perfSONAR User Q&A and Other Discussion

[Michael Johnson <>]

Hi Doug,

Ah, I was hoping you could create a virtualhost in your override config file, 
like this:
<VirtualHost _default_:443>

And then change the ciphers within that virtualhost. I don't know offhand if 
having that VirtualHost defined multiple times will work.

Changing the way security policy is applied is something that the dev team 
needs to discuss first, but reviewing how this works seems like a reasonable 
request. The current solution is very simple, as it just replaces the default 
ciphers with new ones, rather than inserting other config parameters in 
arbitrary locations in the config file, especially when we don't know if that 
file has been modified.

I also anticipate that if we do decide to change this, we might need to test 
a few different possible approaches to see what works best. Placing the 
parameters outside the virtualhost might work, but we'd need to test it; let 
us know if you find a solution that seems good in your testing.

I've opened an issue in our tracker for this:
https://github.com/perfsonar/toolkit/issues/291

Much of the dev team is out for the next couple weeks, so I wouldn't expect 
much immediate activity regarding this.

Thanks,
Michael

On Thu, Dec 21, 2017 at 06:09:54PM +0000, Doug Wussler wrote:
> Michael –
>
> So that seems like a fine motivation, since our settings are even more 
> restrictive than the ones you implement, but you put them inside the 
> VirtualHost.  From what I can see in my testing, I cannot override those 
> setting in another config file.  If you could move them outside the virtual 
> host then I could do as you suggest.  Is this something you could do?  I 
> think that would accomplish your goal while allowing others to customize 
> those settings.
>
> Doug
>
>
>
> On 12/21/17, 12:15 PM, "Michael Johnson" 
> <>
>  wrote:
>
>    Hi Doug,
>
>    The SSL Protocol/CipherSuite values are modified by our packages because 
> if we don't update these, older/weaker ciphers are allowed, which is a 
> security issue; in fact, various web application scanners people are using 
> complain about this. This is why we have made the change.
>
>    I haven't tried this, but I believe you could set the values you want in a 
> separate config file, and they wouldn't get overwritten. You would want to 
> create a new file, something like this:
>
>    /etc/httpd/conf.d/zciphers.conf
>
>    You would then put the desired ciphers in this file and it would override 
> the settings in ssl.conf. The files in conf.d/*.conf are read in aphabetical 
> order, so by changing the filename you can control the order they load (hence 
> the 'z' above). The later includes override earlier ones.
>
>    Thanks,
>    Michael
>
>    On Thu, Dec 21, 2017 at 04:59:51PM +0000, Doug Wussler wrote:
>    >Is there some reason why you are modifying the values of “SSLProtocol” 
> and “SSLCipherSuite” in the SSL.CONF file when updates are applied?
>    >
>    >I have more restrictive settings for these parameters.  Whenever an 
> update runs it updates these values and we end up with a corrupt value for 
> SSLCipherSuite and then the service can’t restart.
>    >
>    >Does this config file need to be included in your update procedures? If 
> not, can you please remove it so that it doesn’t overwrite custom settings?
>    >
>    >Doug
>    >
>    >
>    >Doug Wussler
>    >850.645.4201
>    >Information Technology Services
>    >Florida State University
>    >RK Shaw Building
>    >644 W. Call Street
>    >Tallahassee, FL  32304
>    >
>
>    --
>    Michael Johnson
>    GlobalNOC Software Engineering
>    Indiana University
>    
>
>    812-856-2771

--
Michael Johnson
GlobalNOC Software Engineering
Indiana University

812-856-2771

Attachment: smime.p7s
Description: S/MIME cryptographic signature