Re: [users@httpd] SSL Certificate Validation

2018-02-09 Thread Eric Covener
On Thu, Feb 8, 2018 at 12:51 PM, Houser, Rick wrote:
> I didn’t think you could have two virtualhost entries with the same IP/port.

That's just name-based virtualhosts. The first one is the default.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] SSL Certificate Validation

2018-02-09 Thread Dr James A Smith
The whole point of virtual hosts is you can have multiple of them - that 
is the whole way Apache configuration works to have multiple sites being 
served from the same server... currently I have servers with 20+ 
virtualhost configurations.


Having a single virtual host is OK - but if you have more than one 
virtualhost (or you have multiple domains for a single virtualhost - we 
do on sandbox/dev/staging/live sites) you would need to write a long set 
of RewriteCond entries.


The configuration I set up is the simplest extensible one...



On 08/02/2018 17:51, Houser, Rick wrote:


I didn’t think you could have two virtualhost entries with the same 
IP/port.  I would probably do this within a single VirtualHost, 
myself.  Something like this combined with the RewriteRule:


RewriteCond %{HTTP_HOST} !^THE.CORRECT.HOSTNAME$

Rick Houser

Web Engineer

*From:*Dr James A Smith [mailto:j...@sanger.ac.uk]
*Sent:* Thursday, February 08, 2018 12:18
*To:* users@httpd.apache.org
*Subject:* Re: [users@httpd] SSL Certificate Validation

*EXTERNAL EMAIL*

The easiest way to do this is to make sure you have the correct 
hostname in the virtual host - the one that matches your certificate 
and another virtual host which has no hostname in it to catch all the 
other requests.



<VirtualHost *:443>
  # address/port as in your Listen directive; this container is listed
  # first, so it is the default for any Host the real host does not claim:
  # return a forbidden response for all requests!
  RewriteEngine On
  RewriteRule ^(.*)$ - [L,F]
</VirtualHost>

<VirtualHost *:443>
  ServerName your.real.host.com
  ... real config...
</VirtualHost>


On 08/02/2018 16:46, Houser, Rick wrote:

In addition to fixing your certificate, you may have a reason to
make sure the host header they send is correct.  If they are
reaching you via an alternate hostname or something that’s getting
them to the correct IP, but shouldn’t be supported for your
service, stopping them from doing that might take away the
incentive they see to disable the hostname verification in the
first place.

Rick Houser

Web Engineer

*From:* Eric Covener [mailto:cove...@gmail.com]
*Sent:* Thursday, February 08, 2018 11:19
*To:* users@httpd.apache.org
*Subject:* Re: [users@httpd] SSL Certificate Validation



On Thu, Feb 8, 2018 at 7:36 AM, Belmona, Nizar
<nbelm...@cscgroup.com> wrote:

Thanks Rainer and Daniel.

Sorry for the confusion and please let me clarify.

We have a web server with Apache 2.2.22 with OpenSSL 0.9.8t,
the Apache service launches fine and the users/developers are
able to connect however developers through their code bypass
the Server SSL certificate verification. I am not worried
about the client certificate validation since we are not using
it,  all the concern is we need to stop users bypassing the
Server SSL verification who are claiming they have to bypass
it since the certificate name doesn’t match the server name in
the link being called. Kindly note that configuration in
httpd.conf is:

You can't stop them unless you control the client.  You only
control the server. The only thing you could do is provide a
better certificate.




-- The Wellcome Sanger Institute is operated by Genome Research 
Limited, a charity registered in England with number 1021457 and a 
company registered in England with number 2742969, whose registered 
office is 215 Euston Road, London, NW1 2BE.








RE: [users@httpd] SSL Certificate Validation

2018-02-08 Thread Houser, Rick
I didn’t think you could have two virtualhost entries with the same IP/port.  I 
would probably do this within a single VirtualHost, myself.  Something 
like this combined with the RewriteRule:

RewriteCond %{HTTP_HOST} !^THE.CORRECT.HOSTNAME$


Rick Houser
Web Engineer

From: Dr James A Smith [mailto:j...@sanger.ac.uk]
Sent: Thursday, February 08, 2018 12:18
To: users@httpd.apache.org
Subject: Re: [users@httpd] SSL Certificate Validation



The easiest way to do this is to make sure you have the correct hostname in the 
virtual host - the one that matches your certificate and another virtual host 
which has no hostname in it to catch all the other requests.


<VirtualHost *:443>
  # address/port as in your Listen directive; this container is listed
  # first, so it is the default for any Host the real host does not claim:
  # return a forbidden response for all requests!
  RewriteEngine On
  RewriteRule ^(.*)$ - [L,F]
</VirtualHost>

<VirtualHost *:443>
  ServerName your.real.host.com
  ... real config...
</VirtualHost>




On 08/02/2018 16:46, Houser, Rick wrote:
In addition to fixing your certificate, you may have a reason to make sure the 
host header they send is correct.  If they are reaching you via an alternate 
hostname or something that’s getting them to the correct IP, but shouldn’t be 
supported for your service, stopping them from doing that might take away the 
incentive they see to disable the hostname verification in the first place.


Rick Houser
Web Engineer

From: Eric Covener [mailto:cove...@gmail.com]
Sent: Thursday, February 08, 2018 11:19
To: users@httpd.apache.org
Subject: Re: [users@httpd] SSL Certificate Validation





On Thu, Feb 8, 2018 at 7:36 AM, Belmona, Nizar 
<nbelm...@cscgroup.com> wrote:
Thanks Rainer and Daniel.
Sorry for the confusion and please let me clarify.

We have a web server with Apache 2.2.22 with OpenSSL 0.9.8t, the Apache service 
launches fine and the users/developers are able to connect however developers 
through their code bypass the Server SSL certificate verification. I am not 
worried about the client certificate validation since we are not using it,  all 
the concern is we need to stop users bypassing the Server SSL verification who 
are claiming they have to bypass it since the certificate name doesn’t match 
the server name in the link being called. Kindly note that configuration in 
httpd.conf is:



You can't stop them unless you control the client.  You only control the 
server. The only thing you could do is provide a better certificate.





Re: [users@httpd] SSL Certificate Validation

2018-02-08 Thread Dr James A Smith
The easiest way to do this is to make sure you have the correct hostname 
in the virtual host - the one that matches your certificate and another 
virtual host which has no hostname in it to catch all the other requests.



<VirtualHost *:443>
  # address/port as in your Listen directive; this container is listed
  # first, so it is the default for any Host the real host does not claim:
  # return a forbidden response for all requests!
  RewriteEngine On
  RewriteRule ^(.*)$ - [L,F]
</VirtualHost>

<VirtualHost *:443>
  ServerName your.real.host.com
  ... real config...
</VirtualHost>




On 08/02/2018 16:46, Houser, Rick wrote:


In addition to fixing your certificate, you may have a reason to make 
sure the host header they send is correct.  If they are reaching you 
via an alternate hostname or something that’s getting them to the 
correct IP, but shouldn’t be supported for your service, stopping them 
from doing that might take away the incentive they see to disable 
the hostname verification in the first place.


Rick Houser

Web Engineer

*From:* Eric Covener [mailto:cove...@gmail.com]
*Sent:* Thursday, February 08, 2018 11:19
*To:* users@httpd.apache.org
*Subject:* Re: [users@httpd] SSL Certificate Validation


On Thu, Feb 8, 2018 at 7:36 AM, Belmona, Nizar <nbelm...@cscgroup.com> wrote:


Thanks Rainer and Daniel.

Sorry for the confusion and please let me clarify.

We have a web server with Apache 2.2.22 with OpenSSL 0.9.8t, the
Apache service launches fine and the users/developers are able to
connect however developers through their code bypass the Server
SSL certificate verification. I am not worried about the client
certificate validation since we are not using it,  all the concern
is we need to stop users bypassing the Server SSL verification who
are claiming they have to bypass it since the certificate name
doesn’t match the server name in the link being called. Kindly
note that configuration in httpd.conf is:

You can't stop them unless you control the client. You only control 
the server. The only thing you could do is provide a better certificate.









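Eric's remark that the first container for an IP/port is the default, James's catch-all-first layout above, and Rick's single-VirtualHost RewriteCond variant all turn on two details: how httpd picks a virtual host for a request, and what a Host-header regex actually accepts. The following Python model is an added example written for this page; it is not httpd code and not from any poster. It models name-based selection with the Host header alone (the first container for the port is the default, a ServerName or ServerAlias match wins otherwise; real httpd also consults the TLS SNI name), and it evaluates a RewriteCond pattern against the raw Host value so that the two caveats a practitioner runs into are visible: an unescaped "." matches any character, and %{HTTP_HOST} keeps an explicit ":port". The host names, the vhost layout and the helper names are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class VirtualHost:
    """Constructed stand-in for one <VirtualHost addr:port> container."""
    name: str                                   # label used in results
    address: str                                # the container argument, e.g. "*:443"
    server_name: Optional[str] = None           # ServerName, if any
    server_aliases: List[str] = field(default_factory=list)  # ServerAlias entries (may use * and ?)
    forbid_all: bool = False                    # stands for: RewriteRule ^(.*)$ - [L,F]


def host_only(host_header: str) -> str:
    """Lower-case the Host header and drop an explicit :port, the way httpd
    compares it against ServerName/ServerAlias (simplified model)."""
    host = host_header.strip().lower()
    if host.startswith("["):                    # bracketed IPv6 literal
        return host[: host.index("]") + 1]
    return host.rsplit(":", 1)[0] if ":" in host else host


def select_vhost(vhosts: List[VirtualHost], port: int, host_header: str) -> VirtualHost:
    """Name-based selection for one port: a ServerName/ServerAlias match wins,
    otherwise the FIRST container listed for that port is the default (Eric's point).
    Real httpd also consults the TLS SNI name; this model uses the Host header only."""
    candidates = [v for v in vhosts if v.address.endswith(f":{port}")]
    if not candidates:
        raise LookupError(f"no <VirtualHost> container for port {port}")
    host = host_only(host_header)
    for v in candidates:
        names = ([v.server_name] if v.server_name else []) + v.server_aliases
        if any(fnmatchcase(host, n.lower()) for n in names):
            return v
    return candidates[0]


def handle_request(vhosts: List[VirtualHost], port: int, host_header: str) -> Tuple[str, int]:
    """Return (vhost label, HTTP status): 403 when the chosen container forbids everything."""
    chosen = select_vhost(vhosts, port, host_header)
    return chosen.name, (403 if chosen.forbid_all else 200)


def rewritecond_forbids(host_pattern: str, host_header: str) -> bool:
    """Rick's single-container variant:
        RewriteCond %{HTTP_HOST} !<host_pattern>
        RewriteRule ^(.*)$ - [L,F]
    The rule fires (request forbidden) when the RAW Host header does not match.
    Caveats this exposes: an unescaped '.' matches any character, and an explicit
    ':port' sent by the client is part of the tested string."""
    return re.search(host_pattern, host_header) is None


# Constructed layout mirroring James's configuration: catch-all first, real host second.
JAMES_LAYOUT = [
    VirtualHost("catch-all", "*:443", forbid_all=True),
    VirtualHost("real", "*:443", server_name="your.real.host.com"),
]
REVERSED_LAYOUT = list(reversed(JAMES_LAYOUT))   # same containers, wrong order

if __name__ == "__main__":
    for host in ("your.real.host.com", "YOUR.REAL.HOST.COM:443", "203.0.113.10", "other.name.example"):
        print(f"{host:26} James layout -> {handle_request(JAMES_LAYOUT, 443, host)}"
              f"   reversed -> {handle_request(REVERSED_LAYOUT, 443, host)}")
    loose, strict = r"^www.example.com$", r"^www\.example\.com(:443)?$"
    for host in ("www.example.com", "wwwXexampleXcom", "www.example.com:443"):
        print(f"{host:22} loose forbids={rewritecond_forbids(loose, host)}"
              f"  strict forbids={rewritecond_forbids(strict, host)}")
```

Ordering is the thing to check: with the two containers swapped, the real host becomes the default and requests with an unknown Host value are served instead of refused. In a real 2.2 configuration the catch-all must also carry SSLEngine On and a certificate, because the first *:443 container performs the TLS handshake for clients that send no SNI, and the address needs a NameVirtualHost *:443 line for name-based selection to apply at all.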
RE: [users@httpd] SSL Certificate Validation

2018-02-08 Thread Houser, Rick
In addition to fixing your certificate, you may have a reason to make sure the 
host header they send is correct.  If they are reaching you via an alternate 
hostname or something that’s getting them to the correct IP, but shouldn’t be 
supported for your service, stopping them from doing that might take away the 
incentive they see to disable the hostname verification in the first place.


Rick Houser
Web Engineer

From: Eric Covener [mailto:cove...@gmail.com]
Sent: Thursday, February 08, 2018 11:19
To: users@httpd.apache.org
Subject: Re: [users@httpd] SSL Certificate Validation




On Thu, Feb 8, 2018 at 7:36 AM, Belmona, Nizar 
<nbelm...@cscgroup.com> wrote:
Thanks Rainer and Daniel.
Sorry for the confusion and please let me clarify.

We have a web server with Apache 2.2.22 with OpenSSL 0.9.8t, the Apache service 
launches fine and the users/developers are able to connect however developers 
through their code bypass the Server SSL certificate verification. I am not 
worried about the client certificate validation since we are not using it,  all 
the concern is we need to stop users bypassing the Server SSL verification who 
are claiming they have to bypass it since the certificate name doesn’t match 
the server name in the link being called. Kindly note that configuration in 
httpd.conf is:



You can't stop them unless you control the client.  You only control the 
server. The only thing you could do is provide a better certificate.



Re: [users@httpd] SSL Certificate Validation

2018-02-08 Thread Eric Covener
On Thu, Feb 8, 2018 at 7:36 AM, Belmona, Nizar wrote:

> Thanks Rainer and Daniel.
>
> Sorry for the confusion and please let me clarify.
>
>
>
> We have a web server with Apache 2.2.22 with OpenSSL 0.9.8t, the Apache
> service launches fine and the users/developers are able to connect however
> developers through their code bypass the Server SSL certificate
> verification. I am not worried about the client certificate validation
> since we are not using it,  all the concern is we need to stop users
> bypassing the Server SSL verification who are claiming they have to bypass
> it since the certificate name doesn’t match the server name in the link
> being called. Kindly note that configuration in httpd.conf is:
>



You can't stop them unless you control the client.  You only control the
server. The only thing you could do is provide a better certificate.


RE: [users@httpd] SSL Certificate Validation

2018-02-08 Thread Belmona, Nizar
Thanks Rainer and Daniel.
Sorry for the confusion and please let me clarify.

We have a web server with Apache 2.2.22 with OpenSSL 0.9.8t, the Apache service 
launches fine and the users/developers are able to connect however developers 
through their code bypass the Server SSL certificate verification. I am not 
worried about the client certificate validation since we are not using it,  all 
the concern is we need to stop users bypassing the Server SSL verification who 
are claiming they have to bypass it since the certificate name doesn’t match 
the server name in the link being called. Kindly note that configuration in 
httpd.conf is:


DocumentRoot "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs"
ServerName xxx.xxx.com
SSLEngine On
SSLCertificateFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\A.crt"
SSLCertificateKeyFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\B.pem"
SSLCertificateChainFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\C.crt"


Regards,


From: Daniel [mailto:dferra...@gmail.com]
Sent: Thursday, February 8, 2018 12:38 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] SSL Certificate Validation

Hello Nizar,

You need to provide much more info on your current setup so we can provide any 
meaningful advice. Which SSL verification? What configuration?

Regarding httpd what's needed in config, the basic thing to have 
"SSLVerifyClient require" and a list of accepted CA's but that could be 
overridden in config, that's why you need to show your actual setup or more 
relevant info.
As an added note, if you have real concerns regarding security one of the best 
things to do is probably to consider upgrading your openssl version which seems 
ancient.

2018-02-08 7:16 GMT+01:00 Belmona, Nizar 
<nbelm...@cscgroup.com>:
Dear users,
We are currently using Apache 2.2.22 (mod_ssl 2.2.22, OpenSSL/0.9.8t) and we 
have a security concern since developers are able to bypass the SSL certificate 
verification when using HTTPS calls. Kindly advise what configuration is needed 
to enforce the certificate verification? In other words, should anyone try to 
bypass this verification, the call fails returning some kind of error code.
Please note that our environment is a simple one; it consists of one web server 
with no proxies.

Your help is greatly appreciated.

Regards,

Nizar Belmona

Deputy Section Head
Card Management System Department | CSCBank SAL





--
Daniel Ferradal
IT Specialist

email dferradal at gmail.com
linkedin es.linkedin.com/in/danielferradal




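Eric's answer to Nizar is that the server side can only offer a certificate the client will accept, and Nizar's own description of the problem is that the name in the certificate does not match the server name in the link being called. The check below is an added example written for this page, not code from any poster and not httpd's own: it applies the RFC 6125 name-matching rules that a verifying client applies to a certificate given in the dict form Python's ssl getpeercert() returns, and audits the ServerName together with the hostnames developers actually put in their URLs. The certificates, hostnames and URLs are constructed samples, and cn_fallback is a parameter invented here to show the difference between clients that still honour the subject CN and those that require a SAN.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Certificates below use the dict shape ssl.SSLSocket.getpeercert() returns; all are constructed samples.
CERT_MISMATCH = {   # what Nizar describes: the name in the cert is not the name in the link
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}
CERT_FIXED = {      # the "better certificate": SANs cover every name developers actually use
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "api.example.com"), ("DNS", "*.dev.example.com")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "legacy.example.com"),),)}   # no SAN at all


def cert_dns_names(cert: Dict, cn_fallback: bool = True) -> List[str]:
    """Names a verifying client may match: the DNS SANs; the subject CN only when
    there is no SAN at all AND the client still honours CN (modern browsers do not)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans or not cn_fallback:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, label by label; a wildcard is
    honoured only as the entire left-most label and never for the top two labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False            # *.example.com covers neither a.b.example.com nor example.com
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def hostname_matches_cert(cert: Dict, hostname: str, cn_fallback: bool = True) -> Tuple[bool, str]:
    """Decide as a verifying client would whether this certificate is valid for hostname."""
    names = cert_dns_names(cert, cn_fallback)
    if not names:
        return False, "certificate carries no DNS name a client could match"
    for name in names:
        if dns_name_matches(name, hostname):
            return True, f"matched {name}"
    return False, f"{hostname} is not among {names}"


def audit_certificate(cert: Dict, server_name: str, urls: List[str]) -> Dict[str, bool]:
    """For the ServerName and the host in every URL developers call, say whether a
    verifying client would accept this certificate. A False entry is exactly the
    mismatch that tempts people to switch verification off; the fix belongs on the
    server side: a certificate whose SANs cover that name, or URLs using a covered name."""
    hosts = [server_name] + [urlsplit(u).hostname or "" for u in urls]
    return {host: hostname_matches_cert(cert, host)[0] for host in hosts}


if __name__ == "__main__":
    links = ["https://api.example.com/v1/cards", "https://www.example.com/"]
    print("current cert:", audit_certificate(CERT_MISMATCH, "www.example.com", links))
    print("fixed cert:  ", audit_certificate(CERT_FIXED, "www.example.com", links))
    print("CN-only cert, strict client:",
          hostname_matches_cert(CERT_CN_ONLY, "legacy.example.com", cn_fallback=False))
```

Run the audit against the certificate you actually serve and the URLs that appear in the developers' code; every name that comes back False has to be added to the certificate's SAN list (or removed from the URLs) before asking the developers to turn verification back on.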


Re: [users@httpd] SSL Certificate Validation

2018-02-08 Thread Daniel
Hello Nizar,

You need to provide much more info on your current setup so we can provide
any meaningful advice. Which SSL verification? What configuration?

Regarding httpd what's needed in config, the basic thing to have
"SSLVerifyClient require" and a list of accepted CA's but that could be
overridden in config, that's why you need to show your actual setup or more
relevant info.
As an added note, if you have real concerns regarding security one of the
best things to do is probably to consider upgrading your openssl version
which seems ancient.

2018-02-08 7:16 GMT+01:00 Belmona, Nizar :

> Dear users,
>
> We are currently using Apache 2.2.22 (mod_ssl 2.2.22, OpenSSL/0.9.8t) and
> we have a security concern since developers are able to bypass the SSL
> certificate verification when using HTTPS calls. Kindly advise what
> configuration is needed to enforce the certificate verification? In other
> words, should anyone try to bypass this verification, the call fails
> returning some kind of error code.
>
> Please note that our environment is a simple one; it consists of one web
> server with no proxies.
>
>
>
> Your help is greatly appreciated.
>
>
>
> Regards,
>
>
> Nizar Belmona
> Deputy Section Head


-- 
*Daniel Ferradal*
IT Specialist

email dferradal at gmail.com
linkedin es.linkedin.com/in/danielferradal


[users@httpd] SSL Certificate Validation

2018-02-07 Thread Belmona, Nizar
Dear users,
We are currently using Apache 2.2.22 (mod_ssl 2.2.22, OpenSSL/0.9.8t) and we 
have a security concern since developers are able to bypass the SSL certificate 
verification when using HTTPS calls. Kindly advise what configuration is needed 
to enforce the certificate verification? In other words, should anyone try to 
bypass this verification, the call fails returning some kind of error code.
Please note that our environment is a simple one; it consists of one web server 
with no proxies.

Your help is greatly appreciated.

Regards,


Nizar Belmona
Deputy Section Head

Card Management System Department | CSCBank SAL 