Re: Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
I had the <If> in the <VirtualHost> context, where the SSLCipherSuite is also defined. As I understand it, the client jumps into the VirtualHost context before the TLS handshake because of SNI, so it should theoretically be possible to process the <If> in the VirtualHost context before the handshake. But I had old non-SNI-capable clients too, so that would not have worked either; with non-SNI I guess you are right. We will now do it another way to get the old clients out of the way, so that we can disable the old weak ciphers in the vhost. Thank you.

> Sent: Thursday, 25 February 2021 at 12:40
> From: "Yann Ylavic"
> To: users@httpd.apache.org
> Subject: Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
>
> On Wed, Feb 24, 2021 at 6:01 PM Hildegard Meier wrote:
> >
> > I thought about something like that as the cause, but since the client IP is
> > known from the very first start of the request, before the TLS handshake, I
> > thought it could be evaluated.
>
> Yes, but to determine the context in which the <If> takes place
> (VirtualHost, directory, location..), the server needs to know the
> request header, thus negotiate TLS with the user-agent already.
> Chicken and egg..
>
> Regards;
> Yann.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
SSLCipherSuite -all:MD5 is served by Apache (at least with old Ubuntu 14) as expected. It gets an F rating on https://www.ssllabs.com/ssltest/ though :) Never mind, that SSLCipherSuite was just an example; I should have taken one that is really used, to avoid complications.

> Sent: Thursday, 25 February 2021 at 13:55
> From: "Brian Wolfe"
> To: users@httpd.apache.org
> Subject: Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
>
> The question is if the "If/Else" block is being evaluated. I suspect it is, but the selected CipherSuites are not available and therefore the global setting is used to negotiate.
>
> On Thu, Feb 25, 2021 at 7:50 AM Yann Ylavic <ylavic@gmail.com> wrote:
> > On Thu, Feb 25, 2021 at 1:44 PM Brian Wolfe <wolfebrian2...@gmail.com> wrote:
> > >
> > > Are you sure that you have any MD5 ciphers enabled?
> >
> > Wrong thread?
> >
> > Regards;
> > Yann.
>
> --
> Thanks,
> Brian Wolfe
> https://www.linkedin.com/in/brian-wolfe-3136425a/
Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
The question is if the "If/Else" block is being evaluated. I suspect it is, but the selected CipherSuites are not available and therefore the global setting is used to negotiate.

On Thu, Feb 25, 2021 at 7:50 AM Yann Ylavic wrote:
> On Thu, Feb 25, 2021 at 1:44 PM Brian Wolfe wrote:
> >
> > Are you sure that you have any MD5 ciphers enabled?
>
> Wrong thread?
>
> Regards;
> Yann.

--
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/
Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
On Thu, Feb 25, 2021 at 1:44 PM Brian Wolfe wrote:
>
> Are you sure that you have any MD5 ciphers enabled?

Wrong thread?

Regards;
Yann.
Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
Are you sure that you have any MD5 ciphers enabled? Most of them are disabled nowadays. For example on my OSX I only have 1 MD5 available:

:~ $ openssl ciphers -v
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD
GOST2012256-GOST89-GOST89 SSLv3 Kx=GOST Au=GOST01 Enc=GOST-28178-89-CNT Mac=GOST89IMIT
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA256
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
GOST2001-GOST89-GOST89 SSLv3 Kx=GOST Au=GOST01 Enc=GOST-28178-89-CNT Mac=GOST89IMIT
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
CAMELLIA256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA256
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
CAMELLIA128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA256
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
ECDHE-RSA-RC4-SHA SSLv3 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

On Thu, Feb 25, 2021 at 6:46 AM Yann Ylavic wrote:
> On Wed, Feb 24, 2021 at 6:01 PM Hildegard Meier wrote:
> >
> > I thought about something like that as the cause, but since the client IP is
> > known from the very first start of the request, before the TLS handshake, I
> > thought it could be evaluated.
>
> Yes, but to determine the context in which the <If> takes place
> (VirtualHost, directory, location..), the server needs to know the
> request header, thus negotiate TLS with the user-agent already.
> Chicken and egg..
>
> Regards;
> Yann.

--
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/
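An added example, not code from anyone in the thread: a small POSIX shell helper that reads the `openssl ciphers -v` format Brian pasted above and lists the suites a current hardening policy would reject (MD5 MAC, RC4, single or triple DES, anonymous key exchange). SAMPLE_CIPHERS is constructed from five lines of his list so the helper runs offline; check_spec is the same filter applied to a real SSLCipherSuite string through the local openssl, which is the quick way to see what a string actually expands to before Apache serves it.

```shell
#!/bin/sh
# Added example: classify `openssl ciphers -v` output and report weak suites.
# Each line has the form:
#   NAME PROTO Kx=... Au=... Enc=... Mac=...
# SAMPLE_CIPHERS is a constructed subset of the list quoted in the thread.

SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1'

# weak_ciphers: read `openssl ciphers -v` lines on stdin and print the names
# of suites that use an MD5 MAC, RC4, DES/3DES, or no authentication (Au=None).
weak_ciphers() {
    awk '
        {
            enc = ""; mac = ""; au = ""
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "Enc") enc = kv[2]
                if (kv[1] == "Mac") mac = kv[2]
                if (kv[1] == "Au")  au  = kv[2]
            }
            if (mac == "MD5" || enc ~ /^RC4/ || enc ~ /DES/ || au == "None")
                print $1
        }'
}

# check_spec: expand an SSLCipherSuite string with the local OpenSSL and print
# the weak suites it still enables. Exit status 1 if openssl is missing.
check_spec() {
    command -v openssl >/dev/null 2>&1 || return 1
    openssl ciphers -v "$1" | weak_ciphers
}

# Stand-alone run: show the weak entries of the constructed sample.
printf '%s\n' "$SAMPLE_CIPHERS" | weak_ciphers
```

On Brian's full list the filter flags the four RC4 suites, the four 3DES suites and RC4-MD5, i.e. the same single MD5 entry he counted, plus the RC4 and 3DES suites that SSL Labs would also mark down.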
Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
On Wed, Feb 24, 2021 at 6:01 PM Hildegard Meier wrote:
>
> I thought about something like that as the cause, but since the client IP is
> known from the very first start of the request, before the TLS handshake, I
> thought it could be evaluated.

Yes, but to determine the context in which the <If> takes place (VirtualHost, directory, location..), the server needs to know the request header, thus negotiate TLS with the user-agent already. Chicken and egg..

Regards;
Yann.
Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
On Wed, Feb 24, 2021 at 6:01 PM Hildegard Meier wrote:
[...]
> Could it be possible another way to give clients of a specific vHost
> different SSLCipherSuites depending on their IP address? (cipher of first
> handshake, no renegotiation)

You can work around this by setting up a separate vhost on a different port or IP and redirecting the incoming traffic using the firewall/NAT tools supplied with your OS. Under Linux, something similar to the following might work:

iptables -t nat -A PREROUTING -p tcp -s 1.2.3.0/24 --dport 80 -j REDIRECT --to 8080

regards,
Rainer
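Rainer's workaround spelled out as an added example that is not part of his reply: a shell script that writes two TLS vhosts for one ServerName (the public one on 443 with a modern SSLCipherSuite, a legacy one on 8443 that still offers the older suites the non-SNI clients need) and prints the matching nat REDIRECT rule for the legacy subnet. Because the firewall steers the connection before Apache accepts it, no `<If>` on the client address is needed and the cipher list is fixed before the handshake. The site name, certificate paths, the subnet 192.0.2.0/24, the port 8443 and both cipher strings are assumptions for the example. The legacy vhost also carries `Require ip` for the same subnet, since REDIRECT only adds a path to the weaker configuration and does nothing to stop other clients from connecting to 8443 directly; REDIRECT rewrites the destination, not the source, so Apache still sees the real client address for that check.

```shell
#!/bin/sh
# Added example: two-vhost split for legacy clients (not the thread's own config).
# LEGACY_NET, SITE and the paths below are assumed values for the example.

LEGACY_NET="${LEGACY_NET:-192.0.2.0/24}"
SITE="${SITE:-www.example.com}"

# vhost_conf: write the public and the legacy vhost to the file given as $1.
# Drop the Listen lines if ports.conf already declares them.
vhost_conf() {
    cat > "$1" <<EOF
Listen 443
Listen 8443

# Public vhost: modern protocols and suites only; no client-IP conditions.
<VirtualHost *:443>
    ServerName $SITE
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/$SITE.crt
    SSLCertificateKeyFile /etc/ssl/private/$SITE.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder on
    DocumentRoot /var/www/$SITE
</VirtualHost>

# Legacy vhost: the REDIRECT rule sends $LEGACY_NET here, but port 8443 is
# still reachable by anyone, so the weaker settings are gated by source
# address as well (REDIRECT preserves the client address).
<VirtualHost *:8443>
    ServerName $SITE
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/$SITE.crt
    SSLCertificateKeyFile /etc/ssl/private/$SITE.key
    SSLProtocol all -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
    DocumentRoot /var/www/$SITE
    <Location "/">
        Require ip $LEGACY_NET
    </Location>
</VirtualHost>
EOF
}

# redirect_rule: print the iptables command that rewrites LEGACY_NET's
# connections to port 443 onto the legacy port before Apache accepts them.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -p tcp -s %s --dport 443 -j REDIRECT --to-ports 8443\n' "$LEGACY_NET"
}

# Usage (as root):
#   vhost_conf /etc/apache2/sites-available/legacy-split.conf
#   redirect_rule | sh
redirect_rule
```

Verify the split from a host inside the legacy subnet and from one outside it with `openssl s_client -connect HOST:443 -servername NAME`: the inside host should negotiate one of the legacy suites, the outside host only the suites of the 443 vhost, and a direct connection to port 8443 from outside should reach the TLS layer but get a 403 from the `Require ip` check.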
Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
Thank you very much Eric, for your quick response and explanation. Do you have a source for it (aside from the source code ;) ? I thought about something like that as the cause, but since the client IP is known from the very first start of the request, before the TLS handshake, I thought it could be evaluated. Could it be possible another way to give clients of a specific vHost different SSLCipherSuites depending on their IP address? (cipher of first handshake, no renegotiation)

> Sent: Wednesday, 24 February 2021 at 14:26
> From: "Eric Covener"
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
>
> > Why does this not work?
>
> <If> is evaluated early in request processing, long after the
> handshake. However, the manual says:
> In per-directory context it forces a SSL renegotiation with the
> reconfigured Cipher Suite after the HTTP request was read but before
> the HTTP response is sent.
>
> I suggest testing w/o TLS13 and testing the equivalent config with
> <Directory> or <Location> to see if renegotiation occurs w/o <If>.
> You will have to carefully look for the final cipher.
Re: [users@httpd] Set SSLCipherSuite dependent on client IP
> Why does this not work?

<If> is evaluated early in request processing, long after the handshake. However, the manual says:

In per-directory context it forces a SSL renegotiation with the reconfigured Cipher Suite after the HTTP request was read but before the HTTP response is sent.

I suggest testing w/o TLS13 and testing the equivalent config with <Directory> or <Location> to see if renegotiation occurs w/o <If>. You will have to carefully look for the final cipher.