
I have run into an issue where I need to disable DH cipher suites or change the cipher suite priority only to certain IP addresses in Apache 2.4.7.

The reason is that a system running on JDK7 needs to connect to my web service, which requires DH keys to be 1024-bit. Lowering the DH key size is not an option, as I don't want to open us up to the Logjam vulnerability.

Ideally I would like to prioritize AES256-SHA or disable EC cipher suites only in Apache 2.4.7 when serving requests to certain IP addresses.

Thank you.

jscho

1 Answer


The SSLCipherSuite directive can be used in the Server, VirtualHost, Directory, and even .htaccess contexts. This means that you can set up a separate virtualhost listening on another port, a separate directory ("example.com/JDK7Access"), or even an .htaccess file to allow a different cipher suite at your desired level.

Source: Apache 2.4 module mod_ssl documentation

If you would like to simply prioritize the use of cipher suites, you can issue the SSLHonorCipherOrder directive at either the Server or VirtualHost contexts. This makes Apache prefer the leftmost cipher it can negotiate from your SSLCipherSuite list.

Hyppy
  • It is not possible to have a different cipher depending on the path. The path is not contained in the SSL handshake but only in the HTTP request which follows the handshake. So the handshake must first succeed (with a proper cipher) before the path will be known. And I even doubt that you can have a different cipher per VirtualHost, at least not if this host is on the same IP and port (i.e. the same TCP socket). – Steffen Ullrich Jun 04 '15 at 14:03
  • @SteffenUllrich It should re-negotiate based on the path if the current cipher suite is no longer allowed. You would allow the poor cipher globally, then disallow it on other directories. Also, you should look up SNI. It's pretty cool, and the reason why we don't need dedicated IPs for SSL/TLS servers anymore. – Hyppy Jun 04 '15 at 14:05
  • If the initial handshake fails because the cipher is bad then there is no renegotiation. – Steffen Ullrich Jun 04 '15 at 14:06
  • @SteffenUllrich "You would allow the poor cipher globally". Read. It's certainly not perfect, and I would prefer to just have a separate VirtualHost altogether, but it's an option. – Hyppy Jun 04 '15 at 14:07
  • Sorry, did not read carefully enough. But I'm not sure if this renegotiation will actually work, since it is sometimes disabled in clients. But the main idea to have a different port is a good one, and one might combine it with an iptables/other_pfl rule which redirects traffic from just this single IP to the different port. – Steffen Ullrich Jun 04 '15 at 14:22
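The separate-port VirtualHost from the answer, combined with the per-source-IP redirect suggested in the last comment, as an added configuration example that is not part of the original question or answer. The hostname, certificate paths, port 8443 and the client address 203.0.113.10 are placeholders; the legacy host avoids DH entirely (RSA key exchange) instead of shrinking the DH parameters, and `Require ip` keeps everyone else on the strong host.

```apache
# Main HTTPS host: strong, unchanged for the rest of the world.
Listen 443
<VirtualHost *:443>
    ServerName example.com                      # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt      # placeholder
    SSLCertificateKeyFile /etc/ssl/private/example.com.key    # placeholder
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    # Forward-secret suites first; Apache 2.4.7 keeps its 2048-bit DH params here.
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!MD5:!RC4
    DocumentRoot /var/www/service                             # placeholder
</VirtualHost>

# Legacy host for the single JDK7 client only.
Listen 8443
<VirtualHost *:8443>
    ServerName example.com                      # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt      # placeholder
    SSLCertificateKeyFile /etc/ssl/private/example.com.key    # placeholder
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    # AES256-SHA first as the asker wants; AES128-SHA as fallback because a
    # JDK7 without the unlimited JCE policy files caps AES at 128 bits.
    # !DH and !ECDH exclude every DH/ECDH key-exchange suite, so no DH
    # parameters are ever sent to this client (cost: no forward secrecy).
    SSLCipherSuite AES256-SHA:AES128-SHA:!DH:!ECDH:!aNULL:!eNULL:!MD5:!RC4
    DocumentRoot /var/www/service                             # placeholder
    <Location />
        # Only the legacy client may use the weaker host.
        Require ip 203.0.113.10                 # placeholder client address
    </Location>
</VirtualHost>

# Transparent redirect for that one client so its URL stays :443
# (run once as root; not Apache configuration, shown here for reference):
#   iptables -t nat -A PREROUTING -s 203.0.113.10 -p tcp --dport 443 \
#            -j REDIRECT --to-ports 8443
```

Verify from the client side with `openssl s_client -connect example.com:8443 -cipher AES256-SHA`; the strong host on 443 should refuse the same cipher while the legacy host accepts it.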