
Josh.Wyatt at hcssystems
Sep 18, 2006, 9:24 AM
Different direction - WAS: Reverse SSL proxy with NULL cipher on backend?
To ask a different way, and potentially simplify the question: on an Apache 1.3.x webserver, when I specify the following cipher suite config using:

SSLCipherSuite NULL:eNULL

Apache demands a certificate and keyfile, even though the only valid request is for NULL. So, the question is, what is the format for NULL certificate files and key files? How do I generate them?

Thanks,
josh

Josh Wyatt wrote:
> Spil Oss wrote:
>
>> Hi Josh,
>>
>> When you say "https is hard-coded as the beginning of all URLs" you
>> mean that that is done in all pages that the webserver generates? In
>> that case you might just address oapache using http, and in apache2's
>> config ProxyPass / http://localhost/.
>>
>> Kind Regards,
>>
>> Spil
>
>
> Hi Spil,
>
> Thank you for your response.
>
> Actually, the logic goes something like this:
> 1. End-human requests a report from the application server.
> 2. The request is handed off to a report server;
> 3. the report server generates the report himself via a special URL on
> the webserver;
> 4. The report retrieval URL is then mangled for security reasons, and
> sent back to the end-human
> 5. a new browser window pops up for the end-human, and retrieves the
> report via mangled URL.
>
> Now, step 3 uses a "hidden" internal URL which gets mangled later on in
> step 4. This mangling action doesn't happen unless SSL is enabled on
> oapache.
>
> Sounds complicated, and I'm sure R. Goldberg had a hand in this. But
> stage 3 requires SSL.
> Thanks,
> Josh
>
>
>> On 18/09/06, Josh Wyatt <Josh.Wyatt [at] hcssystems> wrote:
>>
>>> Joshua Slive wrote:
>>> > On 9/16/06, Josh Wyatt <Josh.Wyatt [at] hcssystems> wrote:
>>> >> I'd like to use NULL authentication, ciphers, etc to reduce the
>>> >> proxyapache <-> oapache SSL overhead. How can I configure oapache and
>>> >> proxyapache to use NULL for authentication, ciphers, etc?
>>> >
>>> > I don't know the answer to that. I suspect it is impossible without
>>> > modifying the configuration of oapache to accept null ciphers.
>>> >
>>> > But in any case, this is silly. Why not just configure oapache to use
>>> > ordinary http instead?
>>> >
>>> > Joshua.
>>>
>>> I agree it's silly that SSL is required. But it truly is for this
>>> application (https is hard-coded as the beginning of all URLs), and
>>> it's a COTS application, so we can't change that bit.
>>>
>>> Now, I absolutely DO have control over oapache's configuration. And
>>> as I stated in my initial post, I already tried specifying NULL
>>> ciphers with. Quoting my initial post:
>>>
>>> 'SSLProxyCipherSuite NULL' on proxyapache, and 'SSLCipherSuite NULL'
>>> on oapache. In oapache's logfiles I get:
>>>
>>> [Fri Sep 15 22:00:51 2006] [error] mod_ssl: SSL handshake failed
>>> (server oapache:8888, client proxyapache) (OpenSSL library error
>>> follows)
>>> [Fri Sep 15 22:00:51 2006] [error] OpenSSL: error:1408A0C1:SSL
>>> routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too
>>> restrictive SSLCipherSuite or using DSA server certificate?]
>>>
>>> Any help you can provide would be greatly appreciated.
>>>
>>> Thanks,
>>> Josh
>>>
>>> ---------------------------------------------------------------------
>>> The official User-To-User support forum of the Apache HTTP Server
>>> Project.
>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>> To unsubscribe, e-mail: users-unsubscribe [at] httpd
>>>    "   from the digest: users-digest-unsubscribe [at] httpd
>>> For additional commands, e-mail: users-help [at] httpd
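The confusion in this thread comes from what the OpenSSL cipher-string keyword `NULL` actually selects. In OpenSSL's syntax `NULL` is an alias for `eNULL`, the suites with no bulk encryption; it is not `aNULL`, the suites with no peer authentication. The `NULL-SHA` and `NULL-MD5` suites that `NULL:eNULL` expands to still use RSA key exchange and authenticate the server with its RSA certificate, so mod_ssl has a real certificate to demand and there is no "NULL certificate" format to generate. The following is an added example, not code from the thread or from the Apache project: a small parser for the `openssl ciphers -v` listing that flags, per suite, whether it encrypts at all and whether it needs a server certificate. The listing embedded below is constructed in that layout for an offline run; on a real system the input would come from `openssl ciphers -v 'NULL:eNULL'`.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout of `openssl ciphers -v`; it is not output
# captured from the poster's servers. Columns: name, protocol, Kx (key
# exchange), Au (peer authentication), Enc (bulk cipher), Mac.
SAMPLE_CIPHERS_V = """\
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
AECDH-NULL-SHA          TLSv1 Kx=ECDH     Au=None Enc=None      Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


@dataclass(frozen=True)
class CipherSuite:
    name: str
    protocol: str
    kx: str   # key exchange method
    au: str   # peer authentication; "None" is the aNULL (anonymous) class
    enc: str  # bulk encryption; "None" is the eNULL (cleartext) class
    mac: str

    @property
    def encrypts(self) -> bool:
        """False for eNULL suites: records go over the wire in cleartext."""
        return self.enc != "None"

    @property
    def authenticates_server(self) -> bool:
        """True when the suite signs or encrypts to the server's key, which
        is exactly the case in which the listener must have a certificate."""
        return self.au != "None"


def parse_ciphers_v(text: str) -> List[CipherSuite]:
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or text in a layout we do not recognise
        suites.append(CipherSuite(m["name"], m["proto"], m["kx"],
                                  m["au"], m["enc"], m["mac"]))
    return suites


def audit(text: str) -> Dict[str, Dict[str, bool]]:
    """Map each suite name to the two properties a reviewer of a
    proxy-to-backend cipher string cares about."""
    return {
        s.name: {
            "confidentiality": s.encrypts,
            "server_cert_required": s.authenticates_server,
        }
        for s in parse_ciphers_v(text)
    }


def needs_certificate(text: str) -> bool:
    """True if any listed suite authenticates the server, i.e. the cipher
    string cannot be served without a certificate and key pair."""
    return any(s.authenticates_server for s in parse_ciphers_v(text))


if __name__ == "__main__":
    for name, props in audit(SAMPLE_CIPHERS_V).items():
        print(f"{name:30} encrypts={str(props['confidentiality']):5} "
              f"cert_required={props['server_cert_required']}")
```

Read against the thread: every suite that `NULL:eNULL` selects has `Au=RSA`, so `needs_certificate` is true and mod_ssl's demand for a certificate and key is expected; the only suites with `Au=None` are the anonymous (`aNULL`) ones, which remove server authentication along with the certificate and leave the proxy-to-backend hop open to an active party on the path. Either way, `Enc=None` means the hop carries the report traffic in cleartext, which is the property a defender should be flagging when such a string turns up in a config review.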