Posted to users@httpd.apache.org by Michele Mase' <mi...@gmail.com> on 2016/07/28 14:36:17 UTC

[users@httpd] SSLHonorCipherOrder not working as expected

I have a reverse proxy based on Apache 2.2.x (CentOS 6.x) with some name-based
virtualhosts; trying to connect with an old Axis- and Java 1.4.2.x-based app,
it only works with the following configuration:

SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH \
EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4"
# off is the default
SSLHonorCipherOrder off

Turning SSLHonorCipherOrder on, it doesn't work: I receive a TLS internal_error
alert (80):
An internal error unrelated to the peer or the correctness of the protocol
makes it impossible to continue, such as a memory allocation failure. The
error is not related to protocol. This message is always fatal.

According to the SSLHonorCipherOrder documentation, it can be set in
server config and virtual host context, but it seems not to work.

The problem:
If I set it on in the main server (or the first virtualhost), I cannot
deactivate it in the second virtualhost.
The same if I set it off in the main server (or the first virtualhost) and I
want to activate it in the second virtualhost: I cannot.

Could it be a bug, or is it by design?
How could I set the SSLHonorCipherOrder directive per virtualhost?

Regards
Michele Masè

Re: [users@httpd] SSLHonorCipherOrder not working as expected

Posted by Michele Mase' <mi...@gmail.com>.
Correct ...
Probably the old app will always land in the first vhost, but only for the SSL
options; the vhost itself works with its own ProxyPass and ProxyPassReverse
rules.
The solutions are two: trash the old app or use an IP-based vhost.
Best regards
Michele

On Fri, Jul 29, 2016 at 9:02 AM, Daniel <df...@gmail.com> wrote:


Re: [users@httpd] SSLHonorCipherOrder not working as expected

Posted by Daniel <df...@gmail.com>.
Follow Yann's advice; probably your only option is to set a different IP for
the virtualhost for this client. Most probably Java 1.4 does not support
TLS SNI either, so using name-based virtualhosts with SSL for this client will
always land you in the first SSL virtualhost available.

2016-07-28 23:43 GMT+02:00 Yann Ylavic <yl...@gmail.com>:


-- 
*Daniel Ferradal*
IT Specialist

email         dferradal at gmail.com
linkedin     es.linkedin.com/in/danielferradal

Re: [users@httpd] SSLHonorCipherOrder not working as expected

Posted by Yann Ylavic <yl...@gmail.com>.
On Thu, Jul 28, 2016 at 10:00 PM, Michele Mase' <mi...@gmail.com> wrote:
>
> Any suggestion?

Ciphers must be negotiated before HTTP is decrypted (and hence before vhost
selection can happen).
With SSLHonorCipherOrder off, the negotiated cipher is probably
RC4-SHA (the one preferred by the client).
With SSLHonorCipherOrder on, the negotiated cipher is probably an
ECDHE one (preferred by the server), which the old Java also supports,
but only to some extent (e.g. DH <= 1024, see
https://httpd.apache.org/docs/current/ssl/ssl_faq.html#javadh).

Anyway, since you still want stronger ciphers for the other
clients/vhosts, why not put the legacy one on its own (different) IP
or port, configured with a suitable/compatible CipherSuite
(CipherOrder shouldn't matter here)?

Regards,
Yann.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] SSLHonorCipherOrder not working as expected

Posted by Michele Mase' <mi...@gmail.com>.
True. Unluckily I cannot change the app, and obviously the app must work (I
know, it's a silly thing).
The problem in short:
A legacy Axis-based Java webapp, bla bla bla ... (it does some POST actions),
works with the following:
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH \
EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4"
SSLHonorCipherOrder off

The same legacy Axis-based Java webapp, bla bla bla ... (it does some POST
actions), does not work with the following:
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH \
EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS +RC4 RC4"
SSLHonorCipherOrder on

I cannot change the SSLHonorCipherOrder directive when it is in a
virtualhost other than the main server.
So:
SSLHonorCipherOrder off in the main server: the Java web app works in every
virtualhost.
SSLHonorCipherOrder on in the main server: the Java web app doesn't work in any
other virtualhost, even in those with the directive turned off. It seems the
directive is being ignored.
I hope this explanation is better than the first one.

Any suggestion?



On Thu, Jul 28, 2016 at 5:31 PM, Daniel <df...@gmail.com> wrote:

Re: [users@httpd] SSLHonorCipherOrder not working as expected

Posted by Daniel <df...@gmail.com>.
This has nothing to do with SSLHonorCipherOrder.

Java 1.4 certainly does not support any ECDHE cipher, and even less anything
greater than TLSv1.0, if I remember correctly.

Java even tends to accept ciphers it can't deal with later on, once the SSL
negotiation has started.

So, for such a dated client you should stick to TLSv1.0 max and RSA ciphers
for the time being.

It would be better if you check the Java 1.4 compatibility table to know which
ciphers will work or not, and not enable the most insecure ones you are
enabling right now.

Either that or migrate your client to a recent Java version.

On 28/7/2016 4:36 p.m., "Michele Mase'" <mi...@gmail.com> wrote:
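A worked configuration for the split that Yann and Daniel recommend, as an added example (not from this thread and not the httpd project's own documentation): the modern name-based vhosts stay on one address with the server's cipher order enforced, while the SNI-less Java 1.4.2 client gets its own address with a TLSv1.0/RSA-only cipher list and client-side ordering, so the TLS parameters it sees no longer depend on which name-based vhost httpd would have picked after the handshake. The addresses (192.0.2.10 and 192.0.2.11), hostnames, backend URLs, certificate paths and the legacy cipher list are all assumptions; which suites that JSSE actually negotiates must be confirmed against its own cipher table, as Daniel suggests.

```apache
# Added example, not from the thread. All addresses, names and paths are
# placeholders; adjust to the real deployment (httpd 2.2 syntax).

Listen 192.0.2.10:443
Listen 192.0.2.11:443

# --- Address 1: modern clients, name-based vhosts (SNI), server cipher order.
NameVirtualHost 192.0.2.10:443

<VirtualHost 192.0.2.10:443>
    ServerName proxy.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/proxy.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/proxy.example.com.key
    SSLProtocol ALL -SSLv2 -SSLv3
    # Server picks: ECDHE/AEAD first, no RC4, no 3DES, no anonymous suites.
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+AESGCM EECDH+SHA384 EECDH+SHA256 EDH+aRSA+AESGCM \
!aNULL !eNULL !LOW !3DES !RC4 !MD5 !EXP !PSK !SRP !DSS"
    ProxyPass        / http://backend-modern.internal/
    ProxyPassReverse / http://backend-modern.internal/
</VirtualHost>

# --- Address 2: the legacy Axis/Java 1.4.2 client only. It sends no SNI, so
# it always lands on the first (here: only) vhost bound to this address, and
# the cipher list below applies no matter what the vhosts on 192.0.2.10 do.
<VirtualHost 192.0.2.11:443>
    ServerName legacy.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/legacy.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/legacy.example.com.key
    # TLS 1.0 only; this client cannot negotiate anything newer.
    SSLProtocol TLSv1
    # Client-chosen order; with one short, compatible list the order is moot.
    SSLHonorCipherOrder off
    # RSA key exchange only (no ECDHE/DHE for this client). AES128-SHA is the
    # preferred fallback; RC4-SHA is kept only because the thread shows it is
    # the suite this client actually negotiates. Remove it once the client
    # is confirmed to handle AES; both entries are assumptions to verify.
    SSLCipherSuite "AES128-SHA RC4-SHA !aNULL !eNULL !EXP !LOW !MD5"
    ProxyPass        / http://backend-legacy.internal/
    ProxyPassReverse / http://backend-legacy.internal/
</VirtualHost>
```

A dedicated port on the existing address (for example `Listen 192.0.2.10:8443` with the legacy vhost bound to `192.0.2.10:8443`) works the same way, as Yann notes, because what matters is that the legacy client's ClientHello reaches a listener whose first vhost already carries the compatible settings. To confirm what each listener offers, run `openssl s_client -connect <ip>:443` without `-servername`, which mirrors the SNI-less ClientHello of the old client: against 192.0.2.11 the handshake should complete with one of the RSA suites, while against 192.0.2.10 a client restricted to those suites should be refused.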