Re: httpd - bypass tls misconfig different ciphers, ecdhe
On Tue, Aug 18, 2020 at 09:28:18PM -0400, trondd wrote:
> The bug here is in how additional listen lines interact with the remaining
> configuration. The first listen line in a server block gets the tls block
> and it doesn't get applied to the second listen line. Except for certs
> and keys which are handled differently for SNI.

I rechecked, you're right. In the TLS block, except for key and certificate, the
subdomain server (or the server defined last) inherits its config from the
previously defined one (in the example config, the main server). Is this worth
a bug report, or could it be confusion in the configs?
Re: httpd - bypass tls misconfig different ciphers, ecdhe
On Sun, Aug 16, 2020 at 02:34:27PM -0400, trondd wrote:
> Oh, I see what you're doing. BOTH listen lines are active in the second
> server block. When you connect to port 443 with that config, which TLS
> settings does it use? I want to guess that because you're listening on
> port 8000 without tls first, the listen with tls is skipped along with the
> tls block below it.

No, the listen with tls isn't skipped for sub.domain.tld.

>> This indeed listens on the same address ($ext_ip) and same port (443)
>> and works as intended with different cipher and ecdhe.
Re: httpd - bypass tls misconfig different ciphers, ecdhe
Aug 16, 2020, 11:44 AM by tro...@kagu-tsuchi.com:
> Because it's not the same IP and port anymore. You can only have one
> thing listening on an ip+port

I got a working httpd config with the same IP and the same port:

    server "domain.tld" {
        listen on $ext_ip tls port 443
        tls {
            certificate "/etc/ssl/domain.tld.fullchain.pem"
            key "/etc/ssl/private/domain.tld.key"
            ciphers "HIGH:!AES128:!kRSA:!aNULL"
            ecdhe "P-384,P-256,X25519"
        }
    }

    server "sub.domain.tld" {
        listen on 0.0.0.0 port 8000 # confusion?
        listen on $ext_ip tls port 443
        tls {
            certificate "/etc/ssl/domain.tld.fullchain.pem"
            key "/etc/ssl/private/domain.tld.key"
        }
    }

This indeed listens on the same address ($ext_ip) and same port (443)
and works as intended with different cipher and ecdhe.
Note: only when I add listen on 0.0.0.0 port 8000.

> Httpd allows you to configure multiple
> "servers" for subdomains but in reality there is one actual server
> listening and it has to know what parameters to use

Sorry, I don't understand your reasoning, because shouldn't httpd work the
same way with or without the extra listen on 0.0.0.0?
Re: httpd - bypass tls misconfig different ciphers, ecdhe
Aug 16, 2020, 7:50 AM by tro...@kagu-tsuchi.com:
>> On Sat, Aug 15, 2020 at 04:13:51PM -0700, hisacro wrote:
>
>> $ doas httpd -nv
>> server "sub.domain.tld": tls configuration mismatch on same address/port
>>
>> instead of defining same cipher and ecdhe, uncommenting
>> "listen on 0.0.0.0 port 8080"
>> bypasses this error
>>
>> I'm unsure what causes this, can someone shed some light?
>
> It's what the error says. You're listening twice on the same ip and port
> but with different tls blocks.

Though I have emphasized it enough (even in the title), re-stating: why does
having a listen statement on a port bypass the tls misconfiguration?
httpd - bypass tls misconfig different ciphers, ecdhe
I'm on -current. httpd throws a tls misconfig error when a different cipher or
ecdhe is used, but it's bypassed by a listen statement.

    server "domain.tld" {
        listen on * tls port 443
        log style combined
        hsts { subdomains }
        root "/htdocs/domain.tld/"
        tls {
            certificate "/etc/ssl/domain.tld.fullchain.pem"
            key "/etc/ssl/private/domain.tld.key"
            ciphers "HIGH:!AES128:!kRSA:!aNULL"
            ecdhe "P-384,P-256,X25519"
        }
        location "/pub/*" {
            directory auto index
        }
        location "/.well-known/mta-sts.txt" {
            root "/mta-sts"
            request strip 1
            pass
        }
        location "/.well-known/acme-challenge/*" {
            root "/acme"
            request strip 2
        }
    }

    server "sub.domain.tld" {
        # listen on port
        # note: adding before tls
        # listen on 0.0.0.0 port 8080
        listen on * tls port 443
        root "/htdocs/sub.domain.tld"
        tls {
            certificate "/etc/ssl/domain.tld.fullchain.pem"
            key "/etc/ssl/private/domain.tld.key"
        }
        hsts {
            max-age 15768000
            preload
            subdomains
        }
        connection max request body 104857600
        location "/*" {
            fastcgi {
                param SCRIPT_FILENAME "/cgi-bin/scm"
                param SCRIPT_NAME " "
            }
        }
        location "/.well-known/acme-challenge/*" {
            root "/acme"
            request strip 2
        }
    }

    $ doas httpd -nv
    server "sub.domain.tld": tls configuration mismatch on same address/port

Instead of defining the same cipher and ecdhe, uncommenting
"listen on 0.0.0.0 port 8080" bypasses this error. I'm unsure what causes
this; can someone shed some light?
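The thread's conclusion is that httpd's "tls configuration mismatch on same address/port" check is skipped once an extra plain listen line precedes the TLS one, so a subdomain server silently inherits ciphers/ecdhe from the server defined before it. The following is an added example, not part of the thread and not OpenBSD httpd's own code: a small Python lint that performs the check the poster expected, ignoring listen-line order, so that a config like the one above is flagged whether or not the 0.0.0.0 listen line is uncommented. It parses only the subset of httpd.conf syntax used in the thread (one statement per line, name="value" macros) and compares ciphers and ecdhe only, leaving certificate and key out because, as trondd notes, those are per-SNI and may differ. The sample config is constructed from the thread's servers, and the value 192.0.2.10 for $ext_ip is a placeholder the thread never gives.

```python
"""Lint an httpd.conf-style config for TLS listeners that share an address/port
but disagree on ciphers/ecdhe.  Added example, not OpenBSD httpd's own check."""
import shlex

# Constructed sample: the thread's two servers, reduced to their listen lines
# and tls blocks.  $ext_ip is set to a documentation address as a placeholder.
SAMPLE_CONF = '''
ext_ip="192.0.2.10"

server "domain.tld" {
    listen on $ext_ip tls port 443
    tls {
        certificate "/etc/ssl/domain.tld.fullchain.pem"
        key "/etc/ssl/private/domain.tld.key"
        ciphers "HIGH:!AES128:!kRSA:!aNULL"
        ecdhe "P-384,P-256,X25519"
    }
}

server "sub.domain.tld" {
    listen on 0.0.0.0 port 8080   # the extra listen that hides the mismatch
    listen on $ext_ip tls port 443
    tls {
        certificate "/etc/ssl/domain.tld.fullchain.pem"
        key "/etc/ssl/private/domain.tld.key"
    }
}
'''

# tls options that must agree across listeners on one address/port.
# certificate and key are per-SNI and deliberately left out.
SHARED_TLS_OPTIONS = ("ciphers", "ecdhe")


def parse_servers(text):
    """Parse the httpd.conf subset used above (one statement per line,
    macros as name="value") into a list of {name, listen, tls} dicts."""
    macros, servers, server, blocks = {}, [], None, []
    for raw in text.splitlines():
        toks = shlex.split(raw, comments=True)   # strips quotes and '#' comments
        if not toks:
            continue
        # expand $macro references to their defined value
        toks = [macros.get(t[1:], t) if t.startswith("$") else t for t in toks]
        if not blocks and len(toks) == 1 and "=" in toks[0]:
            name, _, value = toks[0].partition("=")
            macros[name] = value
        elif toks[-1] == "{":                     # opening a block
            if toks[0] == "server":
                server = {"name": toks[1], "listen": [], "tls": {}}
                servers.append(server)
            blocks.append(toks[0])
        elif toks == ["}"]:                        # closing a block
            blocks.pop()
        elif blocks == ["server"] and toks[0] == "listen":
            # listen on ADDR [tls] port PORT
            addr = toks[2]
            port = toks[toks.index("port") + 1]
            server["listen"].append((addr, port, "tls" in toks))
        elif blocks == ["server", "tls"]:
            server["tls"][toks[0]] = " ".join(toks[1:])
    return servers


def find_tls_mismatches(servers):
    """Return (server, earlier_server, addr, port) for each TLS listener whose
    ciphers/ecdhe differ from the first server seen on that address/port.
    Non-TLS listen lines are skipped and listen-line order is irrelevant,
    so an extra plain listen line cannot mask a mismatch."""
    first_seen = {}
    problems = []
    for s in servers:
        profile = tuple(s["tls"].get(opt) for opt in SHARED_TLS_OPTIONS)
        for addr, port, is_tls in s["listen"]:
            if not is_tls:
                continue
            key = (addr, port)
            if key not in first_seen:
                first_seen[key] = (s["name"], profile)
            elif first_seen[key][1] != profile:
                problems.append((s["name"], first_seen[key][0], addr, port))
    return problems


def lint(text):
    return find_tls_mismatches(parse_servers(text))


if __name__ == "__main__":
    for name, other, addr, port in lint(SAMPLE_CONF):
        print(f'server "{name}": ciphers/ecdhe differ from "{other}" on {addr}:{port}')
```

Run against the sample it reports sub.domain.tld as differing from domain.tld on 192.0.2.10:443, which is the condition the poster wanted httpd -nv to keep catching. The lint only checks what is written in the config; to see which settings a running httpd actually negotiates for a given name, connect with `openssl s_client -servername sub.domain.tld -connect host:443` and read the reported cipher and curve.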