RE: VirtualHosts, SSLProtocol, and SSLCipherSuite

I must have mistyped my config.

Assuming a config such as the following:
<VirtualHost sslv3.example.com:443>
SSLProtocol     -All +SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
...

If I restart Apache, and then try to test that (the --insecure is for a self-signed cert):

$ curl https://sslv3.example.com --insecure --tlsv1.0
<html><body><h1>It works!</h1></body></html>

Shouldn't it fail and not negotiate that?

Thanks,
Karl

----------------------------------------
> Date: Tue, 16 Jun 2015 11:17:22 +0200
> From: sarkofage77@xxxxxxxxx
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re:  VirtualHosts, SSLProtocol, and SSLCipherSuite
>
> Hi,
>
> Have you tested with the "+"?
>
> From the docs:
> Syntax: SSLProtocol [+|-]protocol ...
>
> Example:
> <VirtualHost www.example.com:443>
> SSLProtocol +TLSv1.2
> ...
> </VirtualHost>
> <VirtualHost old.example.com:443>
> SSLProtocol +SSLv3
> ...
> </VirtualHost>
>
>
>
> On Tue, Jun 16, 2015 at 12:37 AM, karl karloff <karlkarloff@xxxxxxxxxxx> wrote:
>> Is there a way in the current Apache (2.4.x or 2.2.x) to specify an SSLProtocol and SSLCipherSuite that affects only a singular VirtualHost?
>>
>> e.g.
>> www.example.com requires modern encryption (i.e. TLSv1.2)
>> old.example.com allows only deprecated Protocols/ciphers (e.g. SSLv3)
>>
>> I tried using something like
>>
>> <VirtualHost www.example.com:443>
>> SSLProtocol TLSv1.2
>> ...
>> </VirtualHost>
>> <VirtualHost old.example.com:443>
>> SSLProtocol SSLv3
>> ...
>> </VirtualHost>
>>
>> however it seems that the SSLProtocol directive is not honored inside a VirtualHost section.
>>
>> Is there a way to configure this properly so that individual VirtualHosts honor only the specified protocols? Can the same method be used for SSLCipherSuite?
>>
>> Thanks,
>> Karl
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>
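A way to check what each name-based virtual host actually negotiates, as an added example that is not part of the original thread: it offers exactly one protocol version per handshake, with the vhost's name sent as SNI, and lists the versions the server accepted outside that vhost's intended policy. The hostnames are the thread's placeholders, the function names are hypothetical, and SSLv3 is not probed because current OpenSSL client builds usually cannot offer it.

```python
import socket
import ssl

# The TLS versions the SSLProtocol line in the thread switches off.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # self-signed cert, as with curl --insecure
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version    # min == max: no fallback to another version
    ctx.maximum_version = version
    return ctx

def probe(host, port, sni, version, timeout=5.0):
    """Return the negotiated protocol name, or None if the handshake fails."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = pinned_context(version)
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return tls.version()
    except OSError:                  # ssl.SSLError is a subclass of OSError
        return None

def scan(host, port, sni):
    """Map each version name to True if the server completed a handshake."""
    return {name: probe(host, port, sni, v) is not None
            for name, v in VERSIONS.items()}

def violations(accepted, allowed):
    """Versions the server accepted that the vhost's policy does not list."""
    return sorted(n for n, ok in accepted.items() if ok and n not in allowed)

if __name__ == "__main__":
    # Intended policy per vhost, taken from the thread (assumed to resolve here).
    policy = {"sslv3.example.com": set(), "www.example.com": {"TLSv1.2"}}
    for name, allowed in policy.items():
        accepted = scan(name, 443, name)
        print(name, accepted, "unexpected:", violations(accepted, allowed))
```

A False result can also mean the local OpenSSL build or its security level refuses that version, so confirm a negative with a client known to support it.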




