Posted to users@httpd.apache.org by Hildegard Meier <da...@gmx.de> on 2021/02/24 13:12:40 UTC
[users@httpd] Set SSLCipherSuite dependent on client IP
Hello,
I have an Ubuntu 14 server with Apache 2.4.7.
I configured it so that SSLCipherSuite depends on the client IP address.
But the If/Else directive seems to be silently ignored; only the global default SSLCipherSuite value is ever in effect.
The SSLCipherSuite given in the If or Else block (the Else should apply to every client that is not in the 1.2.3.0/26 network) is not taken.
Why does this not work?
Is there another way to achieve the goal?
Here is the vHost config:
<VirtualHost *:4433>
ServerName ssl-test.example.com
DocumentRoot "/var/www/docs/empty"
SSLEngine on
SSLCertificateKeyFile "/etc/apache2/ssl/keys/test.key"
SSLCertificateFile "/etc/apache2/ssl/certs/test.crt"
SSLCertificateChainFile "/etc/apache2/ssl/certs/test.crt"
<If "-R '1.2.3.0/26'">
SSLCipherSuite -all:MD5
</If>
<Else>
SSLCipherSuite -all:SHA1
</Else>
CustomLog "/var/log/apache2/test/access.log" vhost_combined
ErrorLog "/var/log/apache2/test/error.443.log"
</VirtualHost>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Aw: [users@httpd] Set SSLCipherSuite dependent on client IP
Posted by Hildegard Meier <da...@gmx.de>.
P.S. Never mind the port 4433 in the example; that's because of load balancer port NATting.
The vHost works fine with outbound port 443. This question is only about the if/else block in combination with SSLCipherSuite.
Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
Posted by Rainer Canavan <ra...@sevenval.com>.
On Wed, Feb 24, 2021 at 6:01 PM Hildegard Meier <da...@gmx.de> wrote:
[...]
> Could there be another way to give clients of a specific vHost different SSLCipherSuites depending on their IP address? (cipher of first handshake, no renegotiation)
You can work around this by setting up a separate vhost on a different
port or IP and redirect the incoming traffic using the firewall/NAT
tools supplied with your OS. Under Linux, something similar to the
following might work:
iptables -t nat -A PREROUTING -p tcp -s 1.2.3.0/24 --dport 80 -j REDIRECT --to 8080
regards,
Rainer
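Rainer's workaround spelled out as an added configuration example; it is not from the thread, and the port 8443, the cipher strings, the protocol settings and the choice of 1.2.3.0/26 as the legacy client network are assumptions:

```apache
# Added example (not from the thread). Goal: keep the default vhost on a
# strong cipher list and serve the legacy client network 1.2.3.0/26 from a
# second vhost with its own SSLCipherSuite. The split happens at the TCP
# level, before the TLS handshake, so no <If> and no renegotiation are needed.
#
# Companion NAT rule (assumed iptables; run as root, persist per your OS):
#   iptables -t nat -A PREROUTING -p tcp -s 1.2.3.0/26 --dport 443 \
#            -j REDIRECT --to-ports 8443
# Keep 8443 closed at the perimeter so only redirected traffic reaches it.

Listen 443
Listen 8443

# Default vhost: everybody outside the legacy network.
<VirtualHost *:443>
    ServerName ssl-test.example.com
    DocumentRoot "/var/www/docs/empty"
    SSLEngine on
    SSLCertificateKeyFile "/etc/apache2/ssl/keys/test.key"
    SSLCertificateFile "/etc/apache2/ssl/certs/test.crt"
    # Strong-only list (assumed policy; tune to your client base).
    SSLProtocol -all +TLSv1.2
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on
    CustomLog "/var/log/apache2/test/access.log" vhost_combined
    ErrorLog "/var/log/apache2/test/error.443.log"
</VirtualHost>

# Legacy vhost: only the redirected 1.2.3.0/26 clients should land here.
<VirtualHost *:8443>
    ServerName ssl-test.example.com
    DocumentRoot "/var/www/docs/empty"
    SSLEngine on
    SSLCertificateKeyFile "/etc/apache2/ssl/keys/test.key"
    SSLCertificateFile "/etc/apache2/ssl/certs/test.crt"
    # Placeholder legacy list: substitute what the old clients actually need.
    SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite AES128-SHA:DES-CBC3-SHA
    # Defence in depth: refuse anyone who reaches 8443 without the redirect.
    <Location "/">
        Require ip 1.2.3.0/26
    </Location>
    CustomLog "/var/log/apache2/test/access-legacy.log" vhost_combined
    ErrorLog "/var/log/apache2/test/error.8443.log"
</VirtualHost>
```

To confirm which list is in effect, run from a host in each network `openssl s_client -connect ssl-test.example.com:443 -servername ssl-test.example.com </dev/null | grep -E 'Protocol|Cipher'`; the Cipher line shows what was actually negotiated for the first handshake.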
Aw: Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
Posted by Hildegard Meier <da...@gmx.de>.
I had the <If> in the <VirtualHost> context, where the SSLCipherSuite is also defined.
As I understand it, the client jumps into the VirtualHost context before the TLS handshake because of SNI, so it should theoretically be possible to process the <If> in the VirtualHost context before the handshake.
But I had old non-SNI-capable clients too, so that would not have worked either; with non-SNI I guess you are right.
We will now do it another way to get the old clients out of the way, so that we can disable old weak ciphers in the vhost.
Thank you.
> Gesendet: Donnerstag, 25. Februar 2021 um 12:40 Uhr
> Von: "Yann Ylavic" <yl...@gmail.com>
> An: users@httpd.apache.org
> Betreff: Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
>
> On Wed, Feb 24, 2021 at 6:01 PM Hildegard Meier <da...@gmx.de> wrote:
> >
> > I thought about something like that as cause, but since the client IP is known from the very first start of the request, before TLS handshake, I thought it could be evaluated.
>
> Yes but to determine the context from which the <If> takes place
> (VirtualHost, directory, location..), the server needs to know the
> request header, thus negotiate TLS with the user-agent already.
> Chicken and egg..
>
> Regards;
> Yann.
>
Aw: Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
Posted by Hildegard Meier <da...@gmx.de>.
SSLCipherSuite -all:MD5
is served by Apache (at least with old Ubuntu 14) as expected.
It gets an F rating on https://www.ssllabs.com/ssltest/ though :)
Never mind, that SSLCipherSuite was just an example; I should have taken one that is really used, to avoid complication.
Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
Posted by Brian Wolfe <wo...@gmail.com>.
The question is if the "If/Else" block is being evaluated. I suspect it is,
but the selected CipherSuites are not available and therefore the global
setting is used to negotiate.
On Thu, Feb 25, 2021 at 7:50 AM Yann Ylavic <yl...@gmail.com> wrote:
> On Thu, Feb 25, 2021 at 1:44 PM Brian Wolfe <wo...@gmail.com>
> wrote:
> >
> > Are you sure that you have any MD5 ciphers enabled.
>
> Wrong thread?
>
> Regards;
> Yann.
>
--
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/
Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
Posted by Yann Ylavic <yl...@gmail.com>.
On Thu, Feb 25, 2021 at 1:44 PM Brian Wolfe <wo...@gmail.com> wrote:
>
> Are you sure that you have any MD5 ciphers enabled.
Wrong thread?
Regards;
Yann.
Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
Posted by Brian Wolfe <wo...@gmail.com>.
Are you sure that you have any MD5 ciphers enabled? Most of them are
disabled nowadays. For example, on my OSX I only have one MD5 cipher available:
:~ $ openssl ciphers -v
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD
GOST2012256-GOST89-GOST89 SSLv3 Kx=GOST Au=GOST01 Enc=GOST-28178-89-CNT Mac=GOST89IMIT
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
GOST2001-GOST89-GOST89 SSLv3 Kx=GOST Au=GOST01 Enc=GOST-28178-89-CNT Mac=GOST89IMIT
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
--
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/
Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
Posted by Yann Ylavic <yl...@gmail.com>.
On Wed, Feb 24, 2021 at 6:01 PM Hildegard Meier <da...@gmx.de> wrote:
>
> I thought about something like that as cause, but since the client IP is known from the very first start of the request, before TLS handshake, I thought it could be evaluated.
Yes but to determine the context from which the <If> takes place
(VirtualHost, directory, location..), the server needs to know the
request header, thus negotiate TLS with the user-agent already.
Chicken and egg..
Regards;
Yann.
Aw: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
Posted by Hildegard Meier <da...@gmx.de>.
Thank you very much Eric, for your quick response and explanation. Do you have a source for it (aside from the source code ;) )?
I thought about something like that as the cause, but since the client IP is known from the very first start of the request, before the TLS handshake, I thought it could be evaluated.
Could there be another way to give clients of a specific vHost different SSLCipherSuites depending on their IP address? (cipher of the first handshake, no renegotiation)
> Gesendet: Mittwoch, 24. Februar 2021 um 14:26 Uhr
> Von: "Eric Covener" <co...@gmail.com>
> An: users@httpd.apache.org
> Betreff: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
>
> > Why does this not work?
>
> <If> is evaluated early in request processing, long after the
> handshake. However, the manual says:
> In per-directory context it forces a SSL renegotiation with the
> reconfigured Cipher Suite after the HTTP request was read but before
> the HTTP response is sent.
>
> I suggest testing w/o TLS13 and testing the equivalent config with
> <Directory> or <Location> to see if renegotiation occurs w/o <If>.
> You will have to carefully look for the final cipher.
>
Re: [users@httpd] Set SSLCipherSuite dependent on client IP
Posted by Eric Covener <co...@gmail.com>.
> Why does this not work?
<If> is evaluated early in request processing, long after the
handshake. However, the manual says:
In per-directory context it forces a SSL renegotiation with the
reconfigured Cipher Suite after the HTTP request was read but before
the HTTP response is sent.
I suggest testing w/o TLS13 and testing the equivalent config with
<Directory> or <Location> to see if renegotiation occurs w/o <If>.
You will have to carefully look for the final cipher.