perfsonar-user - Re: [perfsonar-user] /etc/httpd/conf.d/ssl.conf
- From: Michael Johnson <>
- To: Doug Wussler <>
- Subject: Re: [perfsonar-user] /etc/httpd/conf.d/ssl.conf
- Date: Thu, 21 Dec 2017 14:04:54 -0500
Hi Doug,
Ah, I was hoping you could create a virtualhost in your override config file,
like this:
<VirtualHost _default_:443>
And then change the ciphers within that virtualhost. I don't know offhand if
having that VirtualHost defined multiple times will work.
Changing the way security policy is applied is something that the dev team
needs to discuss first, but reviewing how this works seems like a reasonable
request. The current solution is very simple, as it just replaces the default
ciphers with new ones, rather than inserting other config parameters in
arbitrary locations in the config file, especially when we don't know if that
file has been modified.
I also anticipate that if we do decide to change this, we might need to test
a few different possible approaches to see what works best. Placing the
parameters outside the virtualhost might work, but we'd need to test it; let
us know if you find a solution that seems good in your testing.
I've opened an issue in our tracker for this:
https://github.com/perfsonar/toolkit/issues/291
Much of the dev team is out for the next couple weeks, so I wouldn't expect
much immediate activity regarding this.
Thanks,
Michael
On Thu, Dec 21, 2017 at 06:09:54PM +0000, Doug Wussler wrote:
Michael –
So that seems like a fine motivation, since our settings are even more
restrictive than the ones you implement, but you put them inside the
VirtualHost. From what I can see in my testing, I cannot override those
settings in another config file. If you could move them outside the virtual
host then I could do as you suggest. Is this something you could do? I
think that would accomplish your goal while allowing others to customize
those settings.
Doug
On 12/21/17, 12:15 PM, "Michael Johnson" <> wrote:
Hi Doug,
The SSL Protocol/CipherSuite values are modified by our packages because
if we don't update these, older/weaker ciphers are allowed, which is a
security issue; in fact, various web application scanners people are using
complain about this. This is why we have made the change.
I haven't tried this, but I believe you could set the values you want in a
separate config file, and they wouldn't get overwritten. You would want to
create a new file, something like this:
/etc/httpd/conf.d/zciphers.conf
You would then put the desired ciphers in this file and it would override
the settings in ssl.conf. The files in conf.d/*.conf are read in alphabetical
order, so by changing the filename you can control the order they load (hence
the 'z' above). The later includes override earlier ones.
Thanks,
Michael
On Thu, Dec 21, 2017 at 04:59:51PM +0000, Doug Wussler wrote:
>Is there some reason why you are modifying the values of “SSLProtocol”
>and “SSLCipherSuite” in the SSL.CONF file when updates are applied?
>
>I have more restrictive settings for these parameters. Whenever an
>update runs it updates these values and we end up with a corrupt value for
>SSLCipherSuite and then the service can’t restart.
>
>Does this config file need to be included in your update procedures? If
>not, can you please remove it so that it doesn’t overwrite custom settings?
>
>Doug
>
>
>Doug Wussler
>850.645.4201
>Information Technology Services
>Florida State University
>RK Shaw Building
>644 W. Call Street
>Tallahassee, FL 32304
>
--
Michael Johnson
GlobalNOC Software Engineering
Indiana University
812-856-2771
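As an added example (not code from the perfSONAR project or from anyone in this thread), here is a small Python model of how httpd applies SSLProtocol/SSLCipherSuite across conf.d files. It reproduces what Doug saw: a server-level SSLCipherSuite in zciphers.conf does not replace the one inside ssl.conf's VirtualHost, and a second `<VirtualHost _default_:443>` block in a later file is treated the way httpd treats an overlapping vhost (the first definition serves requests). The filenames and cipher strings are constructed placeholders.

```python
"""Model of httpd's conf.d/*.conf merge order for SSL directives (added
example, not perfSONAR code). Cipher strings below are placeholders."""
import re

DIRECTIVES = ("SSLProtocol", "SSLCipherSuite")

def effective_settings(files):
    """files: {filename: contents}. Returns {scope: {directive: (value, file)}}.
    Scope 'server' is anything outside a <VirtualHost>; a vhost scope is its
    address argument (e.g. '_default_:443'). Modelled rules: conf.d/*.conf is
    included alphabetically and a later file overrides an earlier one within
    the same scope; a second <VirtualHost> for an address already defined is
    an overlapping vhost (httpd warns and the first one has precedence), so
    its directives are dropped here rather than merged."""
    result = {"server": {}}
    seen_vhosts = set()
    for name in sorted(files):          # alphabetical include order
        scope, skipping = "server", False
        for raw in files[name].splitlines():
            line = raw.strip()
            m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
            if m:
                scope = m.group(1).strip()
                skipping = scope in seen_vhosts   # duplicate vhost: first wins
                if not skipping:
                    seen_vhosts.add(scope)
                    result[scope] = {}
                continue
            if line.lower() == "</virtualhost>":
                scope, skipping = "server", False
                continue
            parts = line.split(None, 1)
            if not skipping and len(parts) == 2 and parts[0] in DIRECTIVES:
                result[scope][parts[0]] = (parts[1], name)
    return result

def resolve(settings, vhost, directive):
    """Value a request to `vhost` gets: the vhost's own setting if present,
    otherwise the inherited server-level one, otherwise None."""
    for scope in (vhost, "server"):
        if directive in settings.get(scope, {}):
            return settings[scope][directive]
    return None

# Constructed sample files standing in for /etc/httpd/conf.d/*.conf.
SAMPLE = {
    "ssl.conf": "<VirtualHost _default_:443>\nSSLProtocol all -SSLv2 -SSLv3\n"
                "SSLCipherSuite PACKAGE-CIPHERS\n</VirtualHost>\n",
    "zciphers.conf": "SSLProtocol -all +TLSv1.2\nSSLCipherSuite SITE-CIPHERS\n",
}
```

Running `resolve(effective_settings(SAMPLE), "_default_:443", "SSLCipherSuite")` returns the ssl.conf value, which is why a server-level override file alone is not enough while the directives live inside the VirtualHost.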