Gentoo Forums
Apache SSL SSLCipherSuite management with multiple vhosts
Philippe23
Tux's lil' helper


Joined: 20 Dec 2006
Posts: 115
Location: Rome, NY

Posted: Sun Apr 05, 2015 1:24 pm    Post subject: Apache SSL SSLCipherSuite management with multiple vhosts

It just came to my attention that the settings in 00_default_ssl_vhost.conf are not being used by my other SSL-enabled vhosts. (Which means I've been allowing a bunch of really crummy insecure settings.)

Currently to fix it, it seems like I have to copy-and-paste SSLProtocol, SSLCipherSuite, & SSLHonorCipherOrder's settings out of 00_default_ssl_vhost.conf and paste them in each of my additional vhost files that have SSL enabled.

This seems like a poor setup for maintainability, especially since I won't gain the benefit of Gentoo devs updating settings in 00_default_ssl_vhost.conf until I notice & copy-and-paste the improved values.

Does anybody have a suggestion for how to do this better?

Example of an SSL-enabled vhost's SSL settings (with the copy-and-pasted settings):

Code:

<IfDefine SSL>
    <IfModule ssl_module>
        <VirtualHost *:443>
            ServerName secure.***.com

            SSLEngine on

            # :TODO: Figure out how to have this in one place for all vhosts.
            # (These are copied from 00_default_ssl_vhost.conf)
            SSLProtocol ALL -SSLv2 -SSLv3
            SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
            SSLHonorCipherOrder On

            SSLCertificateFile /etc/ssl/apache2/secure.***.com.crt
            SSLCertificateKeyFile /etc/ssl/apache2/secure.***.com.key
            SSLCertificateChainFile /etc/ssl/certs/***server.ca.pem
            SSLCACertificateFile /etc/ssl/certs/***.ca.pem

            SSLOptions +StrictRequire

            DocumentRoot "/var/www/***.com/secure/"

            ErrorLog /var/log/apache2/***-error
            CustomLog /var/log/apache2/***-access combined
        </VirtualHost>
    </IfModule>
</IfDefine>

<VirtualHost *:80>

    ...

</VirtualHost>
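As an added example (not part of the original post, and not Gentoo's own packaging), one way to keep the policy in a single place: move the three directives into a shared snippet and pull it into every SSL vhost with Include. The snippet path and file name are assumptions; the directive values are exactly the ones quoted in the post, and the .inc suffix is chosen so that a glob Include of vhosts.d/*.conf does not load the snippet a second time on its own.

```apache
# /etc/apache2/vhosts.d/ssl-policy.inc   (path and name are assumptions)
# Shared TLS policy for every SSL-enabled vhost. Edit this file only;
# each vhost pulls it in below, so a change here applies everywhere.
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
SSLHonorCipherOrder On

# /etc/apache2/vhosts.d/10_secure_vhost.conf   (name is an assumption)
# Each SSL vhost replaces the copied directives with a single Include.
# Directives set directly in a vhost after the Include still override
# the shared values, so a per-host exception stays visible in that file.
<IfDefine SSL>
    <IfModule ssl_module>
        <VirtualHost *:443>
            ServerName secure.example.com
            SSLEngine on

            # Shared policy (one line per vhost instead of three copied ones).
            Include /etc/apache2/vhosts.d/ssl-policy.inc

            SSLCertificateFile /etc/ssl/apache2/secure.example.com.crt
            SSLCertificateKeyFile /etc/ssl/apache2/secure.example.com.key
            SSLOptions +StrictRequire
            DocumentRoot "/var/www/example.com/secure/"
        </VirtualHost>
    </IfModule>
</IfDefine>
```

After `apache2ctl configtest` and a reload, confirm the policy actually reached each name with `openssl s_client -connect HOST:443 -servername NAME -ssl3`, which should now fail to handshake for every vhost, not just the default one.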