Protection options for HTTPS Apache servers
Authored by: cp on Dec 07, '04 06:30:02PM
Well, I tried this, without success. I have Complete Apache 2.0.52 installed. SSL is configured within a <VirtualHost _default_:443> </VirtualHost> block. It seems that you can indeed remove ciphers with:

SSLCipherSuite -ALL

on a per server/virtual host basis, as described in the hint and official docs, but Apache seems to stop you from adding ciphers back in per directory within a <DIRECTORY> ... </DIRECTORY> block, notwithstanding this hint or the official Apache documentation. You can, however, further remove ciphers within a <DIRECTORY> ... </DIRECTORY> block. All in all, quite confusing.
cp

Ooops.. Use Location instead of Directory
Authored by: MartySells on Dec 14, '04 01:19:27AM
Sorry this didn't work for you. It's a very slick trick so I would like to see others able to get it working.

As I noted, I didn't test the configs that I posted in the original hint. In checking one of my config files where I'm doing something slightly different (overriding SSLVerifyClient and setting it to None for a particular subspace where I don't want to require a client-side certificate), I noticed that I'm using a Location rather than a Directory directive. When I posted I checked the Apache doc, which seemed to say that both were supported, so I posted my hint using Directory.

In testing I found that a Directory section did not work as you found. Using Location instead worked just fine. So the config should read:
# This is all inside a VirtualHost tag

<Location />
    SSLVerifyClient None
    SSLCipherSuite -ALL
    SSLRequireSSL
</Location>

<Location /books/>
    SSLCipherSuite HIGH
    SSLRequireSSL
</Location>
So try it in a Location block and please let me/us know if it works. My WAG (wild a$$ guess) is that Apache isn't properly taking the URL from the request and figuring out which Directory block(s) apply and what the SSL settings are. Using a Location block probably makes it easier for Apache to do the right thing.

-m

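The reply above relies on how Apache merges <Location> sections: they are applied in configuration order, and a later matching section overrides the SSLCipherSuite (or SSLVerifyClient) value set by an earlier one, which is why "-ALL" at / and "HIGH" at /books/ can coexist. The script below is an added example, not code from the original hint or from the Apache project; it models that merge for the corrected configuration so an administrator can check which cipher specification a request path is supposed to end up with before trusting the restriction. The SAMPLE_CONFIG text, the server-level "HIGH:MEDIUM" default, and the function names are constructed for this example; the matching rules are a simplification (plain <Location> prefixes only, no <Directory>, <Files> or regex sections).

```python
"""Resolve the effective mod_ssl settings for a URL from <Location> blocks.

Constructed model of Apache's merge order for <Location> sections:
sections are walked in configuration order and a later matching section
overrides the value an earlier one set. This only shows what the
configuration asks for; confirming what a server actually negotiates
still needs a real client test.
"""
import re

# Constructed input: the corrected configuration from the reply, with a
# server-level SSLCipherSuite added as the value the <Location /> block
# is expected to override.
SAMPLE_CONFIG = """
SSLCipherSuite HIGH:MEDIUM
<Location />
    SSLVerifyClient None
    SSLCipherSuite -ALL
    SSLRequireSSL
</Location>
<Location /books/>
    SSLCipherSuite HIGH
    SSLRequireSSL
</Location>
"""

_OPEN = re.compile(r"^<Location\s+(\S+)\s*>$", re.IGNORECASE)
_CLOSE = re.compile(r"^</Location>$", re.IGNORECASE)


def parse_config(text):
    """Return (defaults, sections).

    defaults: directives outside any <Location>.
    sections: ordered list of (prefix, {directive: value}).
    Argument-less directives such as SSLRequireSSL are stored as "on".
    """
    defaults, sections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        opened = _OPEN.match(line)
        if opened:
            current = (opened.group(1), {})
            sections.append(current)
            continue
        if _CLOSE.match(line):
            current = None
            continue
        name, _, value = line.partition(" ")
        target = defaults if current is None else current[1]
        target[name] = value.strip() or "on"
    return defaults, sections


def location_matches(prefix, path):
    """Prefix match at a path-segment boundary, as a non-regex <Location> does."""
    if prefix == "/":
        return True
    if prefix.endswith("/"):
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")


def effective_settings(config_text, path):
    """Merge server defaults with every matching <Location>, in config order."""
    defaults, sections = parse_config(config_text)
    merged = dict(defaults)
    for prefix, directives in sections:
        if location_matches(prefix, path):
            merged.update(directives)   # the later matching section wins
    return merged


def allowed_cipher_spec(config_text, path):
    """The SSLCipherSuite string a request for `path` is resolved to."""
    return effective_settings(config_text, path).get("SSLCipherSuite")


if __name__ == "__main__":
    for url in ("/", "/index.html", "/books/", "/books/catalog.html", "/bookstore"):
        print(f"{url:24} SSLCipherSuite={allowed_cipher_spec(SAMPLE_CONFIG, url)}")
```

Running it shows "/" and "/bookstore" resolving to "-ALL" while anything under "/books/" resolves to "HIGH", which is the split the reply intends. Because the model cannot reproduce the <Directory> behaviour the first comment ran into, treat its output as the expected state and verify the live server with a TLS client against both paths.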