Posted to users@httpd.apache.org by aparna Puram <ap...@gmail.com> on 2011/12/07 06:50:05 UTC

[users@httpd] SSL cipher suite modification

Hello ,

Currently we are using the following ciphersuite in our httpd.conf file.

SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

But our new client does not support the RC4+RSA cipher tag. They support
the DES-CBC-SHA tag.

However, there are many other clients using the RC4+RSA tag. So I would
like to know how to append the DES-CBC-SHA tag to the existing
cipher suite, without changing the configuration.

Please let me know the SSLCipherSuite that is valid for both RC4+RSA and
DES-CBC-SHA, as RC4+RSA is SSLv2 and DES-CBC-SHA is supported by SSLv3.

Kindly let me know if you need any further information.

Re: [users@httpd] mod_proxy_html

Posted by Nick Kew <ni...@webthing.com>.
On 7 Dec 2011, at 13:14, <Ch...@LEW.DE> <Ch...@LEW.DE> wrote:

> Hello to all,

Please don't hijack someone else's thread!

> we use mod_proxy_html.
>  
> Now we have a problem with handling XML content. Some files in a location should not be parsed by mod_proxy_html; they should be delivered untouched to the client.

mod_proxy_html will never touch non-HTML contents unless you explicitly configure it.
The docs warn that you override normal behaviour at your own risk.

So I suggest you discuss the problem with whoever set it up that way, and find out
why they wanted to process non-HTML.

-- 
Nick Kew
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: mod_proxy_html

Posted by Andrew Schulman <an...@alumni.utexas.net>.
> Hello to all,
> 
> we use mod_proxy_html.
> 
> Now we have a problem with handling XML content. Some files in a location should not be parsed by mod_proxy_html; they should be delivered untouched to the client.
> Mod_proxy_html always adds following tags:
> 
> <html>
>    <body>
> <!-- Here is the xml-content -->
>    </body>
> </html>
> 
> Is it possible to disable mod_proxy_html for some files in a location?

By properly setting up your filter chains, you can tell mod_proxy_html to only
process HTML content.  http://httpd.apache.org/docs/2.2/mod/mod_filter.html




[users@httpd] mod_proxy_html

Posted by Ch...@LEW.DE.
Hello to all,

we use mod_proxy_html.

Now we have a problem with handling XML content. Some files in a location should not be parsed by mod_proxy_html; they should be delivered untouched to the client.
Mod_proxy_html always adds following tags:

<html>
   <body>
<!-- Here is the xml-content -->
   </body>
</html>

Is it possible to disable mod_proxy_html for some files in a location?

Regards Christian



Re: [users@httpd] SSL cipher suite modification

Posted by aparna Puram <ap...@gmail.com>.
Hello Igor,

Thanks a lot for the excellent suggestion...

We will raise this concern with our client. However, there are many third
party servers that are connecting to our web server, so this will take time I
guess.

Hence we will try configuring the following for the time being and check if the
new client with DES-CBC-SHA is able to connect to our web server.

!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM

I will again need your help if the new client is unable to connect.

Thanks again...

2011/12/8 Igor Galić <i....@brainsware.org>

>
>
> ----- Original Message -----
> > Hi Igor,
> >
> > Thanks a zillion.
> >
> > I understand from your mail that the following 2 cipher suites will
> > work with the existing and the new client configurations.
> >
> > Kindly correct me if I'm wrong.
> >
> > 1-->!ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > 2-->!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
> >
> > However the first cipher suite contains MD5, which is not preferable
> > due to security reasons.
> >
> > Hence we can use the second cipher, which is the same as the first
> > cipher (both the clients, those who are using RC4+RSA and the
> > DES-CBC-SHA, will be able to have a successful SSL handshake), but
> > this one is more secure compared to the first one.
> >
> > If we add the second cipher suite, does the configuration look as
> > follows?
> > SSLProtocol +SSLv3
> > SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
> > SSLHonorCipherOrder on
>
> igalic@tynix ~ % openssl ciphers -v '!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM'
> DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
> RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
> igalic@tynix ~ %
>
> SSLProtocol +SSLv3 is not very useful in this case, because
> SSLProtocol defaults to "all", so, to all, you're adding SSLv3,
> but that's already contained in "all", so it'll be ignored.
>
> One way or the other, the ciphersuite you're selecting will give you SSLv3
> *only* anyway! AND it will limit you to exactly two ciphers. In effect,
> this:
>
> does the same:
>
> igalic@tynix ~ % openssl ciphers -v '!MD5:DES-CBC-SHA:RC4+RSA'
> DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
> RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
> igalic@galic %
>
> > Please let me know if I m not clear.
>
>
> My question is still: Why do you have to narrow your cipher suite down
> *so* much? - Is there a sane way to upgrade the clients such that they
> support modern, more secure, or just: *more* ciphers?
>
> i
>
> --
> Igor Galić
>
> Tel: +43 (0) 664 886 22 883
> Mail: i.galic@brainsware.org
> URL: http://brainsware.org/
> GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE
>
>
>

Re: [users@httpd] SSL cipher suite modification

Posted by aparna Puram <ap...@gmail.com>.
Hello Igor/Matus,

The issue is resolved for now after adding the cipher that our client supports.

Resolution: They have given the list of ciphers that they support. I have
tried using one of the ciphers (DES-CBC-SHA) that they said they support.
But with this they were unable to connect.

Then I have used the following command to get the protocol and cipher that
they have used.

/opt/csw/bin/openssl s_client -connect clienthostname:443 -debug

Then it gave me the protocol that they have used.

SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA

I have added this protocol and cipher to my SSLCipherSuite. It has enabled
them to connect to our web server.

I have suggested to my clients to upgrade their applications to support SSLv3
and higher protocols.

Thanks a lot Igor, Your input has helped me a lot...:)



On Thu, Dec 8, 2011 at 7:39 PM, Matus UHLAR - fantomas <uh...@fantomas.sk>wrote:

> On 08.12.11 00:38, aparna Puram wrote:
>
>> I understand from your mail that the following 2 cipher suites will work
>> with the existing and the new client configurations.
>>
>> Kindly correct me if I'm wrong.
>>
>> 1-->!ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>> 2-->!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
>>
>> However the first cipher suite contains MD5, which is not preferable due
>> to security reasons.
>>
>
> you disallow md5 due to security reasons, but allow null,export and low
> ciphers? :-)
>
> I use DEFAULT:!EXP:!LOW and I hope that's enough. You can exclude MD5
> from those, but I'd like to see your "security" reasons, due to the paragraph
> above.
> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Linux is like a teepee: no Windows, no Gates and an apache inside...
>
>
>
>

Re: [users@httpd] SSL cipher suite modification

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 08.12.11 00:38, aparna Puram wrote:
>I understand from your mail that the following 2 cipher suites will work
>with the existing and the new client configurations.
>
>Kindly correct me if I'm wrong.
>
>1-->!ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>2-->!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
>
>However the first cipher suite contains MD5, which is not preferable due to
>security reasons.

you disallow md5 due to security reasons, but allow null,export and low 
ciphers? :-)

I use DEFAULT:!EXP:!LOW and I hope that's enough. You can exclude MD5 
from those, but I'd like to see your "security" reasons, due to the 
paragraph above.
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...



Re: [users@httpd] SSL cipher suite modification

Posted by Igor Galić <i....@brainsware.org>.

----- Original Message -----
> Hi Igor,
> 
> Thanks a zillion.
> 
> I understand from your mail that the following 2 cipher suites will
> work with the existing and the new client configurations.
> 
> Kindly correct me if I'm wrong.
> 
> 1-->!ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> 2-->!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
> 
> However the first cipher suite contains MD5, which is not preferable
> due to security reasons.
> 
> Hence we can use the second cipher, which is the same as the first
> cipher (both the clients, those who are using RC4+RSA and the
> DES-CBC-SHA, will be able to have a successful SSL handshake), but
> this one is more secure compared to the first one.
> 
> If we add the second cipher suite, does the configuration look as
> follows?
> SSLProtocol +SSLv3
> SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
> SSLHonorCipherOrder on

igalic@tynix ~ % openssl ciphers -v ' !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM'
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
igalic@tynix ~ %

SSLProtocol +SSLv3 is not very useful in this case, because
SSLProtocol defaults to "all", so, to all, you're adding SSLv3,
but that's already contained in "all", so it'll be ignored.

One way or the other, the ciphersuite you're selecting will give you SSLv3
*only* anyway! AND it will limit you to exactly two ciphers. In effect, this:

does the same:

igalic@tynix ~ % openssl ciphers -v '!MD5:DES-CBC-SHA:RC4+RSA'
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
igalic@galic %

> Please let me know if I m not clear.


My question is still: Why do you have to narrow your cipher suite down
*so* much? - Is there a sane way to upgrade the clients such that they
support modern, more secure, or just: *more* ciphers?

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE



Re: [users@httpd] SSL cipher suite modification

Posted by aparna Puram <ap...@gmail.com>.
Hi Igor,

Thanks a zillion.

I understand from your mail that the following 2 cipher suites will work
with the existing and the new client configurations.

Kindly correct me if I'm wrong.

1-->!ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
2-->!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM

However the first cipher suite contains MD5, which is not preferable due to
security reasons.

Hence we can use the second cipher, which is the same as the first cipher (both
the clients, those who are using RC4+RSA and the DES-CBC-SHA, will be able to
have a successful SSL handshake), but this one is more secure compared to
the first one.

If we add the second cipher suite, does the configuration look as
follows?
SSLProtocol +SSLv3
 SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
 SSLHonorCipherOrder on

Please let me know if I'm not clear.

2011/12/7 Igor Galić <i....@brainsware.org>

>
>
> ----- Original Message -----
> > Hello ,
> >
> > Currently we are using the following ciphersuite in our httpd.conf
> > file.
> >
> > SSLCipherSuite
> > !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >
> > But our new client does not support the RC4+RSA cipher tag. They
> > support the DES-CBC-SHA tag.
> >
> > However, there are many other clients using the RC4+RSA tag. So I
> > would like to know how to append the DES-CBC-SHA tag to the
> > existing cipher suite, without changing the configuration.
> >
> > Please let me know the SSLCipherSuite that is valid for both RC4+RSA
> > and DES-CBC-SHA, as RC4+RSA is SSLv2 and DES-CBC-SHA is supported by
> > SSLv3.
> >
> > Kindly let me know if you need any further information.
>
> How about something like?
>
>  SSLCipherSuite
> !ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>  SSLHonorCipherOrder on
>
> Although, frankly.. I'd probably not set +LOW or +SSLv2.. or anything
> below MEDIUM.
> Or containing MD5 :-S
>
>  SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
>  SSLHonorCipherOrder on
>
>
> But it doesn't really matter, the result of adding !MD5 will result in a
> very
> limited set if  DES-CBC-SHA and RC4+RSA is your lowest entry:
>
>  igalic@tynix ~ % openssl ciphers -v
> '!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM'
>  DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
>  RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
>  igalic@tynix ~ % openssl ciphers -v '!ADH:!MD5:DES-CBC-SHA:RC4+RSA'
>  DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
>  RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
>  igalic@tynix ~ %
>
>
>
> Adding MD5 makes the situation worse, IMO.
>
> I think you need to fix this. This is a problem.
>
> i
>
> --
> Igor Galić
>
> Tel: +43 (0) 664 886 22 883
> Mail: i.galic@brainsware.org
> URL: http://brainsware.org/
> GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE
>
>
>

Re: [users@httpd] SSL cipher suite modification

Posted by Igor Galić <i....@brainsware.org>.

----- Original Message -----
> Hello ,
> 
> Currently we are using the following ciphersuite in our httpd.conf
> file.
> 
> SSLCipherSuite
> !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> 
> But our new client does not support the RC4+RSA cipher tag. They
> support the DES-CBC-SHA tag.
> 
> However, there are many other clients using the RC4+RSA tag. So I
> would like to know how to append the DES-CBC-SHA tag to the
> existing cipher suite, without changing the configuration.
> 
> Please let me know the SSLCipherSuite that is valid for both RC4+RSA
> and DES-CBC-SHA, as RC4+RSA is SSLv2 and DES-CBC-SHA is supported by
> SSLv3.
> 
> Kindly let me know if you need any further information.

How about something like?

  SSLCipherSuite !ADH:!EXPORT56:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLHonorCipherOrder on

Although, frankly.. I'd probably not set +LOW or +SSLv2.. or anything below MEDIUM.
Or containing MD5 :-S

  SSLCipherSuite !ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM
  SSLHonorCipherOrder on


But it doesn't really matter, the result of adding !MD5 will result in a very
limited set if  DES-CBC-SHA and RC4+RSA is your lowest entry:

  igalic@tynix ~ % openssl ciphers -v '!ADH:!MD5:DES-CBC-SHA:RC4+RSA:+HIGH:+MEDIUM'
  DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
  RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
  igalic@tynix ~ % openssl ciphers -v '!ADH:!MD5:DES-CBC-SHA:RC4+RSA'
  DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
  RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
  igalic@tynix ~ % 



Adding MD5 makes the situation worse, IMO.

I think you need to fix this. This is a problem.

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE

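The `openssl ciphers -v` listings Igor posts in this thread, the `openssl s_client` SSL-Session block in the resolution post, and Matus's point that excluding MD5 while still allowing NULL, export and LOW ciphers is inconsistent, all amount to one manual procedure: expand the candidate SSLCipherSuite string, check that the cipher the client actually negotiates is still in it, and look hard at what else is in it. What follows is an added example of that procedure in Python; it is not code from the thread, from httpd or from OpenSSL. The two openssl listings embedded in it are constructed for the example (laid out like the lines quoted above; current OpenSSL builds no longer include SSLv2, export, DES or NULL suites by default, so the text is embedded rather than generated at run time), and the weakness rules, the function names and the shape of the `audit()` report are the example's own choices, not anything httpd or OpenSSL provides.

```python
import re
from dataclasses import dataclass

# Constructed listing in the column layout of `openssl ciphers -v` on a
# 2011-era OpenSSL that still built NULL/export/DES suites; not real output.
SAMPLE_CIPHERS_V = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
"""

# Constructed tail of `openssl s_client -connect host:443` output.
SAMPLE_S_CLIENT = """\
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
---
"""

_CIPHER_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)


@dataclass(frozen=True)
class CipherSpec:
    name: str
    protocol: str
    kx: str        # key exchange: RSA, DH, or RSA(512) for export suites
    au: str        # authentication: RSA, or None for anonymous (ADH) suites
    enc: str       # bulk cipher with key bits: AES(256), DES(56), None
    mac: str
    export: bool


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` output into CipherSpec records."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CIPHER_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ciphers -v line: {line!r}")
        specs.append(CipherSpec(m["name"], m["proto"], m["kx"], m["au"],
                                m["enc"], m["mac"], m["export"] is not None))
    return specs


def weaknesses(spec):
    """Reasons a suite fails the bar argued for in the thread; [] means OK."""
    reasons = []
    if spec.enc == "None":
        reasons.append("no encryption (eNULL)")
    if spec.export or "(512)" in spec.kx:
        reasons.append("export-grade key exchange (EXP)")
    if spec.au == "None":
        reasons.append("anonymous key exchange (ADH): no server authentication")
    if spec.mac == "MD5":
        reasons.append("MD5 MAC")
    m = re.search(r"\((\d+)\)", spec.enc)   # AES(128) -> 128; absent for eNULL
    if m and int(m.group(1)) < 128:
        reasons.append(f"{m.group(1)}-bit bulk cipher (LOW/EXP)")
    if spec.enc.startswith("RC4"):
        reasons.append("RC4 (biased keystream; prohibited by RFC 7465)")
    return reasons


def parse_s_client_session(text):
    """Return the indented key/value lines of the SSL-Session block."""
    fields, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("SSL-Session:"):
            in_block = True
            continue
        if not in_block:
            continue
        m = re.match(r"^\s+([^:]+?)\s*:\s*(.*)$", line)
        if m is None:  # first non-indented line ("---") ends the block
            break
        fields[m.group(1)] = m.group(2).strip()
    return fields


def audit(ciphers_v_text, s_client_text):
    """Is the client's negotiated cipher still in the suite, and what else is?"""
    findings = {s.name: weaknesses(s) for s in parse_ciphers_v(ciphers_v_text)}
    session = parse_s_client_session(s_client_text)
    negotiated = session.get("Cipher")
    return {
        "client_protocol": session.get("Protocol"),
        "client_cipher": negotiated,
        "client_cipher_offered": negotiated in findings,
        "weak": {n: why for n, why in findings.items() if why},
        "acceptable": [n for n, why in findings.items() if not why],
    }
```

Feed `audit()` the real output of `openssl ciphers -v '<suite>'` and of the `openssl s_client -connect host:443` run from the resolution post and it answers both questions the thread circles around: whether the candidate string still contains the suite the peer negotiated (here DHE-RSA-AES256-SHA over TLSv1), and which other suites the string admits and why each is a problem. Applied to the poster's original string, the interesting output is the `weak` section, which is exactly what Matus's "you disallow MD5 but allow null, export and low ciphers?" remark is pointing at.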