Hi,

In my lab:

server:

<VirtualHost *:443>
...
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
###( I added TLSv1.2 to test)
SSLProtocol -All +SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2
...

client:

#curl https://w1 --insecure --tlsv1.0
curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
#curl https://w1 --insecure --tlsv1.1
curl: (35) error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
#curl https://w1 --insecure --tlsv1.2
<html><body><h1>It works!</h1>
<p>This is the default web page for this server.</p>
<p>The web server software is running but no content has been added, yet.</p>
</body></html>

It's ok.

On Tue, Jun 16, 2015 at 7:57 PM, karl karloff <karlkarloff@xxxxxxxxxxx> wrote:
> I must have mistyped my config.
>
> Assuming a config such as the following
> <VirtualHost sslv3.example.com:443>
> SSLProtocol -All +SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
> ...
>
> If I restart apache, and then try to test that (the --insecure is for a self-signed cert):
>
> $ curl https://sslv3.example.com --insecure --tlsv1.0
> <html><body><h1>It works!</h1></body></html>
>
> Shouldn't it fail and not negotiate that?
>
> Thanks,
> Karl
>
> ----------------------------------------
>> Date: Tue, 16 Jun 2015 11:17:22 +0200
>> From: sarkofage77@xxxxxxxxx
>> To: users@xxxxxxxxxxxxxxxx
>> Subject: Re: VirtualHosts, SSLProtocol, and SSLCipherSuite
>>
>> Hi,
>>
>> Have you tested with the "+"?
>>
>> from docs :
>> Syntax: SSLProtocol [+|-]protocol ...
>>
>> ex :
>> <VirtualHost www.example.com:443>
>> SSLProtocol +TLSv1.2
>> ...
>> </VirtualHost>
>> <VirtualHost old.example.com:443>
>> SSLProtocol +SSLv3
>> ...
>> </VirtualHost>
>>
>> On Tue, Jun 16, 2015 at 12:37 AM, karl karloff <karlkarloff@xxxxxxxxxxx> wrote:
>>> Is there a way in the current Apache (2.4.x or 2.2.x) to specify an SSLProtocol and SSLCipherSuite that affects only a singular VirtualHost?
>>>
>>> e.g.
>>> www.example.com requires modern encryption (i.e. TLSv1.2)
>>> old.example.com allows only deprecated Protocols/ciphers (e.g. SSLv3)
>>>
>>> I tried using something like
>>>
>>> <VirtualHost www.example.com:443>
>>> SSLProtocol TLSv1.2
>>> ...
>>> </VirtualHost>
>>> <VirtualHost old.example.com:443>
>>> SSLProtocol SSLv3
>>> ...
>>> </VirtualHost>
>>>
>>> however it seems that the SSLProtocol directive is not honored inside a VirtualHost section.
>>>
>>> Is there a way to configure this properly so that individual VirtualHosts honor only the specified protocols? Can the same method be used for SSLCipherSuite?
>>>
>>> Thanks,
>>> Karl
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
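
A repeatable version of the curl checks in this thread, as an added example that is not part of any message above: it offers TLS 1.0, 1.1 and 1.2 one at a time and compares the outcome with the versions a VirtualHost is meant to allow. The function names are made up for illustration, and it assumes curl 7.54.0 or later, where --tlsv1.x sets only a minimum version and --tls-max is needed to pin a single one.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes curl >= 7.54.0 (for --tls-max).

# probe_one HOST VERSION
# Prints "accepted", "rejected" or "inconclusive" for one protocol version.
# Minimum and maximum are both set to VERSION, so exactly one version is
# offered; --insecure matches the self-signed lab certificate in the thread.
probe_one() {
    p_rc=0
    curl --silent --output /dev/null --insecure --max-time 5 \
         "--tlsv$2" --tls-max "$2" "https://$1/" || p_rc=$?
    case $p_rc in
        0)  echo accepted ;;
        35) echo rejected ;;      # curl exit 35: the TLS handshake failed
        *)  echo inconclusive ;;  # DNS, TCP or timeout: says nothing about TLS
    esac
}

# check_vhost HOST "ALLOWED VERSIONS"
# Probes TLS 1.0, 1.1 and 1.2 and compares each result with the list of
# versions the vhost is supposed to allow. Returns 0 only if all three match.
check_vhost() {
    c_host=$1 c_allowed=" $2 " c_bad=0
    for c_ver in 1.0 1.1 1.2; do
        case $c_allowed in
            *" $c_ver "*) c_want=accepted ;;
            *)            c_want=rejected ;;
        esac
        c_got=$(probe_one "$c_host" "$c_ver")
        if [ "$c_got" = "$c_want" ]; then
            echo "ok    TLSv$c_ver $c_got"
        else
            echo "DRIFT TLSv$c_ver expected $c_want, got $c_got"
            c_bad=1
        fi
    done
    return $c_bad
}

# Usage, with the lab host from the first message:
#   check_vhost w1 "1.2"
```

A "rejected" result may also come from the client: a curl build whose TLS library has TLS 1.0 or 1.1 disabled fails the handshake locally, so confirm with a client that still offers those versions.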