have to do with the partially encrypted message?
> And could external javascript sourcing cause a hole in the SSL
> encryption?
>
> -----Original Message-----
> From: Richard Collyer [mailto:richard@firebadger.net]
> Sent: Wednesday, August 02, 2006 5:25 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Firefox - 'partially encrypted' SSL
>
>
> On Wed, August 2, 2006 10:11 am, Vincent Bray wrote:
> > On 8/1/06, Declerck Michael-W30479 <W3...@motorola.com> wrote:
> >> Any advice?
> >> Does this sound like Firefox brokenness?
> >> I would assume that it is my configuration that is the problem.
> >
> > Is this just a case of having media or frames linked in to your page
> > via http:// links?
>
> Right click --> view page info.
>
> Search for the media that is linked by http:// and not https://
>
> Cheers
> Richard

Re: RE: [users@httpd] Firefox - 'partially encrypted' SSL

Posted by Vincent Bray <no...@gmail.com>.
On 8/2/06, Declerck Michael-W30479 <W3...@motorola.com> wrote:
> Under 'view page info' then 'links' I have about nine different http://
> links, but most of them lead away from my site.
> One of the links is a form submission to an intranet search database (I have
> to include that because of intranet standards), and the javascript for
> that searching function is sourced from another site on the intranet.
>
> I have a rewrite rule that transfers all http:// requests to https://,
> but I had all my site links changed anyway.
> What does the linking have to do with the partially encrypted message?
> And could external javascript sourcing cause a hole in the SSL
> encryption?

Firefox appears to be doing the right thing here. The reference to
your javascript being via http:// causes the error message to be
displayed, quite rightly in my opinion. Imagine that the link was
included in the page not by you, but as the result of an XSS
vulnerability. In that case, the javascript could easily disclose
private information.

-- 
noodl
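
The distinction made in this thread (a link that leads away from the site does not affect the padlock, while a script or image fetched over http:// does), as an added example that is not part of the original posts: a Python scanner that lists what a page loads or submits over plain http://. The active/passive labels and all host names are assumptions made for the illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs the browser fetches while rendering the page.
# <a href> is absent on purpose: a link is only followed on click, so it
# does not change the encryption state of the page that contains it.
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"),
          ("frame", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url) tuples in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        # Count <link> only when it pulls in a stylesheet.
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower().split():
            return
        for name, url in a.items():
            if not url.lower().startswith("http://"):
                continue
            if (tag, name) in ACTIVE:      # can read or rewrite the page
                self.findings.append(("active", tag, url))
            elif (tag, name) in PASSIVE:   # reveals what the user is viewing
                self.findings.append(("passive", tag, url))
            elif (tag, name) == ("form", "action"):  # input leaves in clear text
                self.findings.append(("form", tag, url))

def scan(html):
    """Return every http:// subresource or form target found in html."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; all host names are placeholders.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://site.example/site.css">
<script src="http://standards.example/search.js"></script>
</head><body>
<img src="http://standards.example/logo.gif">
<a href="http://elsewhere.example/">plain link, not a subresource</a>
<form action="http://search.example/query"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_PAGE):
        print(f"{kind:8} <{tag}> {url}")
```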



RE: [users@httpd] Firefox - 'partially encrypted' SSL

Posted by Declerck Michael-W30479 <W3...@motorola.com>.
Under 'view page info' then 'links' I have about nine different http://
links, but most of them lead away from my site.
One of the links is a form submission to an intranet search database (I have
to include that because of intranet standards), and the javascript for
that searching function is sourced from another site on the intranet.

I have a rewrite rule that transfers all http:// requests to https://,
but I had all my site links changed anyway.
What does the linking have to do with the partially encrypted message?
And could external javascript sourcing cause a hole in the SSL
encryption?

-----Original Message-----
From: Richard Collyer [mailto:richard@firebadger.net] 
Sent: Wednesday, August 02, 2006 5:25 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Firefox - 'partially encrypted' SSL


On Wed, August 2, 2006 10:11 am, Vincent Bray wrote:
> On 8/1/06, Declerck Michael-W30479 <W3...@motorola.com> wrote:
>> Any advice?
>> Does this sound like Firefox brokenness?
>> I would assume that it is my configuration that is the problem.
>
> Is this just a case of having media or frames linked in to your page 
> via http:// links?

Right click --> view page info.

Search for the media that is linked by http:// and not https://

Cheers
Richard




Re: [users@httpd] Firefox - 'partially encrypted' SSL

Posted by Richard Collyer <ri...@firebadger.net>.
On Wed, August 2, 2006 10:11 am, Vincent Bray wrote:
> On 8/1/06, Declerck Michael-W30479 <W3...@motorola.com> wrote:
>> Any advice?
>> Does this sound like Firefox brokenness?
>> I would assume that it is my configuration that is the problem.
>
> Is this just a case of having media or frames linked in to your page
> via http:// links?

Right click --> view page info.

Search for the media that is linked by http:// and not https://

Cheers
Richard




Re: [users@httpd] Firefox - 'partially encrypted' SSL

Posted by Vincent Bray <no...@gmail.com>.
On 8/1/06, Declerck Michael-W30479 <W3...@motorola.com> wrote:
> Any advice?
> Does this sound like Firefox brokenness?
> I would assume that it is my configuration that is the problem.

Is this just a case of having media or frames linked in to your page
via http:// links?

-- 
noodl
