Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-19 Thread hisacro
On Tue, Aug 18, 2020 at 09:28:18PM -0400, trondd wrote:
> The bug here is in how additional listen lines interact with the remaining
> configuration.  The first listen line in a server block gets the tls block
> and it doesn't get applied to the second listen line.  Except for certs
> and keys which are handled differently for SNI.

I rechecked; you're right. In the TLS block, except for key & certificate,
the sub domain server (or the server defined last) inherits config from
the previously defined one (in the example config, the main server).

Is it worthy of a bug, or could it be confusion in the configs?



Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-16 Thread hisacro
On Sun, Aug 16, 2020 at 02:34:27PM -0400, trondd wrote:
 
> Oh, I see what you're doing.  BOTH listen lines are active in the second
> server block.  When you connect to port 443 with that config, which TLS
> settings does it use?  I want to guess that because you're listening on
> port 8000 without tls first, the listen with tls is skipped along with the
> tls block below it.

No, listen TLS isn't skipped for sub.domain.tld

>> This indeed listen on same address ($ext_ip) and same port (443)
>> and works as intended with different cipher and ecdhe.



Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-16 Thread hisacro
Aug 16, 2020, 11:44 AM by tro...@kagu-tsuchi.com:

> Because it's not the same IP and port anymore. You can only have one
> thing listening on an ip+port

I got a working httpd config with the same IP and the same port:

server "domain.tld" {
    listen on $ext_ip tls port 443
    tls {
        certificate "/etc/ssl/domain.tld.fullchain.pem"
        key "/etc/ssl/private/domain.tld.key"
        ciphers "HIGH:!AES128:!kRSA:!aNULL"
        ecdhe "P-384,P-256,X25519"
    }
}
server "sub.domain.tld" {
    listen on 0.0.0.0 port 8000 # confusion?
    listen on $ext_ip tls port 443
    tls {
        certificate "/etc/ssl/domain.tld.fullchain.pem"
        key "/etc/ssl/private/domain.tld.key"
    }
}

This indeed listens on the same address ($ext_ip) and the same port (443)
and works as intended with a different cipher and ecdhe.
Note: only when I add listen on 0.0.0.0 port 8000

>Httpd allows you to configure multiple
>"servers" for subdomains but in reality there is one actual server
>listening and it has to know what parameters to use
 
Sorry, I don't understand your reasoning, because
shouldn't httpd work the same way with or without the extra listen on 0.0.0.0?



Re: httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-16 Thread hisacro
Aug 16, 2020, 7:50 AM by tro...@kagu-tsuchi.com:

>>On Sat, Aug 15, 2020 at 04:13:51PM -0700, hisacro wrote:
> 
>> $ doas httpd -nv
>> server "sub.domain.tld": tls configuration mismatch on same address/port
>> 
>> instead of defining same cipher and ecdhe, uncommenting
>> "listen on 0.0.0.0 port 8080"
>> bypasses this error
>> 
>> I'm unsure what causes this, can someone shed some light?
>
>It's what the error says. You're listening twice on the same ip and port
>but with different tls blocks.

Though I have emphasized enough (even in the title), restating:

Why does having a listen statement on  port 
bypass tls misconfiguration?



httpd - bypass tls misconfig different ciphers, ecdhe

2020-08-15 Thread hisacro
I'm on -current; httpd throws a tls misconfig error when a different
cipher or ecdhe is used, but it's bypassed by a listen statement.

server "domain.tld" {
    listen on * tls port 443
    log style combined
    hsts {
        subdomains
    }
    root "/htdocs/domain.tld/"
    tls {
        certificate "/etc/ssl/domain.tld.fullchain.pem"
        key "/etc/ssl/private/domain.tld.key"
        ciphers "HIGH:!AES128:!kRSA:!aNULL"
        ecdhe "P-384,P-256,X25519"
    }
    location "/pub/*" {
        directory auto index
    }
    location "/.well-known/mta-sts.txt" {
        root "/mta-sts"
        request strip 1
        pass
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}

server "sub.domain.tld" {
    # listen on  port 
    # note: adding before tls 
    # listen on 0.0.0.0 port 8080
    listen on * tls port 443
    root "/htdocs/sub.domain.tld"
    tls {
        certificate "/etc/ssl/domain.tld.fullchain.pem"
        key "/etc/ssl/private/domain.tld.key"
    }
    hsts {
        max-age 15768000
        preload
        subdomains
    }
    connection max request body 104857600
    location "/*" {
        fastcgi {
            param SCRIPT_FILENAME "/cgi-bin/scm"
            param SCRIPT_NAME " "
        }
    }
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}


$ doas httpd -nv
server "sub.domain.tld": tls configuration mismatch on same address/port

Instead of defining the same cipher and ecdhe, uncommenting
"listen on 0.0.0.0 port 8080"
bypasses this error.

I'm unsure what causes this, can someone shed some light?
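As an added example (not part of this thread, and not httpd's own code), a small Python checker that approximates the "tls configuration mismatch on same address/port" check on a constructed config fragment, and also flags the situation the thread arrives at: a tls listen line that is not the first listen line of its server block, whose own tls block (going by trondd's explanation) is then not applied to it. The parser handles only the server, listen and tls keywords and skips the rest; the "tls block reaches only the first listen line" rule is an assumption taken from the thread, not verified against httpd's source.

```python
import re
from collections import defaultdict

# Constructed httpd.conf fragment mirroring the thread's second config: the
# sub.domain.tld block has a plain listen line before its tls listen line.
SAMPLE = '''
server "domain.tld" {
    listen on $ext_ip tls port 443
    tls {
        ciphers "HIGH:!AES128:!kRSA:!aNULL"
        ecdhe "P-384,P-256,X25519"
    }
}
server "sub.domain.tld" {
    listen on 0.0.0.0 port 8000  # confusion?
    listen on $ext_ip tls port 443
    tls { }
}
'''
LISTEN = re.compile(r'listen on (\S+)( tls)? port (\d+)')

def parse(conf):
    """server name -> (listen lines in file order, ciphers/ecdhe of its tls block)"""
    servers, cur, depth, in_tls = {}, None, 0, False
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments and indentation
        if (m := re.match(r'server "([^"]+)"', line)) and depth == 0:
            cur, servers[m.group(1)] = m.group(1), ([], {})
        elif cur and (m := LISTEN.match(line)):
            servers[cur][0].append((m.group(1), int(m.group(3)), bool(m.group(2))))
        elif cur and line.startswith('tls'):
            in_tls = True
        elif in_tls and len(kv := line.split(None, 1)) == 2 and kv[0] in ('ciphers', 'ecdhe'):
            servers[cur][1][kv[0]] = kv[1].strip('"')
        depth += line.count('{') - line.count('}')
        in_tls = in_tls and depth > 1                  # the tls block's closing brace ends it
    return servers

def check(servers):
    """Flag differing ciphers/ecdhe on one addr:port, and tls listens that are not first."""
    findings, by_sock = [], defaultdict(list)
    for name, (listens, tls) in servers.items():
        for i, (addr, port, is_tls) in enumerate(listens):
            if is_tls and i > 0:  # assumption taken from the thread: tls block is skipped here
                findings.append(f'{name}: tls listen {addr}:{port} is not the first '
                                'listen line, so its own ciphers/ecdhe are not applied')
            elif is_tls:
                by_sock[(addr, port)].append((name, tls.get('ciphers'), tls.get('ecdhe')))
    for (addr, port), entries in by_sock.items():
        if len({e[1:] for e in entries}) > 1:        # same socket, different tls parameters
            findings.append(f'tls configuration mismatch on {addr}:{port}: '
                            + ', '.join(e[0] for e in entries))
    return findings
```

Removing the port 8000 listen line from SAMPLE reproduces the mismatch error from the original post; leaving it in produces the "not the first listen line" warning instead.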