0

I ran in some trouble today after spinning up a new server. I did the following:

  • Installed CentOS 7
  • Installed Apache + PHP
  • Securing my server with SSL (letsencrypt)

But when I checked my configuration with an SSL-Test (ssllabs.com) I got a grade C. It was because I still had SSLv3 enabled. Wired. I had disabled it in the letsencrypt configuration file.

But after some time I found out, that there is another ssl-config file. SSLv3 was not disabled there by default and Apache loaded this value.

My problem is I got 2 files:

  • /etc/letsencrypt/options-ssl-apache.conf: Let's Encrypt configuration file, which is included in every virtual host definition.
  • /etc/httpd/conf.d/ssl.conf: The "standard" SSL configuration file.

After disabling SSLv3 in the "standard" config I got an A+ rating. It seems that Apache grabbed the "SSLProtocol" definition from the second file, but all other options from the first file.

How can I determine, which values Apache is loading and from which file?

techraf
  • 4,163
  • 8
  • 27
  • 44
LuMa
  • 247
  • 4
  • 13

2 Answers2

1

Unless you took specific actions to include the /etc/letsencrypt/options-ssl-apache.conf file then the standard CentOS configuration will not read it.

The default for CentOS is to read /etc/https/conf/httpd.conf which in turn includes files from /etc/httpd/conf.d.

I suspect you have taken no specific actions and are using the default files. You can confirm what's actually happening by looking for include statements in your config files and the files they include.

Apache httpd directives are processed in the order they are declared. Include files are processed at the point they are declared. Duplicate directives declared later override earlier directives.

user9517
  • 114,104
  • 20
  • 206
  • 289
  • As I said priviously, I included `etc/letsencrypt/options-ssl-apache.conf` in every VHost configuration. So why does the `/etc/httpd/conf.d/ssl.conf` affect my domain.com vhost with included letsencrypt ssl config? – LuMa Mar 06 '16 at 14:49
  • Actually you don't say that. You just say you have 2. Later duplicate directives over rule earlier ones I guess but haven't had an opportunity to test. Quicj google - http://lifeonubuntu.com/what-is-the-apache-directive-order-of-precedence/ point 3 – user9517 Mar 06 '16 at 15:03
  • Another interesting thing: I have applied a subdomain wildcard in my dns settings and I have a default vhost configuration.When I access for example 123.domain.tld (note: no vhost configured for that!) I get served by the default host. But I get also redirected to https and I can't tell why. – LuMa Mar 06 '16 at 16:11
  • That's not interesting, it's entirely dull and gets asked here weekly. Go do some research on apache vhosts, what the order of precedence is and what happens when there is no match with the host header. – user9517 Mar 06 '16 at 16:14
  • Thanks for the hint. I think that helped me solve my problem. The letsencrypt config is included in every vhost, expect the default ("catch-all") one. But there is a default https vhost defined in `/etc/httpd/conf.d/ssl.conf`. What happens is, that the SSL-Test resolves my hostname (domain.tld) and tests the server behind the ipv4 and ipv6 addresses. And those ip's are served by the default vhost. And this vhost is defined in `/etc/httpd/conf.d/ssl.conf` where SSLv3 was still enabled :) At least that's the theory. Sounds valid to me. – LuMa Mar 06 '16 at 16:41
0

Yes, Apache will use the SSLProtocol configuration defined in ssl.conf only, due to a bug in OpenSSL, as explained here:

Is it possible to set an SSLProtocol in Apache for a single VirtualHost (poodle)?

In my experience with Apache 2.2.15, it seems to be the only SSL configuration which will not load from the vhost.conf file, although I have not tested all possible configurations. However, if you want to check by yourself what is configured in your server, without using SSL Server Test, some browser tools like CipherFox will be useful for you.

aldemarcalazans
  • 111
  • 4