How to different SSLProtocol for each of the conf files


chetan jain
Hi All,

We have an Apache WebServer (2.2.15) setup on CentOS 6 where in httpd.conf we have included conf.d/*.conf files, which have the configuration for all the virtual hosts.

In conf.d we have a respective .conf file for each of the virtual hosts, like:

abc_com.conf for abc.com
xyz_com.conf for xyz.com

etc.

Now I want to disable TLSv1.0 and SSLv3 requests for only one of these virtual hosts, but even if I put the values like:

SSLProtocol ALL -SSLv3 -SSLv2 -TLSv1 -TLSv1.1

in the xyz_com.conf file, TLSv1.0 and 1.1 are still enabled for xyz.com.

To disable it, I have to put the same value in the abc_com.conf file as well; only then does it get disabled for xyz.com as well (even if I remove the parameter from xyz_com.conf, in that case it is still disabled).

Can't we have different SSLProtocol for different virtual hosts?

I cannot disable it for all the websites; I have to do it for only one of them. How can I achieve this?

Any help is highly appreciated.

--Chetan Jain

Re: How to different SSLProtocol for each of the conf files

Eric Covener
On Fri, Jul 21, 2017 at 2:37 AM, chetan jain <[hidden email]> wrote:

> Hi All,
>
> We have an Apache WebServer (2.2.15) setup on CentOS 6 where in httpd.conf
> we have included conf.d/*.conf files, which have the configuration for all
> the virtual hosts.
>
> In conf.d we have a respective .conf file for each of the virtual hosts, like:
>
> abc_com.conf for abc.com
> xyz_com.conf for xyz.com
>
> etc.
>
> Now I want to disable TLSv1.0 and SSLv3 requests for only one of these
> virtual hosts, but even if I put the values like:
>
> SSLProtocol ALL -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
>
> in the xyz_com.conf file, TLSv1.0 and 1.1 are still enabled for xyz.com.
>
> To disable it, I have to put the same value in the abc_com.conf file as
> well; only then does it get disabled for xyz.com as well (even if I remove
> the parameter from xyz_com.conf, in that case it is still disabled).
>
> Can't we have different SSLProtocol for different virtual hosts?
>
> I cannot disable it for all the websites; I have to do it for only one of
> them. How can I achieve this?

The file names don't matter very much. What matters is whether they
are separate IP:PORT based vhosts. If they're not, they can't have
separate SSL configurations.


--
Eric Covener

Re: How to different SSLProtocol for each of the conf files

chetan jain
Hi Eric,

Thanks for the reply.
We have a different server alias for each of the hosts. It does get honoured; that is how requests go to the correct sites.

It's just something with the SSLProtocol. I read somewhere after googling that SSLProtocol is taken from the first virtual host which is loaded and the rest are ignored. I am trying to seek confirmation of whether that is correct... and what can be done to achieve the needful.

On 21 Jul 2017 5:09 p.m., "Eric Covener" <[hidden email]> wrote:
The file names don't matter very much. What matters is whether they
are separate IP:PORT based vhosts. If they're not, they can't have
separate SSL configurations.



Re: How to different SSLProtocol for each of the conf files

chetan jain
Hi All,

Any more input on this?

--Chetan

On 21 Jul 2017 10:40 p.m., "chetan jain" <[hidden email]> wrote:
Hi Eric,

Thanks for the reply.
We have a different server alias for each of the hosts. It does get honoured; that is how requests go to the correct sites.

It's just something with the SSLProtocol. I read somewhere after googling that SSLProtocol is taken from the first virtual host which is loaded and the rest are ignored. I am trying to seek confirmation of whether that is correct... and what can be done to achieve the needful.


Re: How to different SSLProtocol for each of the conf files

Luca Toscano
Hi,

We'd need to get your vhost configuration before helping further. As Eric mentioned, you probably have some overlap, but it is very difficult to debug only from your description. If you can put your configuration on https://apaste.info/ it would be great; otherwise I'd suggest reaching out to the folks in #httpd (IRC Freenode) to get some live help.

Luca


2017-07-25 6:45 GMT+02:00 chetan jain <[hidden email]>:
Hi All,

Any more input on this?

--Chetan


Re: How to different SSLProtocol for each of the conf files

chetan jain
Hi Luca,

I have uploaded the content : 


Please review.

--Chetan

On Tue, Jul 25, 2017 at 4:17 AM, Luca Toscano <[hidden email]> wrote:
Hi,

We'd need to get your vhost configuration before helping further. As Eric mentioned, you probably have some overlap, but it is very difficult to debug only from your description. If you can put your configuration on https://apaste.info/ it would be great; otherwise I'd suggest reaching out to the folks in #httpd (IRC Freenode) to get some live help.

Luca



Re: How to different SSLProtocol for each of the conf files

Luca Toscano
As Eric pointed out earlier on:

> The file names don't matter very much. What matters is whether they
> are separate IP:PORT based vhosts. If they're not, they can't have
> separate SSL configurations.

In all files you have <VirtualHost *:443> and you use a different ServerName to differentiate. I am not a big expert, but I believe that what Eric is saying is that if you want to use a different SSL configuration on one VirtualHost, you can, with the constraint that the IP:PORT (stated in <VirtualHost IP:PORT>) is unique and not used in another VirtualHost block.

Luca

2017-07-25 12:01 GMT+02:00 chetan jain <[hidden email]>:
Hi Luca,

I have uploaded the content : 


Please review.

--Chetan
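
An added example (not part of the thread and not httpd project code): a small Python check that applies the rule Eric and Luca describe, grouping <VirtualHost> blocks by their address:port and flagging any group whose SSLProtocol values differ. The conf contents and the 192.0.2.x addresses are constructed, and addresses are compared as literal strings, which is a simplifying assumption.

```python
import re
from collections import defaultdict

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost\s*>", re.I)
DIRECTIVE = re.compile(r"^\s*(ServerName|SSLProtocol)\s+(.+?)\s*$", re.I)


def parse_vhosts(files):
    """files maps filename -> conf text; returns one dict per <VirtualHost> block."""
    vhosts = []
    for fname, text in sorted(files.items()):  # sorted for deterministic output
        current = None
        for line in text.splitlines():
            if line.lstrip().startswith("#"):
                continue  # skip comment lines
            m = VHOST_OPEN.match(line)
            if m:
                current = {"file": fname, "addrs": m.group(1).lower().split(),
                           "ServerName": None, "SSLProtocol": None}
                continue
            if VHOST_CLOSE.match(line):
                if current is not None:
                    vhosts.append(current)
                current = None
                continue
            m = DIRECTIVE.match(line)
            if m and current is not None:
                if m.group(1).lower() == "servername":
                    current["ServerName"] = m.group(2)
                else:
                    # Normalise case and spacing only; token order is significant.
                    current["SSLProtocol"] = " ".join(m.group(2).lower().split())
    return vhosts


def find_conflicts(vhosts):
    """Return {addr: [(file, ServerName, SSLProtocol), ...]} for every address:port
    shared by several vhosts that do not all carry the same SSLProtocol."""
    by_addr = defaultdict(list)
    for vh in vhosts:
        for addr in vh["addrs"]:
            by_addr[addr].append(vh)
    conflicts = {}
    for addr, group in by_addr.items():
        if len(group) > 1 and len({vh["SSLProtocol"] for vh in group}) > 1:
            conflicts[addr] = [(vh["file"], vh["ServerName"], vh["SSLProtocol"])
                               for vh in group]
    return conflicts


def sample_confs(abc_addr, xyz_addr):
    """Constructed conf.d contents modelled on the two files named in the thread."""
    return {
        "abc_com.conf": f"<VirtualHost {abc_addr}>\n"
                        "    ServerName abc.com\n"
                        "    SSLEngine on\n"
                        "</VirtualHost>\n",
        "xyz_com.conf": f"<VirtualHost {xyz_addr}>\n"
                        "    ServerName xyz.com\n"
                        "    SSLEngine on\n"
                        "    SSLProtocol ALL -SSLv3 -SSLv2 -TLSv1 -TLSv1.1\n"
                        "</VirtualHost>\n",
    }


if __name__ == "__main__":
    # Both vhosts on *:443, as in the thread: flagged as a conflict.
    print(find_conflicts(parse_vhosts(sample_confs("*:443", "*:443"))))
    # Distinct (constructed) IP:PORT pairs: nothing flagged.
    print(find_conflicts(parse_vhosts(sample_confs("192.0.2.10:443", "192.0.2.11:443"))))
```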


Re: How to different SSLProtocol for each of the conf files

chetan jain
Thanks for the reply, Luca.

So I shall be listing all the possible IP:port in the virtualhost.conf file instead of just *:443, and that should make this work.

Let me try this out.

--Chetan

On Tue, Jul 25, 2017 at 6:16 AM, Luca Toscano <[hidden email]> wrote:
As Eric pointed out earlier on:

> The file names don't matter very much. What matters is whether they
> are separate IP:PORT based vhosts. If they're not, they can't have
> separate SSL configurations.

In all files you have <VirtualHost *:443> and you use a different ServerName to differentiate. I am not a big expert, but I believe that what Eric is saying is that if you want to use a different SSL configuration on one VirtualHost, you can, with the constraint that the IP:PORT (stated in <VirtualHost IP:PORT>) is unique and not used in another VirtualHost block.

Luca


Re: How to different SSLProtocol for each of the conf files

chetan jain
I tried it with the host port combination and somehow the web page does not come up at all. I could not keep it that way for a longer period to troubleshoot it, as it was being used.

--Chetan

On Tue, Jul 25, 2017 at 6:21 AM, chetan jain <[hidden email]> wrote:
Thanks for the reply, Luca.

So I shall be listing all the possible IP:port in the virtualhost.conf file instead of just *:443, and that should make this work.

Let me try this out.

--Chetan
