Re: Problem with httpd and openssl on NetBSD-7.1
Gary Duzan wrote:

> In Message <10926.1493743...@secondfloor.xyz>, Christopher Pinon wrote:
>
> =>J. Lewis Muir wrote:
> =>
> =>> On 05/02, Christopher Pinon wrote:
> =>> > By the way, another (easier) question about httpd: is there a way for
> =>> > httpd to listen to both plain http (port 80) requests and https (port
> =>> > 443) requests? (Like apache.) At the moment, as far as I can tell, it's
> =>> > either or, depending on whether or not '-Z ...' is set.
> =>>
> =>> I've not tried, but can't you just run two instances of it: one
> =>> listening on port 80 and the other listening on port 443?
> =>
> =>Thanks, Lewis: indeed, this works. :-) I guess that I was focused on
> =>doing this from /etc/rc.conf, but for no good reason, really. Am
> =>beginning to warm up to httpd after a long time with apache!
>
> You still can use rc.conf, if you'd like. Copy /etc/rc.d/httpd
> to /etc/rc.d/httpsd (or something like that), and tweak the copy
> to have a different name, rcvar, and command_args. Then you can
> specify httpsd=YES in /etc/rc.conf, along with other variables you
> need for command_args.

Thanks, Gary, good point, that would surely work. I guess that I was instinctively looking for a more minimalist solution, and what seems to work is that I start one instance (in my case, the SSL instance) of httpd in /etc/rc.conf (as I was doing) and the other (non-SSL) instance is handled by inetd (I had to modify /etc/inetd.conf for this). This has the minor advantage (in addition to less configuring!) that the non-SSL instance of httpd is only started when needed. It seems to work. :-)

C.
Re: Problem with httpd and openssl on NetBSD-7.1
In Message <10926.1493743...@secondfloor.xyz>, Christopher Pinon wrote:

=>J. Lewis Muir wrote:
=>
=>> On 05/02, Christopher Pinon wrote:
=>> > By the way, another (easier) question about httpd: is there a way for
=>> > httpd to listen to both plain http (port 80) requests and https (port
=>> > 443) requests? (Like apache.) At the moment, as far as I can tell, it's
=>> > either or, depending on whether or not '-Z ...' is set.
=>>
=>> I've not tried, but can't you just run two instances of it: one
=>> listening on port 80 and the other listening on port 443?
=>
=>Thanks, Lewis: indeed, this works. :-) I guess that I was focused on
=>doing this from /etc/rc.conf, but for no good reason, really. Am
=>beginning to warm up to httpd after a long time with apache!

You still can use rc.conf, if you'd like. Copy /etc/rc.d/httpd to /etc/rc.d/httpsd (or something like that), and tweak the copy to have a different name, rcvar, and command_args. Then you can specify httpsd=YES in /etc/rc.conf, along with other variables you need for command_args.

Gary Duzan
Re: Problem with httpd and openssl on NetBSD-7.1
J. Lewis Muir wrote:

> On 05/02, Christopher Pinon wrote:
> > By the way, another (easier) question about httpd: is there a way for
> > httpd to listen to both plain http (port 80) requests and https (port
> > 443) requests? (Like apache.) At the moment, as far as I can tell, it's
> > either or, depending on whether or not '-Z ...' is set.
>
> I've not tried, but can't you just run two instances of it: one
> listening on port 80 and the other listening on port 443?

Thanks, Lewis: indeed, this works. :-) I guess that I was focused on doing this from /etc/rc.conf, but for no good reason, really. Am beginning to warm up to httpd after a long time with apache!

C.
Re: Problem with httpd and openssl on NetBSD-7.1
On 05/02, Christopher Pinon wrote:

> By the way, another (easier) question about httpd: is there a way for
> httpd to listen to both plain http (port 80) requests and https (port
> 443) requests? (Like apache.) At the moment, as far as I can tell, it's
> either or, depending on whether or not '-Z ...' is set.

I've not tried, but can't you just run two instances of it: one listening on port 80 and the other listening on port 443?

Lewis
Re: Problem with httpd and openssl on NetBSD-7.1
Aaron B. wrote:

> That cipher list is the only one I've found that allows for HTTP/2,
> compatibility with older clients, and hitting an A+ on ssllabs.com all
> at once. Everything I've done tinkering on my own could only hit two of
> those three goals.
>
> Bozohttpd doesn't support HTTP/2, so that point isn't achievable. But
> that cipher list still works great and that's why I recommend it to
> everyone.

Indeed, it's a good list.

> I've always assumed that having a good enough OpenSSL version and
> simply enabling the proper cipher would turn on Perfect Forward
> Secrecy; however I wouldn't be surprised to be proven wrong. Code may
> still need to be modified.

I had the same working assumption, but then the choice of that cipher list should enable PFS (because the higher ciphers listed support PFS), and yet this doesn't happen, which I can only assume is due to the web server software (= httpd). In fact, this is also what the warning message from ssllabs.com indicates, namely, that the server doesn't support PFS.

> Forward Secrecy only guards against your private key being discovered.
> Your data will still be secure without it, assuming you follow safe
> practices with the key.
>
> Getting PFS enabled is a worthwhile thing to do. However I believe
> if bozohttpd is good enough for what you are doing, you will be safe
> enough with a mere A-minus rating. If you really need an A or A-plus,
> there's always nginx.

Yes. :-) At the beginning, Firefox was the real issue, not the A-, and now that the Firefox issue is resolved, the A- is fine for practical purposes.

By the way, another (easier) question about httpd: is there a way for httpd to listen to both plain http (port 80) requests and https (port 443) requests? (Like apache.) At the moment, as far as I can tell, it's either or, depending on whether or not '-Z ...' is set.

Thanks again.

C.
Re: Problem with httpd and openssl on NetBSD-7.1
On Tue, 02 May 2017 00:32:50 +0200 Christopher Pinon wrote:

> Jeff, thanks for the reminder of that man page. I've just tried '-z
> ALL', which similarly makes Firefox happy, but unfortunately, the score
> that I then get at ssllabs.com drops to B. :-( In this respect, the
> explicit listing that Aaron referred me to is more successful, because
> the score in this case is A-.
>

That cipher list is the only one I've found that allows for HTTP/2, compatibility with older clients, and hitting an A+ on ssllabs.com all at once. Everything I've done tinkering on my own could only hit two of those three goals.

Bozohttpd doesn't support HTTP/2, so that point isn't achievable. But that cipher list still works great and that's why I recommend it to everyone.

> I've now begun to suspect that httpd doesn't (yet?) support a cipher
> suite with Forward Secrecy (this is the obstacle to a score of A), but
> it would be great if someone could confirm this suspicion.
>

I've always assumed that having a good enough OpenSSL version and simply enabling the proper cipher would turn on Perfect Forward Secrecy; however I wouldn't be surprised to be proven wrong. Code may still need to be modified.

Forward Secrecy only guards against your private key being discovered. Your data will still be secure without it, assuming you follow safe practices with the key.

Getting PFS enabled is a worthwhile thing to do. However I believe if bozohttpd is good enough for what you are doing, you will be safe enough with a mere A-minus rating. If you really need an A or A-plus, there's always nginx.

-- 
Aaron B.
Re: Problem with httpd and openssl on NetBSD-7.1
j...@sdf.org wrote:

> +1 on the thanks - my bozohttpd+SSL seemingly stopped working with firefox
> several years ago and after fiddling around with it for a day w/o success
> I dropped the encryption as it was a LAN-only setup. I guess I misunderstood
> the man-page WRT the -Z option; "It also causes bozohttpd to start SSL
> mode" seemed to suggest there wasn't anything else needed since one
> generally expects the browser to do the negotiations for you.
>
> For anyone else: look at CIPHER LIST FORMAT in openssl_ciphers(1) for
> cipher string format. I just used '-z ALL' as I don't really care about
> the particulars and I'm using a self-signed cert.

Jeff, thanks for the reminder of that man page. I've just tried '-z ALL', which similarly makes Firefox happy, but unfortunately, the score that I then get at ssllabs.com drops to B. :-( In this respect, the explicit listing that Aaron referred me to is more successful, because the score in this case is A-.

I've now begun to suspect that httpd doesn't (yet?) support a cipher suite with Forward Secrecy (this is the obstacle to a score of A), but it would be great if someone could confirm this suspicion.

C.
Re: Problem with httpd and openssl on NetBSD-7.1
Christopher Pinon wrote:

> Aaron B. wrote:
>
> > On Mon, 01 May 2017 13:20:17 +0200
> > Christopher Pinon wrote:
> >
> > > - When I try to connect to my site via https using Firefox, Firefox
> > > gives the error message: "Cannot communicate securely with peer: no
> > > common encryption algorithm(s). Error code:
> > > SSL_ERROR_NO_CYPHER_OVERLAP"
> >
> > There's your problem here; Firefox and httpd can't find a common
> > algorithm.
> >
> > Try explicitly setting a cipher list in httpd; according to the man page
> > '-z' should do it...
> >
>
> Thanks, Aaron, explicitly setting this list solved the Firefox problem!
> ..
>

+1 on the thanks - my bozohttpd+SSL seemingly stopped working with firefox several years ago and after fiddling around with it for a day w/o success I dropped the encryption as it was a LAN-only setup. I guess I misunderstood the man-page WRT the -Z option; "It also causes bozohttpd to start SSL mode" seemed to suggest there wasn't anything else needed since one generally expects the browser to do the negotiations for you.

For anyone else: look at CIPHER LIST FORMAT in openssl_ciphers(1) for cipher string format. I just used '-z ALL' as I don't really care about the particulars and I'm using a self-signed cert.

Jeff
Re: Problem with httpd and openssl on NetBSD-7.1
Aaron B. wrote:

> On Mon, 01 May 2017 13:20:17 +0200
> Christopher Pinon wrote:
>
> > - When I try to connect to my site via https using Firefox, Firefox
> > gives the error message: "Cannot communicate securely with peer: no
> > common encryption algorithm(s). Error code:
> > SSL_ERROR_NO_CYPHER_OVERLAP"
>
> There's your problem here; Firefox and httpd can't find a common
> algorithm.
>
> Try explicitly setting a cipher list in httpd; according to the man page
> '-z' should do it. I recommend starting with Cloudflare's cipher list as this
> quickly gets very complicated and annoying.
>
> https://support.cloudflare.com/hc/en-us/articles/200933580-What-cipher-suites-does-Cloudflare-use-for-SSL-

Thanks, Aaron, explicitly setting this list solved the Firefox problem! The SSL Server Test of ssllabs.com still gives me a score of A-, because the lack of Forward Secrecy is apparently still an issue, but now it's at least clear that the Firefox problem wasn't caused by the lack of Forward Secrecy per se.

C.
Re: Problem with httpd and openssl on NetBSD-7.1
On Mon, 01 May 2017 13:20:17 +0200 Christopher Pinon wrote:

> - When I try to connect to my site via https using Firefox, Firefox
> gives the error message: "Cannot communicate securely with peer: no
> common encryption algorithm(s). Error code:
> SSL_ERROR_NO_CYPHER_OVERLAP"
>

There's your problem here; Firefox and httpd can't find a common algorithm.

Try explicitly setting a cipher list in httpd; according to the man page '-z' should do it. I recommend starting with Cloudflare's cipher list as this quickly gets very complicated and annoying.

https://support.cloudflare.com/hc/en-us/articles/200933580-What-cipher-suites-does-Cloudflare-use-for-SSL-

-- 
Aaron B.
Problem with httpd and openssl on NetBSD-7.1
Hi,

I'm using NetBSD-7.1 (i386) and am trying to get (bozo)httpd (in the base) and openssl to work well together. My certificates are from Let's Encrypt: they're fine (I also use them for secure mail connections). Here's what I'm experiencing with httpd:

- When I try to connect to my site via https using Firefox, Firefox gives the error message: "Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP"

- However, using the SSL Checker of sslshopper.com, everything seems okay (four green checkmarks, no warnings).

- Using the SSL Server Test of ssllabs.com, I get an overall rating of A- with the remark: "The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-." The detailed report also confirms that any recent version of Firefox will fail: "Server sent fatal alert: handshake_failure"

My conclusion is that the lack of Forward Secrecy is the culprit here. What I don't know is whether there's anything that I can do about this.

Two questions:

(i) Can anyone reproduce this behavior?
(ii) Is there an easy way to solve this problem? (Short of using another web server!)

Any feedback would be appreciated!

C.
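The open question in this thread, from the original post through the cipher-list replies, is whether the string given to httpd's '-z' contains forward-secrecy suites at all, or whether it does and the server simply never negotiates one. The POSIX shell script below is an added illustration, not part of the thread and not bozohttpd or NetBSD code; it separates those two cases by classifying the suites a cipher string expands to by key exchange, the way the ssllabs Forward Secrecy remark is derived. It assumes the line format of `openssl ciphers -v` (suite name, protocol, Kx=, Au=, Enc=, Mac=); the embedded sample lines are constructed so the script runs without an openssl binary or network access, and the function names (pfs_split, count_pfs, pfs_verdict) are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread, not bozohttpd code): split a cipher
# list into suites that do and do not provide forward secrecy.
# Forward secrecy comes from ephemeral Diffie-Hellman key exchange, which
# `openssl ciphers -v` reports as Kx=ECDH or Kx=DH. Kx=RSA suites wrap the
# session key with the server's long-term key, so a later compromise of
# that key exposes recorded traffic.

# pfs_split: read `openssl ciphers -v` lines on stdin and print one
# "PFS <suite>" or "NOPFS <suite>" line per suite.
pfs_split() {
    awk '
        /Kx=/ {
            kx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^Kx=/) kx = substr($i, 4)
            if (kx == "ECDH" || kx == "DH")
                print "PFS " $1
            else
                print "NOPFS " $1
        }'
}

# count_pfs: print "<pfs-count> <non-pfs-count>" for the suites on stdin.
count_pfs() {
    pfs_split | awk '
        $1 == "PFS"   { p++ }
        $1 == "NOPFS" { n++ }
        END { printf "%d %d\n", p + 0, n + 0 }'
}

# pfs_verdict: "all" if every suite offers forward secrecy, "some" if the
# list mixes both kinds (the server's preference order then decides what a
# browser ends up with), "none" if no suite does.
pfs_verdict() {
    set -- $(count_pfs)
    if [ "$1" -gt 0 ] && [ "$2" -eq 0 ]; then
        echo all
    elif [ "$1" -gt 0 ]; then
        echo some
    else
        echo none
    fi
}

# Constructed sample in the `openssl ciphers -v` format, so the script runs
# without an openssl binary: three ephemeral-DH suites and one static-RSA one.
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1'

# Run directly with a cipher string (the one you pass to `httpd -z`) and a
# local openssl to classify the real expansion; otherwise use the sample.
if [ $# -gt 0 ] && command -v openssl >/dev/null 2>&1; then
    openssl ciphers -v "$1" | pfs_split
    echo "verdict: $(openssl ciphers -v "$1" | pfs_verdict)"
else
    printf '%s\n' "$SAMPLE_CIPHERS" | pfs_split
    echo "verdict: $(printf '%s\n' "$SAMPLE_CIPHERS" | pfs_verdict)"
fi
```

A verdict of "all" or "some" only says the list offers forward-secrecy suites; whether the server actually negotiates one of them with a given browser is the separate question the ssllabs reference-browser check answers, and is what the thread's suspicion about httpd itself is about. Running the script against both the '-z ALL' setting and the explicit list shows why the two score differently: ALL expands to a mix that includes static-RSA suites, so the server's own ordering decides what a client gets.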