Mailing List Archive

VirtualHost and SSLProtocol settings ignored.
Hello,

I have a virtualhost where I need to allow only TLSv1.2.

Tried the following config:

<VirtualHost *:443>
  ServerName xxxxxx
  ServerAlias xxxxxx
..
.. cut rest to shorten a bit
..
  SSLEngine On
  SSLProtocol -all +TLSv1.2
  SSLCertificateFile /etc/letsencrypt/live/xxxxx/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/xxxxxx/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/xxxxxx/chain.pem
</VirtualHost>

But when I do a test with "nmap --script ssl-enum-ciphers -p 443
URLofSite | grep TLSv" I always see that TLSv1.1 is still activated.
Also tested with other tools like ssllabs.com...
As found on serverfault.com I tried the following directive too but
without success:

    SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2"

Seems that the generic config file in /etc/httpd/conf.d/ssl.conf always
overrides my settings in the virtualhost?

Thanks for any help,
Thomas
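The check Thomas runs by hand ("nmap --script ssl-enum-ciphers ... | grep TLSv") can be automated by parsing the script's output, which is what the following added example does. It is not code from the thread or from nmap; the sample output, the cipher names and the grades in SAMPLE_NMAP_OUTPUT are constructed to resemble what ssl-enum-ciphers prints for a server that still offers TLSv1.1 next to TLSv1.2, and the function names and regexes are the example's own.

```python
import re

# Constructed sample of "nmap --script ssl-enum-ciphers -p 443 <host>" output
# for a server that still offers TLSv1.1 next to TLSv1.2. Illustrative only:
# not a real scan result.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# Protocol headers look like "TLSv1.1:"; cipher lines look like
# "TLS_... (key exchange info) - <grade>".
PROTO_LINE = re.compile(r"^(SSLv[23]|TLSv1(?:\.[0-3])?):$")
CIPHER_LINE = re.compile(r"^(TLS_[A-Z0-9_]+)\s*(?:\([^)]*\))?\s*-\s*([A-F])$")


def parse_ssl_enum_ciphers(output):
    """Map each protocol version the script reports to its list of
    (cipher suite, grade) tuples, in the order nmap printed them."""
    offered = {}
    current = None
    for raw in output.splitlines():
        if not raw.startswith("|"):          # not part of the script block
            continue
        body = raw[1:]
        if body.startswith("_"):             # last line of a script block is "|_"
            body = body[1:]
        text = body.strip()
        m = PROTO_LINE.match(text)
        if m:
            current = m.group(1)
            offered.setdefault(current, [])
            continue
        m = CIPHER_LINE.match(text)
        if m and current is not None:
            offered[current].append((m.group(1), m.group(2)))
    return offered


def unexpected_protocols(offered, allowed=("TLSv1.2",)):
    """Protocol versions the server offered that are not in the allowed set,
    sorted so the result is stable for comparison."""
    return sorted(p for p in offered if p not in allowed)


if __name__ == "__main__":
    found = parse_ssl_enum_ciphers(SAMPLE_NMAP_OUTPUT)
    for proto, ciphers in found.items():
        print(f"{proto}: {len(ciphers)} cipher suite(s)")
    extra = unexpected_protocols(found)
    print("still enabled but not wanted:", ", ".join(extra) or "none")
```

Run against real nmap output, unexpected_protocols returns the versions that should have been disabled, so a non-empty result after a config change is the signal that the SSLProtocol directive did not take effect for that host.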
Re: VirtualHost and SSLProtocol settings ignored.
On 14.10.2020 at 10:56, Thomas Plant wrote:
> Hello,
>
> I have a virtualhost where I need to allow only TLSv1.2.
>
> Tried the following config:
>
> <VirtualHost *:443>
>   ServerName xxxxxx
>   ServerAlias xxxxxx
> ..
> .. cut rest to shorten a bit
> ..
>   SSLEngine On
>   SSLProtocol -all +TLSv1.2
>   SSLCertificateFile /etc/letsencrypt/live/xxxxx/cert.pem
>   SSLCertificateKeyFile /etc/letsencrypt/live/xxxxxx/privkey.pem
>   SSLCertificateChainFile /etc/letsencrypt/live/xxxxxx/chain.pem
> </VirtualHost>
>
> But when I do a test with "nmap --script ssl-enum-ciphers -p 443
> URLofSite | grep TLSv" I always see that TLSv1.1 is still activated.
> Also tested with other tools like ssllabs.com...
> As found on serverfault.com I tried the following directive too but
> without success:
>
>     SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2"
>
> Seems that the generic config file in /etc/httpd/conf.d/ssl.conf
> always overrides my settings in the virtualhost?
>
> Thanks for any help,
> Thomas
Sorry, forgot to post essential information: httpd is version 2.4.46
from ius repo. OS is CentOS 7.
Re: VirtualHost and SSLProtocol settings ignored.
There has been work done by Ylavic regarding this. I do not know in which release his changes made it.

However, up to then, certain SSL* configs only applied from the _first_ VirtualHost for a given port. Subsequent declarations in other vhosts had no effect. (This is probably all historical from the time before SNI was used everywhere.)

- Stefan

> On 14.10.2020 at 10:56, Thomas Plant <thomas@plant.systems> wrote:
>
> Hello,
>
> I have a virtualhost where I need to allow only TLSv1.2.
>
> Tried the following config:
>
> <VirtualHost *:443>
> ServerName xxxxxx
> ServerAlias xxxxxx
> ..
> .. cut rest to shorten a bit
> ..
> SSLEngine On
> SSLProtocol -all +TLSv1.2
> SSLCertificateFile /etc/letsencrypt/live/xxxxx/cert.pem
> SSLCertificateKeyFile /etc/letsencrypt/live/xxxxxx/privkey.pem
> SSLCertificateChainFile /etc/letsencrypt/live/xxxxxx/chain.pem
> </VirtualHost>
>
> But when I do a test with "nmap --script ssl-enum-ciphers -p 443 URLofSite | grep TLSv" I always see that TLSv1.1 is still activated. Also tested with other tools like ssllabs.com....
> As found on serverfault.com I tried the following directive too but without success:
>
> SSLOpenSSLConfCmd Protocol "-ALL, TLSv1.2"
>
> Seems that the generic config file in /etc/httpd/conf.d/ssl.conf always overrides my settings in the virtualhost?
>
> Thanks for any help,
> Thomas


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
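Stefan's explanation suggests a check a defender can run before reloading httpd: in file order, find the first VirtualHost for each port and compare its SSLProtocol with that of every later vhost on the same port. The script below is an added example, not code from the thread or from httpd; it runs over a constructed config (SAMPLE_CONFIG) in which ssl.conf's _default_ vhost is loaded before the site's vhost, the situation Thomas describes. It groups vhosts by port only, as Stefan describes the behaviour, so it deliberately says nothing about whether a dedicated-IP vhost escapes the rule. The regexes and function names (parse_vhosts, find_shadowed_ssl_protocols, lint) are the example's own.

```python
import re

# Constructed sample of two httpd config files concatenated in load order
# (ssl.conf's default vhost first, the site's vhosts second). Hostnames and
# paths are placeholders, not taken from the thread.
SAMPLE_CONFIG = """\
# --- /etc/httpd/conf.d/ssl.conf (constructed) ---
Listen 443 https
<VirtualHost _default_:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>

# --- /etc/httpd/conf.d/site.conf (constructed) ---
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine On
    SSLProtocol -all +TLSv1.2
</VirtualHost>

<VirtualHost *:443>
    ServerName legacy.example.com
    SSLEngine On
</VirtualHost>

<VirtualHost *:8443>
    ServerName admin.example.com
    SSLEngine On
    SSLProtocol -all +TLSv1.2
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>\s*$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>\s*$", re.IGNORECASE)
DIRECTIVE = re.compile(r"^\s*(ServerName|SSLProtocol)\s+(.+?)\s*$", re.IGNORECASE)


def port_of(addr):
    """Port of a VirtualHost address such as '*:443', '_default_:443' or
    '[::1]:443'; None when the address carries no port."""
    _host, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def parse_vhosts(config_text):
    """Collect, in file order, each <VirtualHost> with its addresses, the set
    of ports it listens on, its ServerName and its own SSLProtocol (None when
    the vhost does not set one and therefore inherits the server config)."""
    vhosts = []
    current = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and blank lines
        if not line:
            continue
        m = VHOST_OPEN.match(line)
        if m:
            addrs = m.group(1).split()
            current = {"addrs": addrs, "ports": {port_of(a) for a in addrs},
                       "server_name": None, "ssl_protocol": None}
            continue
        if VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        m = DIRECTIVE.match(line)
        if m and current is not None:
            key, value = m.group(1).lower(), m.group(2)
            if key == "servername":
                current["server_name"] = value
            else:
                current["ssl_protocol"] = " ".join(value.split())  # normalise spacing
    return vhosts


def find_shadowed_ssl_protocols(vhosts):
    """For each port, the first vhost in file order is the one whose SSLProtocol
    older httpd applies to every connection on that port. Report later vhosts on
    the same port whose own SSLProtocol differs from that first one."""
    first_by_port = {}
    findings = []
    for vh in vhosts:
        for port in sorted(p for p in vh["ports"] if p is not None):
            if port not in first_by_port:
                first_by_port[port] = vh
                continue
            first = first_by_port[port]
            wanted, effective = vh["ssl_protocol"], first["ssl_protocol"]
            if wanted is not None and wanted != effective:
                findings.append({
                    "port": port,
                    "vhost": vh["server_name"] or " ".join(vh["addrs"]),
                    "wanted": wanted,
                    "effective": effective,
                    "set_by": first["server_name"] or " ".join(first["addrs"]),
                })
    return findings


def lint(config_text):
    return find_shadowed_ssl_protocols(parse_vhosts(config_text))


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print(f"port {f['port']}: {f['vhost']} sets SSLProtocol '{f['wanted']}', "
              f"but the first vhost on this port ({f['set_by']}) set "
              f"'{f['effective']}', which is what older httpd applies")
```

On the sample, only www.example.com is reported: legacy.example.com sets no SSLProtocol of its own, and admin.example.com is the first vhost on port 8443. Feeding the script the real files in the order httpd includes them (ssl.conf before the site configs, as Thomas observed) shows which vhosts are affected by the first-vhost-per-port behaviour Stefan describes.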
Re: VirtualHost and SSLProtocol settings ignored.
Thanks for the explanation.
I've read that using a dedicated IP for the Virtualhost would work?

On 14.10.2020 at 11:29, Stefan Eissing wrote:
> There has been work done by Ylavic regarding this. I do not know in which release his changes made it.
>
> However, up to then, certain SSL* configs only applied from the _first_ VirtualHost for a given port. Subsequent declarations in other vhosts had no effect. (This is probably all historical from the time before SNI was used everywhere.)
>
> - Stefan
>

Re: VirtualHost and SSLProtocol settings ignored.
It could be that they match more strongly and surpass the file order. But I guess it will then switch all vhosts to TLSv1.2.

> On 14.10.2020 at 11:47, Thomas Plant <thomas@plant.systems> wrote:
>
> Thanks for the explanation.
> I've read that using a dedicated IP for the Virtualhost would work?
>
> On 14.10.2020 at 11:29, Stefan Eissing wrote:
>> There has been work done by Ylavic regarding this. I do not know in which release his changes made it.
>>
>> However, up to then, certain SSL* configs only applied from the _first_ VirtualHost for a given port. Subsequent declarations in other vhosts had no effect. (This is probably all historical from the time before SNI was used everywhere.)
>>
>> - Stefan
>>
>
