https://bz.apache.org/bugzilla/show_bug.cgi?id=69397
Bug ID: 69397
Summary: Effect of SSLOpenSSLConfCmd in catch-all VirtualHost
affects other VirtualHosts
Product: Apache httpd-2
Version: 2.4.37
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
Wanting to apply specific Groups, or Protocol to the catch-all <VirtualHost>
using SSLOpenSSLConfCmd affects all other https connections on the web server.
For example, if I deliberately wanted to make sure that TLS negotiation fails
for the catch-all _default_:443 VirtualHost (or *:443) and yet works for those
VirtualHosts that match a ServerName, I could try:
# The first declaration that acts as a catch-all when no
# other VirtualHost matches
<VirtualHost _default_:443>
ServerName default.invalid
Include /path/to/ssl/settings.conf.inc
# Make sure there is a protocol in the list so the server starts up
SSLProtocol +all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 +TLSv1.3
# Use the conf cmd to remove them all
SSLOpenSSLConfCmd Protocol "-ALL"
# and so on ...
</VirtualHost>
# A virtual host that can match on SNI
<VirtualHost *:443>
ServerName my.virtual.host:443
# and so on...
</VirtualHost>
The server starts up.
Now all requests to my.virtual.host are affected as well as requests to
non-matched virtual hosts going to the catch-all.
Accessing any site now reports:
Firefox reports: Secure Connection Failed
Peer reports it experienced an internal error.
Error code: SSL_ERROR_INTERNAL_ERROR_ALERT
Safari reports: can't establish a secure connection
Chrome reports: This site can’t provide a secure connection
my.virtual.host sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
If the conf cmd
SSLOpenSSLConfCmd Protocol "-ALL"
is not put in the _default_:443 VirtualHost but rather is put into the *:443
VirtualHost with the ServerName, the effect is as expected: only that VirtualHost
is affected.
This time, accessing my.virtual.host gives different results:
Firefox: Peer reports incompatible or unsupported protocol version.
Error code: SSL_ERROR_PROTOCOL_VERSION_ALERT
Chrome: This site can’t provide a secure connection
my.virtual.host uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
That result is what I hoped would happen, but for the version that uses
SSLOpenSSLConfCmd in the catch-all VirtualHost.
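An added probe script (not part of the report or of httpd) that reproduces the comparison described above from the client side: it runs one TLS handshake per SNI name, records OpenSSL's alert reason, and flags a named VirtualHost that fails with the same reason as the catch-all. The host, port and the two ServerName values are assumptions taken from the report's example config.

```python
import socket
import ssl

# Placeholder names from the report's example config; adjust for your server.
CATCH_ALL_SNI = "default.invalid"  # ServerName of the _default_:443 vhost
NAMED_SNI = "my.virtual.host"      # ServerName of the SNI-matched *:443 vhost


def probe_tls(host, port, sni, timeout=5.0):
    """Run one TLS handshake with the given SNI name and report how it ended.

    On failure, ``reason`` is OpenSSL's reason string, e.g.
    TLSV1_ALERT_INTERNAL_ERROR versus TLSV1_ALERT_PROTOCOL_VERSION.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only the handshake outcome matters here
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return {"sni": sni, "ok": True, "version": tls.version(), "reason": None}
    except ssl.SSLError as exc:
        return {"sni": sni, "ok": False, "version": None, "reason": exc.reason}
    except OSError as exc:
        return {"sni": sni, "ok": False, "version": None, "reason": type(exc).__name__}


def assess(results, catch_all_sni):
    """Map each SNI to a verdict: the catch-all should fail, named vhosts should work.

    A named vhost failing with the catch-all's own reason is reported as a leak.
    """
    by_sni = {r["sni"]: r for r in results}
    catch_all = by_sni.get(catch_all_sni)
    verdicts = {}
    for sni, r in by_sni.items():
        if sni == catch_all_sni:
            verdicts[sni] = "expected-failure" if not r["ok"] else "catch-all-still-negotiates"
        elif r["ok"]:
            verdicts[sni] = "ok"
        elif catch_all and not catch_all["ok"] and r["reason"] == catch_all["reason"]:
            verdicts[sni] = "leak:" + str(r["reason"])
        else:
            verdicts[sni] = "failed:" + str(r["reason"])
    return verdicts


if __name__ == "__main__":
    results = [probe_tls("127.0.0.1", 443, s) for s in (CATCH_ALL_SNI, NAMED_SNI)]
    for sni, verdict in assess(results, CATCH_ALL_SNI).items():
        print(f"{sni:20} {verdict}")
```

A "leak:" verdict on the named host corresponds to the first scenario in the report; "ok" on the named host with "expected-failure" on the catch-all is the behaviour the reporter hoped for.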