[users@httpd] Reverse SSL proxy with NULL cipher on backend?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I have a situation in which I must run an old, insecure Apache (1.3.19, don't ask...).  The application that runs with this webserver requires SSL from the client.  Let's call this oapache.

To help secure this situation, I have built a 2.0.59 with openssl configuration on this same host.  Let's call this proxyapache.

The intent is to configure oapache to listen on the loopback only, and use proxyapache as the user-facing frontend.  For the SSL requirement reason, I use 'SSLProxyEngine on' on proxyapache.  This works fine.  I've done some trickery using /etc/hosts for hostnames so that I can even use the same certificate/key with both apaches.

Here's the request.

The above configuration uses twice the CPU that the old (using only oapache, listening to the public interface) because it's doing double the SSL work:

User <-> proxyapache
proxyapache <-> oapache

I'd like to use NULL authentication, ciphers, etc to reduce the proxyapache <-> oapache SSL overhead.  How can I configure oapache and proxyapache to use NULL for authentication, ciphers, etc?

I tried the obvious:
'SSLProxyCipherSuite NULL' on proxyapache, and 'SSLCipherSuite NULL' on oapache.  In oapache's logfiles I get:

[Fri Sep 15 22:00:51 2006] [error] mod_ssl: SSL handshake failed (server oapache:8888, client proxyapache) (OpenSSL library error follows)
[Fri Sep 15 22:00:51 2006] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too restrictive SSLCipherSuite or using DSA server certificate?]

This seems to hint that I need a different kind of certificate/key file.  I tried not specifying a key/certificate file (why would I need one, for NULL everywhere?) but oapache will not start.  I also tried using /dev/null for the cert and keyfiles, oapache complains that they are empty and will not start.

So my question:
How to configure oapache and proxyapache to use SSL, with no encryption/authentication/etc?

Thanks,
Josh


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux