
Josh.Wyatt at hcssystems
Sep 18, 2006, 9:10 AM
Post #5 of 5
Re: Reverse SSL proxy with NULL cipher on backend?
Spil Oss wrote:
> Hi Josh,
>
> When you say "https is hard-coded as the beginning of all URLs" you
> mean that that is done in all pages that the webserver generates? In
> that case you might just address oapache using http, and in apache2's
> config ProxyPass / http://localhost/.
>
> Kind Regards,
>
> Spil

Hi Spil,

Thank you for your response. Actually, the logic goes something like this:

1. End-human requests a report from the application server.
2. The request is handed off to a report server;
3. the report server generates the report himself via a special URL on the webserver;
4. The report retrieval URL is then mangled for security reasons, and sent back to the end-human
5. a new browser window pops up for the end-human, and retrieves the report via mangled URL.

Now, step 3 uses a "hidden" internal URL which gets mangled later on in step 4. This mangling action doesn't happen unless SSL is enabled on oapache.

Sounds complicated, and I'm sure R. Goldberg had a hand in this. But stage 3 requires SSL.

Thanks,
Josh

> On 18/09/06, Josh Wyatt <Josh.Wyatt [at] hcssystems> wrote:
>
>> Joshua Slive wrote:
>> > On 9/16/06, Josh Wyatt <Josh.Wyatt [at] hcssystems> wrote:
>> >> I'd like to use NULL authentication, ciphers, etc to reduce the
>> >> proxyapache <-> oapache SSL overhead. How can I configure oapache and
>> >> proxyapache to use NULL for authentication, ciphers, etc?
>> >
>> >
>> > I don't know the answer to that. I suspect it is impossible without
>> > modifying the configuration of oapache to accept null ciphers.
>> >
>> > But in any case, this is silly. Why not just configure oapache to use
>> > ordinary http instead?
>> >
>> > Joshua.
>>
>> I agree it's silly that SSL is required. But it truly is for this
>> application (https is hard-coded as the beginning of all URLs), and
>> it's a COTS application, so we can't change that bit.
>>
>> Now, I absolutely DO have control over oapache's configuration. And
>> as I stated in my initial post, I already tried specifying NULL
>> ciphers with. Quoting my initial post:
>>
>> 'SSLProxyCipherSuite NULL' on proxyapache, and 'SSLCipherSuite NULL'
>> on oapache. In oapache's logfiles I get:
>>
>> [Fri Sep 15 22:00:51 2006] [error] mod_ssl: SSL handshake failed
>> (server oapache:8888, client proxyapache) (OpenSSL library error follows)
>> [Fri Sep 15 22:00:51 2006] [error] OpenSSL: error:1408A0C1:SSL
>> routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too restrictive
>> SSLCipherSuite or using DSA server certificate?]
>>
>> Any help you can provide would be greatly appreciated.
>>
>> Thanks,
>> Josh
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server
>> Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe [at] httpd
>> " from the digest: users-digest-unsubscribe [at] httpd
>> For additional commands, e-mail: users-help [at] httpd
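
The two-line mod_ssl/OpenSSL error pair quoted in the message above can be correlated per server and client to spot a cipher-suite mismatch between a proxy and its backend. This is an added example, not part of the original post: the function names are hypothetical, and every sample log line after the first two is constructed.

```python
import re
from collections import Counter

# First two lines: the error pair quoted in the post, unwrapped.
# Remaining lines: constructed for illustration.
SAMPLE_LOG = """\
[Fri Sep 15 22:00:51 2006] [error] mod_ssl: SSL handshake failed (server oapache:8888, client proxyapache) (OpenSSL library error follows)
[Fri Sep 15 22:00:51 2006] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too restrictive SSLCipherSuite or using DSA server certificate?]
[Fri Sep 15 22:01:07 2006] [notice] constructed unrelated line
[Fri Sep 15 22:02:13 2006] [error] mod_ssl: SSL handshake failed (server oapache:8888, client proxyapache) (OpenSSL library error follows)
[Fri Sep 15 22:02:13 2006] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too restrictive SSLCipherSuite or using DSA server certificate?]
[Fri Sep 15 22:03:40 2006] [error] mod_ssl: SSL handshake failed (server oapache:8888, client 192.0.2.10) (OpenSSL library error follows)
[Fri Sep 15 22:03:40 2006] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
"""

HANDSHAKE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] mod_ssl: SSL handshake failed "
    r"\(server (?P<server>[^,]+), client (?P<client>[^)]+)\)")
OPENSSL = re.compile(
    r"^\[[^\]]+\] \[error\] OpenSSL: error:(?P<code>[0-9A-Fa-f]+):"
    r"[^:]*:[^:]*:(?P<reason>[^\[\n]*)")

def handshake_failures(text):
    """Pair each 'SSL handshake failed' line with the OpenSSL error that follows it."""
    events, pending = [], None
    for line in text.splitlines():
        m = HANDSHAKE.match(line)
        if m:
            if pending:                      # previous failure had no detail line
                events.append(pending)
            pending = dict(m.groupdict(), code=None, reason=None)
            continue
        m = OPENSSL.match(line)
        if m and pending:
            pending.update(code=m["code"].upper(), reason=m["reason"].strip())
            events.append(pending)
            pending = None
    if pending:
        events.append(pending)
    return events

def cipher_mismatches(events):
    """Count 'no shared cipher' failures per (server, client) pair."""
    return Counter((e["server"], e["client"])
                   for e in events if e["reason"] == "no shared cipher")

if __name__ == "__main__":
    for pair, n in cipher_mismatches(handshake_failures(SAMPLE_LOG)).items():
        print(pair, n)
```
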