0

I have the following dockerfile:

FROM alpine:3.8
RUN apk add --no-cache apache2 apache2-ssl php7-cli php7-apache2 php7-openssl
RUN mkdir /run/apache2/ && \
  echo '<?php \
var_dump(openssl_get_cipher_methods());' > /var/www/localhost/htdocs/index.php
CMD ["httpd", "-DFOREGROUND"]

Now, when I access index.php via Apache, I see 40 ciphers. When I run the container with

docker run --rm sample php /var/www/localhost/htdocs/index.php

I see 180 ciphers. If I remove the apache2-ssl package and retry, via Apache I now see all 180 ciphers. I've tried to enable all ciphers in the mod_ssl directives, but nothing helps. I'm specifically interested in stream ciphers of AES (CTR, OFB, CFB).

Thanks

1 Answer

1

You see fewer ciphers because apache2-ssl has a default configuration with an SSLCipherSuite filter:

/etc/apache2/conf.d/ssl.conf

SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES:!ADH

The package apache2-ssl depends on libressl and not openssl. libressl is a fork of openssl and is mostly compatible. Cipher suites are displayed for both openssl and libressl with the command openssl ciphers.

php7-openssl is a PHP module originally written against openssl. In Alpine 3.8, php7 is compiled with the option --with-system-ciphers: https://git.alpinelinux.org/cgit/aports/tree/community/php7/APKBUILD?h=3.8-stable#n290

Unless an explicit cipher list is configured, the default cipher list of php7-openssl is used, without verifying that the ciphers are really supported by /lib/libssl.so: https://github.com/php/php-src/blob/PHP-7.2.8/ext/openssl/xp_ssl.c#L1608

The default cipher list in php7-openssl is defined here: https://github.com/php/php-src/blob/PHP-7.2.8/ext/openssl/php_openssl.h#L61

I would assume that you can specify the cipher list in /etc/php7/conf.d/00_openssl.ini in accordance with the configuration file: http://php.net/manual/en/context.ssl.php#context.ssl.ciphers

To support the AES block cipher modes CTR, OFB, CFB, the /lib/ssl.so library has to support them, so you probably have to rebuild libressl2.7-libssl.

sleepyhead
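A diagnostic for the CLI-versus-Apache comparison discussed above, as an added example that is not part of the original question or answer: it reports which of the AES CTR/OFB/CFB methods the current PHP process lists and whether each one completes an encrypt/decrypt round trip, so the two environments can be diffed. The 256-bit key size, the function names and the JSON layout are assumptions.

```php
<?php
// Added diagnostic, not code from the original posts. Serve it through
// Apache and run it with the php CLI, then diff the two JSON outputs.

// Modes named in the question; the 256-bit key size is an assumption.
const WANTED = ['aes-256-ctr', 'aes-256-ofb', 'aes-256-cfb'];

/** True if $method encrypts and decrypts a sample in this process. */
function round_trip(string $method): bool
{
    $ivLen = @openssl_cipher_iv_length($method);
    if ($ivLen === false) {
        return false; // method unknown to the library this process loaded
    }
    $key   = random_bytes(32);
    $iv    = $ivLen > 0 ? random_bytes($ivLen) : '';
    $plain = 'constructed sample plaintext';
    $ct = @openssl_encrypt($plain, $method, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        return false; // listed, but the cipher could not be initialised
    }
    return @openssl_decrypt($ct, $method, $key, OPENSSL_RAW_DATA, $iv) === $plain;
}

/** Summary of the cipher methods visible to the current SAPI. */
function cipher_report(): array
{
    $raw = openssl_get_cipher_methods();
    // Older builds list each name in upper and lower case; normalise first.
    $methods = array_values(array_unique(array_map('strtolower', $raw)));
    sort($methods);
    $report = [
        'sapi'           => PHP_SAPI,             // "cli", "apache2handler", ...
        'built_against'  => OPENSSL_VERSION_TEXT, // compile-time version string
        'raw_count'      => count($raw),          // the number var_dump() shows
        'unique_count'   => count($methods),
        'methods_sha256' => hash('sha256', implode("\n", $methods)),
        'wanted'         => [],
    ];
    foreach (WANTED as $m) {
        $report['wanted'][$m] = [
            'listed'     => in_array($m, $methods, true),
            'round_trip' => round_trip($m),
        ];
    }
    return $report;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json');
}
echo json_encode(cipher_report(), JSON_PRETTY_PRINT), PHP_EOL;
```

A differing methods_sha256 between the two runs confirms that the Apache process and the CLI do not expose the same method list, and the wanted entries show whether the AES modes in question are affected.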