Re: [perfsonar-user] /etc/httpd/conf.d/ssl.conf


  • From: Doug Wussler <>
  • To: Michael Johnson <>
  • Cc: "" <>
  • Subject: Re: [perfsonar-user] /etc/httpd/conf.d/ssl.conf
  • Date: Thu, 21 Dec 2017 19:14:26 +0000

Michael –

Thank you. My understanding is that if it is set outside the Virtual Host it
will be inherited by all virtual hosts but can be overridden by settings
inside the virtual host. But once set inside a virtual host it is immune to
being overridden in another file. Thanks for opening an issue. Certainly
understand that people are out for the holidays and that this is a lower
priority item anyway.

Doug


On 12/21/17, 2:04 PM, "Michael Johnson" <> wrote:

Hi Doug,

Ah, I was hoping you could create a virtualhost in your override config
file, like this:
<VirtualHost _default_:443>

And then change the ciphers within that virtualhost. I don't know offhand
if having that VirtualHost defined multiple times will work.

Changing the way security policy is applied is something that the dev
team needs to discuss first, but reviewing how this works seems like a
reasonable request. The current solution is very simple, as it just replaces
the default ciphers with new ones, rather than inserting other config
parameters in arbitrary locations in the config file, especially when we
don't know if that file has been modified.

I also anticipate that if we do decide to change this, we might need to
test a few different possible approaches to see what works best. Placing the
parameters outside the virtualhost might work, but we'd need to test it; let
us know if you find a solution that seems good in your testing.

I've opened an issue in our tracker for this:
https://github.com/perfsonar/toolkit/issues/291

Much of the dev team is out for the next couple weeks, so I wouldn't
expect much immediate activity regarding this.

Thanks,
Michael

On Thu, Dec 21, 2017 at 06:09:54PM +0000, Doug Wussler wrote:
>Michael –
>
>So that seems like a fine motivation, since our settings are even more
>restrictive than the ones you implement, but you put them inside the
>VirtualHost. From what I can see in my testing, I cannot override those
>settings in another config file. If you could move them outside the virtual
>host then I could do as you suggest. Is this something you could do? I
>think that would accomplish your goal while allowing others to customize
>those settings.
>
>Doug
>
>
>
>On 12/21/17, 12:15 PM, "Michael Johnson" <> wrote:
>
> Hi Doug,
>
> The SSL Protocol/CipherSuite values are modified by our packages
> because if we don't update these, older/weaker ciphers are allowed, which is
> a security issue; in fact, various web application scanners people are using
> complain about this. This is why we have made the change.
>
> I haven't tried this, but I believe you could set the values you
> want in a separate config file, and they wouldn't get overwritten. You would
> want to create a new file, something like this:
>
> /etc/httpd/conf.d/zciphers.conf
>
> You would then put the desired ciphers in this file and it would
> override the settings in ssl.conf. The files in conf.d/*.conf are read in
> alphabetical order, so by changing the filename you can control the order they
> load (hence the 'z' above). The later includes override earlier ones.
>
> Thanks,
> Michael
>
> On Thu, Dec 21, 2017 at 04:59:51PM +0000, Doug Wussler wrote:
> >Is there some reason why you are modifying the values of
> >“SSLProtocol” and “SSLCipherSuite” in the SSL.CONF file when updates are
> >applied?
> >
> >I have more restrictive settings for these parameters. Whenever an
> >update runs it updates these values and we end up with a corrupt value for
> >SSLCipherSuite and then the service can’t restart.
> >
> >Does this config file need to be included in your update
> >procedures? If not, can you please remove it so that it doesn’t overwrite
> >custom settings?
> >
> >Doug
> >
> >
> >Doug Wussler
> >850.645.4201
> >Information Technology Services
> >Florida State University
> >RK Shaw Building
> >644 W. Call Street
> >Tallahassee, FL 32304
> >
>
> --
> Michael Johnson
> GlobalNOC Software Engineering
> Indiana University
>
> 812-856-2771
>
>
>

--
Michael Johnson
GlobalNOC Software Engineering
Indiana University


812-856-2771
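An added check for the precedence problem this thread is about (my own script, not perfSONAR's code): it reads conf.d files in alphabetical order, tracks server versus <VirtualHost> context, and reports which SSLProtocol/SSLCipherSuite values the _default_:443 vhost actually ends up with, and whether a server-context override in a later file is masked by a vhost-level setting in ssl.conf. The file contents and cipher strings are constructed samples; the script models only the two precedence rules discussed above (vhost block beats server context, later file beats earlier file within a context) and does not model a second <VirtualHost> block for the same address.

```python
import re

DIRECTIVES = ("SSLProtocol", "SSLCipherSuite")

def parse_conf(name, text):
    """Yield (directive, value, vhost); vhost is None in server context."""
    vhost = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhost = opened.group(1).strip()
        elif line.lower().startswith("</virtualhost>"):
            vhost = None
        else:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] in DIRECTIVES:
                yield parts[0], parts[1].strip(), vhost

def _collect(files, vhost):
    server, inside = {}, {}
    for name in sorted(files):  # conf.d/*.conf loads alphabetically; later wins
        for directive, value, vh in parse_conf(name, files[name]):
            if vh is None:
                server[directive] = (value, f"{name} [server context]")
            elif vh == vhost:
                inside[directive] = (value, f"{name} [<VirtualHost {vh}>]")
    return server, inside

def effective_settings(files, vhost="_default_:443"):
    """{directive: (value, source)} as the vhost sees it: its own block beats server context."""
    server, inside = _collect(files, vhost)
    return {d: inside.get(d, server.get(d)) for d in DIRECTIVES if d in inside or d in server}

def shadowed_overrides(files, vhost="_default_:443"):
    """Server-context directives that the vhost block silently masks."""
    server, inside = _collect(files, vhost)
    return sorted(d for d in DIRECTIVES if d in server and d in inside)

# Constructed sample: package-managed ssl.conf sets the directives inside the vhost,
# a site-local zciphers.conf tries to override them from server context.
SAMPLE_FILES = {
    "ssl.conf": "<VirtualHost _default_:443>\n  SSLEngine on\n"
                "  SSLProtocol all -SSLv2 -SSLv3\n  SSLCipherSuite HIGH:!aNULL:!MD5\n"
                "</VirtualHost>\n",
    "zciphers.conf": "SSLProtocol TLSv1.2\nSSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384\n",
}
```

To check a real host, load each /etc/httpd/conf.d/*.conf into the dict keyed by filename and call effective_settings() and shadowed_overrides() on it; with the sample above both directives are reported as masked by ssl.conf's VirtualHost block.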
