D'Arcy J.M. Cain | 18 Apr 01:44 2014

New install of Apache not accepting client certs

I just upgraded my Apache from 2.4.7 to 2.4.9 and now my clients' certs
give me a "server certificate does NOT include an ID which matches the
server name" error and it serves the system cert instead, which fails
because it doesn't match the domain.  Here is an example (sanitized)
entry in my httpd.conf.  Any ideas?  I am reverting to 2.4.7 in the
meantime.

<VirtualHost 256.256.256.256:443>
    ServerName wwws.example.com
    DocumentRoot /u/WEB/user
    ServerAdmin webmaster@vex.net
    SuexecUserGroup user user

    Include /VEX/templates/www/httpd-ssl.conf
    SSLCertificateFile /VEX/certs/wwws.example.com.cert
    SSLCertificateKeyFile /etc/certs/wwws.example.com.key
</VirtualHost>
------------------------------------------------------------------------------

/VEX/templates/www/httpd-ssl.conf contains this:

SSLEngine on

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

Mark London | 17 Apr 21:12 2014

HTTPS configuration problem.

Hi - I inherited a web server from another site.  I requested a
wildcard certificate for that server.  What I failed to realize was
that a wildcard certificate only covers *.XXX.COM.  It won't cover plain
XXX.COM.  And unfortunately, people mainly connect to the site using
XXX.COM.  Thus, people who connect to the server using HTTPS://XXX.COM
get a warning message saying that the certificate is not valid.

So I've been trying to find a configuration that redirects
HTTPS://XXX.COM to HTTPS://WWW.XXX.COM.  Unfortunately, every
configuration that I've tried doesn't work.  All of the rewrite and
redirect rules are applied after the browser checks the certificate
against the URL.  Thus, the warning web page always appears.

Is there a configuration to do what I want?  Or will I have to request a
certificate for XXX.COM?  (And then configure my SSL.CONF to have 2
virtual hosts, one for WWW.XXX.COM, and one for XXX.COM.)  Thanks very
much. - Mark
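
The two threads above (D'Arcy's "does NOT include an ID which matches the server name" and Mark's wildcard certificate) fail the same browser-side check. The following is an added example, not code from either post or from httpd: the name-matching rules of RFC 6125 as browsers apply them, which show why `*.xxx.com` covers `www.xxx.com` but not `xxx.com`. The `xxx.com` names come from Mark's post; every other value is constructed.

```python
# Added example, not code from the posts or from httpd: the name-matching rules
# browsers apply (RFC 6125 section 6.4.3) when comparing the names in a server
# certificate against the host in the URL.

def _norm(name: str) -> str:
    # DNS names compare case-insensitively; a trailing dot is ignored.
    return name.strip().rstrip(".").lower()

def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (SAN dNSName, or the CN as a fallback) covers hostname.

    - exact names compare case-insensitively,
    - a wildcard is honoured only as the entire left-most label ("*.xxx.com",
      not "w*.xxx.com" or "*.*.com"),
    - a wildcard matches exactly one label: "*.xxx.com" covers "www.xxx.com"
      but neither "xxx.com" nor "a.b.xxx.com",
    - a wildcard directly under a public suffix such as "*.com" is refused
      (approximated here by requiring at least two labels after the "*").
    """
    pattern, hostname = _norm(pattern), _norm(hostname)
    if not pattern or not hostname or "*" in hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]):
        return False
    if len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]

def uncovered(cert_names, hostnames):
    """Return the hostnames that no name in the certificate covers.

    Feed it the SAN dNSNames of the certificate (plus the CN for old
    certificates without a SAN) and every host people type in the URL bar.
    """
    return [h for h in hostnames if not any(hostname_matches(n, h) for n in cert_names)]

if __name__ == "__main__":
    # Mark's wildcard certificate checked against the two ways users reach the site.
    print(uncovered(["*.xxx.com"], ["www.xxx.com", "xxx.com"]))  # ['xxx.com']
```

The only way to make the apex name pass this check is a certificate whose SAN list contains it, which is why a separate (or multi-SAN) certificate rather than a rewrite rule is the fix.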
Christopher Schultz | 17 Apr 18:27 2014

Enabling ECDHE ciphers

All,

I'm trying to enable (and prefer!) ECDHE ciphers for clients that can
support them. I've done the obvious:

SSLHonorCipherOrder Yes
SSLProtocol ALL -SSLv2
SSLCipherSuite ECDHE:ECDH:..[other stuff]

I have confirmed that, when running "openssl ciphers [stuff above]" that
I get ECDHE ciphers listed at the top of the list. I'm running OpenSSL
1.0.1g-FIPS so that shouldn't be a problem.

Both my browser and Qualys's SSL tester don't seem to be able to use
those ciphers. Is it because I haven't run "openssl ecparam"? I
haven't seen this shown as a requirement anywhere for enabling ECDHE (or
ECDH) ciphers anywhere online, though it makes sense that I'd have to do
something like that.

Or is it because I have "SSLProtocols ALL -SSLv2", which prefers SSLv3,
then TLSv1, then TLSv1.1, etc. instead of having them in the opposite
order? I tried "SSLProtocols TLSv1.2 TLSv1.1 TLSv1 SSLv3 -SSLv2" but I
get an error saying that "TLSv1.2 is unrecognized".

I'm running httpd 2.2.23 on Amazon Linux. I read in the comments for
mod_ssl that httpd 2.2.24 is required for "TLSv1.2" to be specified
directly. Is that accurate? I can see in my Qualys test that TLS 1.2 can
be used by some of the "simulated clients", so I suspect that it is in
fact available -- perhaps just not preferred?


Al Zick | 17 Apr 01:51 2014

problems with malformed handshake message

Hi,

I really hope that someone can help me. I have googled this, but I found nothing.

This is the message that I received from the person reporting the problem:

"However I am still getting mis-formed SSL cert error when I try and access the site via https://
An error occurred during a connection to secure.familysafeinternet.com. SSL received a malformed finished handshake message. (Error code: ssl_error_rx_malformed_finished)"

I know this is not a lot of info, but does anyone have any ideas on what might cause this? 

Thanks,
Al


Marc Aymerich | 16 Apr 23:17 2014

ProxyPassMatch with Unix sockets

Hi,
I have a PHP-FPM web application that I want to be accessed under the
"/alias/" path. I'm trying to configure ProxyPassMatch with Unix
sockets but it doesn't work because it passes "/alias/" to the web
app, but this path doesn't exist :(

What I have so far is this:

ProxyPassMatch ^/alias/(.*\.php(/.*)?)$ \
unix:/var/run/user-fpm.sock|fcgi://localhost/home/user/webapps/app1/


According to this documentation [1], "the captured request URI ($1) is
not passed after the path". Any idea about how I can pass the correct
path to the fcgi app (without a leading "/alias")?

[1] http://wiki.apache.org/httpd/PHP-FPM

Thanks!
-- 
Marc
Doug Strick | 16 Apr 19:23 2014

Conditional response body modification

Hello,

I'm looking for a way to modify the data on outgoing requests conditionally.  I've tried using mod_substitute, but that appears to be an all-or-nothing module.  The documentation for mod_filter says it can be invoked on environment variables, but it's not exactly clear on the valid syntax for those variables.  Basically, I'm looking for a way to change all links from HTTP to HTTPS in my outgoing responses for users with a specific cookie.  Any suggestions?  Thanks.
Cain Dickens | 16 Apr 18:47 2014

proxy squid and apache

I have installed apache and squid on my Debian server.

But squid does not work, as Firefox shows:
"access control configuration prevents your request from being allowed at this time.
please .... so and so."

squid/2.7

Does anyone know why?

Thanks in advance.
Cain Dickens
Joydeep Bakshi | 16 Apr 14:09 2014

Fwd: apache hosting unknown sites !!!

Dear list,

I have found a strange issue in a newly configured openSUSE 13.1 server. This is a dedicated root server where ssh is running on a different port than the default and ssh root login is disabled.

I have configured apache and also a few vhosts which are running well. I have also installed varnish for caching. All are running without any issue. Suddenly I find from apache access.log that some unknown sites are hosted from this server.

tv-house.ru, world-hdtv.ru ... etc. ... I am clueless.
I have stopped apache, still those sites are active; uninstalled varnish, shut down the server, still those sites are active.

After rebooting the server and activating apache, again the apache log shows requests to those domains actually coming to this server. I blocked the domains through iptables. Now the access log shows a lot of 408s:

147.45.64.140 - - [16/Apr/2014:11:26:44 +0200] "-" 408 - "-" "-"
176.8.100.50 - - [16/Apr/2014:11:26:59 +0200] "GET /tracker/scrape?info_hash=U%5C%01%04%94%C6%83JV%143eL%B4%FD%5D%AD%D5%5B%E9 HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"
217.118.78.101 - - [16/Apr/2014:11:27:09 +0200] "-" 408 - "-" "-"
178.67.223.237 - - [16/Apr/2014:11:27:25 +0200] "GET /tracker/scrape?info_hash=%A78V98%CD%27%14%A9%5C%29U%9F%D6%04t%2F%80gX HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"
194.107.23.1 - - [16/Apr/2014:11:27:28 +0200] "-" 408 - "-" "-"
178.89.208.29 - - [16/Apr/2014:11:27:31 +0200] "GET /tracker/scrape?info_hash=%E5%D0%15%7E%1D%C5%29%1B%BB%E8%C1M%B6%1E%ACA0%9D8%81 HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_25"
83.146.115.146 - - [16/Apr/2014:11:27:33 +0200] "GET /tracker/scrape?info_hash=U%5C%01%04%94%C6%83JV%143eL%B4%FD%5D%AD%D5%5B%E9 HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_31"
147.45.64.140 - - [16/Apr/2014:11:27:36 +0200] "-" 408 - "-" "-"
213.87.137.123 - - [16/Apr/2014:11:27:57 +0200] "-" 408 - "-" "-"
178.161.132.98 - - [16/Apr/2014:11:28:20 +0200] "-" 408 - "-" "-"
80.80.205.109 - - [16/Apr/2014:11:28:30 +0200] "GET /tracker/scrape?info_hash=%B6%0Dg%EC%24%0Frw%8A%0D%ADo%D1%86Z%C4J%0A%1D%7C HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_30"
178.123.206.189 - - [16/Apr/2014:11:28:53 +0200] "GET /tracker/scrape?info_hash=%7F%98%05%BA%40%DB%ADo%1E%DD%D1%0BSL%0C%16%9DT%0D%BE HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"

Is anyone familiar with this behaviour? Any fix to this strange issue?

Thanks
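
An added example, not code from the post: a triage pass over access_log lines in the combined format shown above, which separates the 408 entries (connections opened but closed by Timeout/KeepAliveTimeout before any request line arrived, so nothing was served) from the real requests and counts what the misdirected clients actually ask for. The sample lines are constructed in the same shape as the post's excerpt, using documentation-range addresses.

```python
# Added example, not code from the post: triage of Apache access_log lines in
# the combined log format shown in the post.
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = rec["req"].split(" ")
    rec["method"], rec["path"] = (parts[0], parts[1]) if len(parts) >= 2 else ("-", "-")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query (info_hash etc.)
    # A request line of "-" with status 408 is a connection that was opened and
    # then hit Timeout/KeepAliveTimeout before any request arrived: nothing was
    # served, so these are idle clients, not evidence of a hosted site.
    rec["idle"] = rec["req"] == "-" and rec["status"] == 408
    return rec

def summarize(lines):
    """Count idle 408s, then per-path hits, user-agent families and distinct clients."""
    recs = [r for r in map(parse_line, lines) if r]
    real = [r for r in recs if not r["idle"]]
    return {
        "parsed": len(recs),
        "idle_408": sum(r["idle"] for r in recs),
        "paths": Counter(r["path"] for r in real),
        "user_agents": Counter(r["ua"].split(";")[0] for r in real),
        "clients": len({r["ip"] for r in recs}),
    }

# Constructed sample lines in the same shape as the post's excerpt.
SAMPLE = [
    '198.51.100.7 - - [16/Apr/2014:11:26:44 +0200] "-" 408 - "-" "-"',
    '198.51.100.8 - - [16/Apr/2014:11:26:59 +0200] "GET /tracker/scrape?info_hash=%E5%D0 HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_38"',
    '198.51.100.9 - - [16/Apr/2014:11:27:09 +0200] "-" 408 - "-" "-"',
    '203.0.113.4 - - [16/Apr/2014:11:27:25 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Apr/2014:11:27:36 +0200] "GET /tracker/scrape?info_hash=%7F%98 HTTP/1.1" 500 1009 "-" "Zona 1.0.4.5;Windows 7;Java 1.6.0_25"',
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

A path count dominated by /tracker/scrape from one user-agent family, with no matching vhost content, points at DNS for someone else's hostnames resolving to this address rather than at anything hosted here, which is consistent with the sites staying "active" while httpd was stopped.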



Eric Covener | 15 Apr 22:38 2014

Re: auth_ldap fails after upgrading to 2.4.9

Can you summarize how the logging differs in the two releases?

Here are two candidates:

  *) mod_ldap: When looking up sub-groups, use an implicit objectClass=*
     instead of an explicit cn=* filter. [David Hawes <dhawes vt.edu>]

  *) mod_ldap: Change "LDAPReferrals off" to actually set the underlying LDAP
     SDK option to OFF, and introduce "LDAPReferrals default" to take the SDK
     default, sans rebind authentication callback.
     [Jan Kaluza <kaluze AT redhat.com>]

Would you be able to rebuild a patch, or ask your vendor to try
selectively removing some of the recent LDAP changes?

On Tue, Apr 15, 2014 at 3:55 PM, Marshall Httpd
<httpd.questions <at> gmail.com> wrote:
> Hi,
>
> Our httpd.exe was recently upgraded from 2.4.6 to 2.4.9.  But, when that
> happened, some of our users can no longer authenticate via LDAP.  By "some",
> I mean that we have 2 domains.  Users from one domain are fine, but users in
> the 2nd domain can no longer authenticate.
>
> E.g. AD\steve can authenticate fine; but DOMAIN\dev.frank now gets
> "authentication failed"
>
> The general error goes something like:
> [authnz_ldap:info] [pid 4844:tid 1040] [client 100.200.300.401:55888]
> AH01695: auth_ldap authenticate: user dev.frank authentication failed; URI
> /svn/databaseProject [User not found][No Such Object]
>
> Has anyone experienced such a thing before?  And/or know of the fix?
>
> Full disclosure:  httpd.exe was upgraded by way of our CollabNet Subversion
> Edge upgrade.  I posed my question there first of course; but this really
> does seem like it's an httpd issue.  And thus, here I am.
> I captured a great deal of logging information along with configuration
> settings in their forums.  It's available here:
> https://subversion.open.collab.net/ds/viewMessage.do?dsForumId=3&dsMessageId=517643
>
>
> Thank you,
> Marshall

-- 
Eric Covener
covener <at> gmail.com
Marshall Httpd | 15 Apr 21:55 2014

auth_ldap fails after upgrading to 2.4.9

Hi,

Our httpd.exe was recently upgraded from 2.4.6 to 2.4.9.  But, when that happened, some of our users can no longer authenticate via LDAP.  By "some", I mean that we have 2 domains.  Users from one domain are fine, but users in the 2nd domain can no longer authenticate.

E.g. AD\steve can authenticate fine; but DOMAIN\dev.frank now gets "authentication failed"

The general error goes something like:
[authnz_ldap:info] [pid 4844:tid 1040] [client 100.200.300.401:55888] AH01695: auth_ldap authenticate: user dev.frank authentication failed; URI /svn/databaseProject [User not found][No Such Object]

Has anyone experienced such a thing before?  And/or know of the fix?

Full disclosure:  httpd.exe was upgraded by way of our CollabNet Subversion Edge upgrade.  I posed my question there first of course; but this really does seem like it's an httpd issue.  And thus, here I am.
I captured a great deal of logging information along with configuration settings in their forums.  It's available here:  https://subversion.open.collab.net/ds/viewMessage.do?dsForumId=3&dsMessageId=517643


Thank you,
Marshall
alessandro macuz | 15 Apr 18:09 2014

Apache sending a client certificate for mutual authentication

Hi folks,

the most recent question on the topic I found is this one

http://httpd.markmail.org/message/n5uuusgzsi2bc72b?q=apache+to+send+ssl+client+certificate

but there the person who asked the question was invited to use this list, and I didn't see this topic discussed.

To give you an idea, just imagine the scenario where we want to increase the security of the access to a web server on an appliance that does mutual authentication but with weaker control.

Can apache2 send a client certificate on a back-end connection?
Do you have any reference? Or is it not possible at all?

Many thanks in advance,

Alex
