[BlueOnyx:21810] Re: Strange SSL Error

Michael Stauber mstauber at blueonyx.it
Sun Mar 4 13:23:59 -05 2018


Hi Michael,

> After Yum Update the problem is fixed!

Very well. I do have yet another base-apache update in the pipe, but I
held off publishing that as I don't want to release it over a weekend.

I admit that I'm fishing in the dark here as to the real root of the
problem. Even when I have a server that in fact exhibits the problem, all
diagnostics that I can perform seem to confirm that the configuration is
correct and that Apache has no logical reason to misbehave, yet it does:

- VirtualHost has correct cert configuration in siteX file.
- /cert of Vsite has correct private, public and intermediates.
- "httpd -S" confirms the VirtualHost has SSL enabled:

5208R:
wildcard NameVirtualHosts and _default_ servers:
*:80                   5208r.smd.net (mod_perl:2)
*:443                  is a NameVirtualHost
    default server 5208r.smd.net (mod_perl:12)
    port 443 namevhost 5208r.smd.net (mod_perl:12)
    port 443 namevhost 5208r1.smd.net (/etc/httpd/conf/vhosts/site2:66)

5209R:
38.114.102.16:443      is a NameVirtualHost
    default server 5209r.smd.net (mod_perl:59)
    port 443 namevhost 5209r.smd.net (mod_perl:59)
    port 443 namevhost 5209r1.smd.net (/etc/httpd/conf/vhosts/site1:81)
    port 443 namevhost 5209r2.smd.net (/etc/httpd/conf/vhosts/site2:78)

- access_log confirms the GET request goes to the right Vsite.

Of course the cert problem happens in the TLS negotiating stage before
the GET request takes place.

I even went back and simulated the whole TLS negotiating stage and GET
request via OpenSSL and some Perl scripting to get as much insight into
what really goes on under the hood as possible and recorded the whole
TCP/IP session via NMAP. I can see that it goes off the rails, yet don't
understand why.

So I ditched everything I know or assumed about Apache's SSL
implementation and went with a fine toothed comb through the Apache
documentation to piece together a "best practices" approach.

This entails using again ...

    NameVirtualHost *:$httpPort
    NameVirtualHost *:$sslPort

... on 5207R/5208R (but not on 5209R where it's deprecated),
specifically declaring ...

    Listen 443 https
    ... instead of ...
    Listen 443

... throwing in sensible extra declared "SSLOptions" such as these ...

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

... and to make sure all SSL related config directives are loaded very
early before anything else, such as SSLStapling (which we can only use
on 5209R). That also means moving all non-standard SSL related stuff
from /etc/httpd/conf.d/ssl_bx.conf to the new
/etc/httpd/conf.perl/00-default-vsite.pl

The non-standard stuff being only the OCSP stapling, declaring
"SSLStrictSNIVHostCheck off" and turning SSLCompression off.

SSLStrictSNIVHostCheck: This directive sets whether a non-SNI client is
allowed to access a name-based virtual host. If set to on in the default
name-based virtual host, clients that are SNI unaware will not be
allowed to access any virtual host, belonging to this particular IP /
port combination. If set to on in any other virtual host, SNI unaware
clients are not allowed to access this particular virtual host.

If anyone has any further ideas or insights, I'd be happy to hear them.

-- 
With best regards

Michael Stauber
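As an added diagnostic script (not code from this post, from BlueOnyx or from Apache), the check below walks the port-443 namevhosts that "httpd -S" lists and records which certificate Apache actually serves to a client that sends SNI and to one that does not, which is the distinction SSLStrictSNIVHostCheck is about. It assumes openssl(1) on the PATH; SERVER_IP in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added diagnostic (not BlueOnyx/Apache code): for each port-443 namevhost
# that "httpd -S" lists, see which certificate Apache really serves with
# and without SNI, and whether it covers the vhost name. Needs openssl(1).

# Vhost names from "httpd -S" output ("port 443 namevhost NAME ...").
ssl_vhosts_from_httpd_s() {
    awk '$1=="port" && $2=="443" && $3=="namevhost" {print $4}' "$@" | sort -u
}

# 0 if $1 equals one of the remaining names; "*.x" matches one extra
# leftmost label only, so *.example.net covers www.example.net but
# neither example.net nor a.b.example.net.
name_covered() {
    host=$1; shift
    for n in "$@"; do
        [ "$n" = "$host" ] && return 0
        case $n in \*.*)
            [ "${host#*.}" != "$host" ] && [ "${host#*.}" = "${n#\*.}" ] && return 0 ;;
        esac
    done
    return 1
}

# DNS names (SAN, else CN) of the cert $1:443 serves for vhost $2.
# $3 = sni | nosni. Connecting by IP literal means s_client sends no
# SNI unless -servername is given, i.e. the "SNI unaware client" case
# that SSLStrictSNIVHostCheck governs.
served_names() {
    sni_opt=""; [ "$3" = sni ] && sni_opt="-servername $2"
    openssl s_client -connect "$1:443" $sni_opt </dev/null 2>/dev/null \
      | openssl x509 -noout -text 2>/dev/null \
      | awk '/Subject Alternative Name/ {getline; gsub(/DNS:|,/,""); print; f=1}
             /^ *Subject:/ {sub(/.*CN *= */,""); sub(/,.*/,""); cn=$0}
             END {if (!f) print cn}'
}

# Usage: httpd -S 2>&1 | check_vhosts SERVER_IP
# A MISMATCH with SNI is the real cert problem; a mismatch without SNI
# is expected for every vhost except the default one.
check_vhosts() {
    ssl_vhosts_from_httpd_s | while read -r vh; do
        for mode in sni nosni; do
            names=$(served_names "$1" "$vh" "$mode")
            if name_covered "$vh" $names; then r=ok; else r=MISMATCH; fi
            printf '%-28s %-5s %-8s served: %s\n' "$vh" "$mode" "$r" "$names"
        done
    done
}
```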


