Mailing List Archive

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?
[user@ => dev@]

On Tue, Oct 22, 2019 at 9:21 AM Stefan Eissing
<stefan.eissing@greenbytes.de> wrote:
>
> > On 21.10.2019 at 22:53, Marian-Nicolae Ion <m.ion@oodrive.com> wrote:
> >
> > I recompiled and installed the new version... but I came back quickly to the "standard" one:
> > - using "curl" I have noticed that effectively I could have TLS 1.3 only on the desired virtual host and TLS 1.2+ on the others,
> > - however, using a normal browser ("Firefox", "Chromium", ...) I always encountered 403, on all virtual hosts, for all resources!
> >
> > I also use http2, I wonder if this does not also interfere with TLS...
>
> Could be an issue with connection sharing. If the browser gets the notion that your domains can be reached on the connection it has already open, a request requiring another TLS version arrives on a connection not matching it.

It seems that on (SSL-)session resumption, SSL_get_servername()
returns NULL unless one returns SSL_TLSEXT_ERR_OK (ack) in a SNI
callback (I unplugged ssl_callback_ServerNameIndication() in my
change, with OpenSSL 1.1.1+, which defaults to SSL_TLSEXT_ERR_NOACK).
I'm not sure about the rationale; why let the callback decide this?
And why on resume only? Will ask on openssl-users@.
I think one could expect SSL_get_servername() to return what's in
ClientHello, whether ack'ed or not...

Anyway, if I follow this logic and restore
ssl_callback_ServerNameIndication in any case (i.e. let openssl-1.1.1+
run it after ssl_callback_ClientHello), and make it return OK/NOACK
depending on whether we found the SNI in the configured vhosts, then I
don't get AH02033 any more (from Chrome). So I committed r1868743...
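
The behaviour described above (SNI acknowledged vs. NOACK, the resumption case in which SSL_get_servername() comes back empty, and the connection-sharing situation Stefan raises) modelled in plain Python, as an added example that is not code from httpd or OpenSSL. The vhost table, hostnames and status codes are constructed for the illustration; servername_visible() simply encodes the observation in the mail rather than calling OpenSSL, and the 421 answer for a reused connection is an assumption taken from RFC 7540 section 9.1.2.

```python
"""Plain-Python model of the SNI / session-resumption logic discussed above.

Constructed example: this is not mod_ssl or OpenSSL code.  The vhost table,
hostnames and request outcomes are assumptions made for the illustration; the
callback return codes carry the values OpenSSL uses for the constants named
in the thread.
"""

# OpenSSL return codes for a servername (SNI) callback.
SSL_TLSEXT_ERR_OK = 0      # "ack": the server accepted the name
SSL_TLSEXT_ERR_NOACK = 3   # OpenSSL's default when no callback says otherwise

VERSION_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed configuration: vhost name -> versions its SSLProtocol allows.
# The first entry plays the role of the default vhost for unknown SNI names.
VHOSTS = {
    "www.example": {"TLSv1.2", "TLSv1.3"},
    "tls13.example": {"TLSv1.3"},
}


def sni_callback(servername, vhosts=VHOSTS):
    """Model of ssl_callback_ServerNameIndication as restored by r1868743:
    acknowledge the name only if a configured vhost matches it."""
    return SSL_TLSEXT_ERR_OK if servername in vhosts else SSL_TLSEXT_ERR_NOACK


def no_callback(servername, vhosts=VHOSTS):
    """Model of the 'unplugged' state: OpenSSL's default answer is NOACK."""
    return SSL_TLSEXT_ERR_NOACK


def servername_visible(hello_sni, resumed, ack):
    """Model of what SSL_get_servername() returns, as observed in the mail:
    on a resumed session the name is exposed only if it was acknowledged."""
    if resumed and ack != SSL_TLSEXT_ERR_OK:
        return None
    return hello_sni


class Connection:
    """One TLS connection: protocol picked per vhost at ClientHello time."""

    def __init__(self, sni, client_versions, resumed=False,
                 sni_cb=sni_callback, vhosts=VHOSTS):
        self.hello_sni = sni
        self.resumed = resumed
        allowed = vhosts.get(sni) or next(iter(vhosts.values()))
        common = [v for v in VERSION_ORDER
                  if v in allowed and v in client_versions]
        # None means the handshake fails: no version both sides allow.
        self.protocol = common[-1] if common else None
        self.ack = sni_cb(sni, vhosts)
        self.servername = servername_visible(sni, resumed, self.ack)


def read_request(conn, host_header, vhosts=VHOSTS):
    """Model of the request-time checks: returns (status, reason)."""
    if conn.protocol is None:
        return 0, "handshake failed"
    if conn.servername is None:
        # mod_ssl's AH02033 case: no SNI hostname on a name-based vhost -> 403
        return 403, "AH02033"
    target = vhosts.get(host_header)
    if target is None:
        return 404, "unknown vhost"
    if conn.protocol not in target:
        # The browser reused a connection whose TLS version this vhost does
        # not allow; RFC 7540 section 9.1.2 refuses such reuse with 421
        # (assumption: status chosen for this model).
        return 421, "Misdirected Request"
    return 200, "OK"


def scenario_patched():
    """Callback restored: a resumed session keeps its SNI -> request served."""
    conn = Connection("tls13.example", {"TLSv1.2", "TLSv1.3"}, resumed=True)
    return read_request(conn, "tls13.example")


def scenario_unplugged():
    """Callback unplugged (NOACK by default): resumed session loses its SNI."""
    conn = Connection("tls13.example", {"TLSv1.2", "TLSv1.3"}, resumed=True,
                      sni_cb=no_callback)
    return read_request(conn, "tls13.example")


def scenario_coalesced():
    """Connection negotiated for www.example (TLS 1.2) reused for the
    TLS 1.3-only vhost, the situation Stefan describes."""
    conn = Connection("www.example", {"TLSv1.2"})
    return read_request(conn, "tls13.example")


if __name__ == "__main__":
    for s in (scenario_patched, scenario_unplugged, scenario_coalesced):
        print(s.__name__, s())
```

Running the three scenarios shows the 403/AH02033 outcome only in the unplugged case, which is the symptom the browser tests in this thread reported, while the coalesced case is rejected at request time rather than silently served over a connection the vhost's SSLProtocol would never have negotiated.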

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?
There is also https://bz.apache.org/bugzilla/show_bug.cgi?id=62939

Cheers

On Tue, 22 Oct 2019 at 12:17, Yann Ylavic <ylavic.dev@gmail.com> wrote:
>
> [user@ => dev@]
>
> On Tue, Oct 22, 2019 at 9:21 AM Stefan Eissing
> <stefan.eissing@greenbytes.de> wrote:
> >
> > > On 21.10.2019 at 22:53, Marian-Nicolae Ion <m.ion@oodrive.com> wrote:
> > >
> > > I recompiled and installed the new version... but I came back quickly to the "standard" one:
> > > - using "curl" I have noticed that effectively I could have TLS 1.3 only on the desired virtual host and TLS 1.2+ on the others,
> > > - however, using a normal browser ("Firefox", "Chromium", ...) I always encountered 403, on all virtual hosts, for all resources!
> > >
> > > I also use http2, I wonder if this does not also interfere with TLS...
> >
> > Could be an issue with connection sharing. If the browser gets the notion that your domains can be reached on the connection it has already open, a request requiring another TLS version arrives on a connection not matching it.
>
> It seems that on (SSL-)session resumption, SSL_get_servername()
> returns NULL unless one returns SSL_TLSEXT_ERR_OK (ack) in a SNI
> callback (I unplugged ssl_callback_ServerNameIndication() in my
> change, with OpenSSL 1.1.1+, which defaults to SSL_TLSEXT_ERR_NOACK).
> I'm not sure about the rationale; why let the callback decide this?
> And why on resume only? Will ask on openssl-users@.
> I think one could expect SSL_get_servername() to return what's in
> ClientHello, whether ack'ed or not...
>
> Anyway, if I follow this logic and restore
> ssl_callback_ServerNameIndication in any case (i.e. let openssl-1.1.1+
> run it after ssl_callback_ClientHello), and make it return OK/NOACK
> depending on whether we found the SNI in the configured vhosts, then I
> don't get AH02033 any more (from Chrome). So I committed r1868743...

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?
On Tue, Oct 22, 2019 at 1:54 PM Mario Brandt <jblond@gmail.com> wrote:
>
> There is also https://bz.apache.org/bugzilla/show_bug.cgi?id=62939

Would you mind testing with both patches below applied:
https://github.com/apache/httpd/commit/076e28399c7336f2b287b102a6e4e40934f2057d.patch
https://github.com/apache/httpd/commit/b3fb2d39727940b487765b401b763ae5ba79a4cf.patch
?

Regards,
Yann.

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?
Hi Yann,
I'll test the patches this week or at the weekend.

Cheers
Mario

Yann Ylavic <ylavic.dev@gmail.com> wrote on Tue., 22 Oct 2019, 14:55:

> On Tue, Oct 22, 2019 at 1:54 PM Mario Brandt <jblond@gmail.com> wrote:
> >
> > There is also https://bz.apache.org/bugzilla/show_bug.cgi?id=62939
>
> Would you mind testing with both patches below applied:
>
> https://github.com/apache/httpd/commit/076e28399c7336f2b287b102a6e4e40934f2057d.patch
>
> https://github.com/apache/httpd/commit/b3fb2d39727940b487765b401b763ae5ba79a4cf.patch
> ?
>
> Regards,
> Yann.
>

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?
Hi,
is there only a patch against trunk or is there one available for 2.4?

On Tue, 22 Oct 2019 at 18:34, Mario Brandt <jblond@gmail.com> wrote:
>
> Hi Yann,
> I'll test the patches this week or at the weekend.
>
> Cheers
> Mario
>
> Yann Ylavic <ylavic.dev@gmail.com> wrote on Tue., 22 Oct 2019, 14:55:
>>
>> On Tue, Oct 22, 2019 at 1:54 PM Mario Brandt <jblond@gmail.com> wrote:
>> >
>> > There is also https://bz.apache.org/bugzilla/show_bug.cgi?id=62939
>>
>> Would you mind testing with both patches below applied:
>> https://github.com/apache/httpd/commit/076e28399c7336f2b287b102a6e4e40934f2057d.patch
>> https://github.com/apache/httpd/commit/b3fb2d39727940b487765b401b763ae5ba79a4cf.patch
>> ?
>>
>> Regards,
>> Yann.

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?
On Tue, Oct 22, 2019 at 8:01 PM Mario Brandt <jblond@gmail.com> wrote:
>
> is there only a patch against trunk or is there one available for 2.4?

The patches should apply just fine against latest 2.4.

Regards,
Yann.

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?
Hi Yann,
it was a PITA to apply this patch in 2.4.41 since the code lines are
very different.
And it fails to build.

Regards
Mario

On Wed, 23 Oct 2019 at 00:01, Yann Ylavic <ylavic.dev@gmail.com> wrote:
>
> On Tue, Oct 22, 2019 at 8:01 PM Mario Brandt <jblond@gmail.com> wrote:
> >
> > is there only a patch against trunk or is there one available for 2.4?
>
> The patches should apply just fine against latest 2.4.
>
> Regards,
> Yann.

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?
Hi Mario,

On Wed, Oct 23, 2019 at 10:05 AM Mario Brandt <jblond@gmail.com> wrote:
>
> it was a PITA to apply this patch in 2.4.41 since the code lines are
> very different.
> And it fails to build.

Sorry about that, full/single patch attached.

Regards,
Yann.

Re: [users@httpd] Is it possible to have in Apache 2.4 VirtualHosts, each with its own SSLProtocol ?
Hi Yann,
thanks a lot for that patch file.

I can confirm that the patch works on 2.4.41.

Built with:

SSL 1.1.1d
HTTPD 2.4.41
APR 1.7.0
APRU 1.6.1
APRI 1.2.2
ZLIB 1.2.11
PCRE 8.43
HTTP2 1.39.2

I'd like to see that going into 2.4.next

Regards
Mario

On Wed, 23 Oct 2019 at 10:41, Yann Ylavic <ylavic.dev@gmail.com> wrote:
>
> Hi Mario,
>
> On Wed, Oct 23, 2019 at 10:05 AM Mario Brandt <jblond@gmail.com> wrote:
> >
> > it was a PITA to apply this patch in 2.4.41 since the code lines are
> > very different.
> > And it fails to build.
>
> Sorry about that, full/single patch attached.
>
> Regards,
> Yann.