Chicken and Egg

am 24.10.2002 15:06:04 von Roman Ivanov

Hello All!

I've just installed modssl. I want to clarify the chicken and egg problem
for me.
I use modssl only for internal purposes, so I use one self-made
certificate on two sites.
It is not a problem that the certificate does not match the site name.
I have in httpd.conf:


ServerName A
....other directives...



ServerName B
....other directives...


In logs:
[...] [warn] Init: SSL server IP/port conflict: A:443 (httpd.conf:...)
vs. B:443 (httpd.conf:...)
[...] [warn] Init: You should not use name-based virtual hosts in
conjunction with SSL!!


But https://B works and https://A works too.

Q
My question is: I didn't meet the chicken and egg problem here because I
share one certificate between two servers?
Am I right?


Regards.
Roman Ivanov
CIS HQ SAMSUNG ELECTRONICS CO., LTD
web-master
TEL: +7-(095)-7972309
ICQ UIN #8160057

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Chicken and Egg

am 24.10.2002 15:21:49 von Barry Smoke

I have been wondering the same thing...
I have thought about self signing a couple and trying it out.


On Thu, 2002-10-24 at 08:06, Roman Ivanov wrote:

RE: Chicken and Egg

am 24.10.2002 16:18:16 von Boyle Owen

What you see is predictable - your setup appears to work because apache
fetches the certificate from the first VH (since it can't tell which VH
to use). Once it gets a cert, it can then establish an SSL session and so
can then see inside the HTTP request. It can then see the Host header
and serve up the correct VH.

However, this is not a solution for the real world because, as you
observe, whenever you request the second VH, apache will use the cert
from the first VH and so the browser will report a conflict.

The way you have it set up leaves you vulnerable to man-in-the-middle
exploits since you have lost the *authentication* aspect of SSL. This is
equally as important as encryption. For example, imagine you sent your
money to the bank in an armoured car, but the bank turned out just to be a
front door...

I guess you will say, "but it's just a lab setup, I don't care about
authentication" - well that's fine, but why then do you need encryption?


-----Original Message-----
From: Roman Ivanov [mailto:ivanov_r@samsung.ru]
Sent: Donnerstag, 24. Oktober 2002 15:06
To: modssl-users@modssl.org
Subject: Chicken and Egg
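Owen's point above is that the shared certificate still encrypts but no longer authenticates: the name in the certificate does not match the second host, which is exactly the check a browser performs before trusting the server. The block below is an added example, not code from this thread or from mod_ssl. It re-implements that host-name check (in the style of the Python standard library's former ssl.match_hostname) and runs it against constructed certificate dictionaries in the shape ssl.SSLSocket.getpeercert() returns, so it works offline; the host names a.internal.example and b.internal.example are assumed placeholders for the A and B of the original post.

```python
"""Host-name check a TLS client performs on a server certificate.

Added example, not code from the thread or from mod_ssl. It re-implements
the RFC 6125-style matching that ssl.match_hostname() used to do, against
certificate dictionaries in the shape ssl.SSLSocket.getpeercert() returns,
so it runs offline. Host names below are constructed placeholders for the
vhosts A and B of the original post.
"""


def _dns_name_matches(pattern, hostname):
    """Match one certificate DNS name (possibly a wildcard) against a host name.

    Rules: case-insensitive; a wildcard is allowed only as the entire leftmost
    label, matches exactly one label, and must leave at least two literal
    labels (so '*.example' is refused).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in lab for lab in plabels[1:]):
        return False
    if len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def cert_dns_names(cert):
    """Names the certificate claims: SAN dNSName entries, falling back to the
    subject CN only when there is no SAN at all (legacy behaviour)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for kind, v in rdn
            if kind == "commonName"]


def cert_matches_host(cert, hostname):
    """True if the certificate authenticates `hostname`."""
    return any(_dns_name_matches(n, hostname) for n in cert_dns_names(cert))


def check_shared_cert(cert, hostnames):
    """Which of the vhosts sharing one certificate would a browser accept?"""
    return {h: cert_matches_host(cert, h) for h in hostnames}


# Constructed sample: one self-signed certificate issued for the first vhost
# and served for both, as in the original post.
SHARED_CERT = {
    "subject": ((("commonName", "a.internal.example"),),),
    "subjectAltName": (("DNS", "a.internal.example"),),
}

# Constructed sample: a certificate correctly issued for both names.
MULTI_NAME_CERT = {
    "subject": ((("commonName", "a.internal.example"),),),
    "subjectAltName": (("DNS", "a.internal.example"),
                       ("DNS", "b.internal.example")),
}

VHOSTS = ["a.internal.example", "b.internal.example"]

if __name__ == "__main__":
    for label, cert in (("shared", SHARED_CERT), ("multi-name", MULTI_NAME_CERT)):
        for host, ok in check_shared_cert(cert, VHOSTS).items():
            status = "name matches" if ok else "NAME MISMATCH"
            print(f"{label:10s} https://{host}: {status}")
```

With the shared certificate the check passes for a.internal.example and fails for b.internal.example, which is the "conflict" the browser reports; a certificate carrying both names in its subjectAltName passes for both. Note that getpeercert() only returns this populated dictionary for a certificate the client has validated; for a self-signed certificate accepted without validation it returns an empty dict, and you would have to fetch the DER form with getpeercert(binary_form=True) and parse it yourself before feeding it to this check.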

RE: Chicken and Egg

am 24.10.2002 16:45:24 von Cabuzel Thierry


> -----Original Message-----
> From: Boyle Owen [mailto:Owen.Boyle@swx.com]
> Sent: jeudi 24 octobre 2002 16:18
> To: modssl-users@modssl.org
> Subject: RE: Chicken and Egg
>
> I guess you will say, "but it's just a lab setup, I don't care about
> authentication" - well that's fine, but why then do you need
> encryption?

Perhaps he doesn't need encryption either :) I am setting up a web folder on my
web server with mod_dav. But the firewall of my company is so old (well, no
comment :)) that it doesn't recognize some of the extensions of the HTTP 1.1
protocol needed by mod_dav. It reacts to this by blocking these requests,
rendering my web folder unusable. My only workaround is to put my folder
in an SSL channel to go through the firewall, which lets it pass because it
can't control what's going on :) I just need the SSL channel. I don't bother
about the encryption (nothing would be enough as long as the firewall doesn't
try to block me) and even less about the authentication :)


RE: Chicken and Egg

am 24.10.2002 17:27:40 von dufresne

On Thu, 24 Oct 2002, Cabuzel Thierry wrote:
If you are gaining ssl/https, you have encryption, you just do not have
authentication. Thus you are tunneling the required needs of the mod_dav
traffic within the encrypted ssl space to achieve your means of
circumventing the firewall/proxy wishes. You might well be better off
here working with the firewall/proxy admin to define the needs and open
the proxy to serve them properly. Otherwise, if you are circumventing
policy, you might find your access in deeper trouble once the
circumvention is discovered.

Owen's advice to the previous, primary requestor in this thread is good:
he suggests that that person actually do things right and correctly, to get
full use of what he has compiled and is trying to design, rather than
working with a semi-broken implementation that does not fully grant the
authentication the clients of the website are going to trust and want.

Thanks,


Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!
