[users@httpd] SSL checker reports server vulnerable to BEAST attack

2018-01-16 Thread Robert S
Hi.

I have run a server test on
https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp.  It
reports that my certificate is installed correctly but the server is
vulnerable to a BEAST attack.  It says "Make sure you have the TLSv1.2
protocol enabled on your server. Disable the RC4, MD5, and DES
algorithms. Contact your web server vendor for assistance."

I believe that I have disabled these protocols - here are the relevant
lines in my config:

SSLEngine on
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!EDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
SSLHonorCipherOrder On

Can anyone help here?

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] dumb apr_pool question

2018-01-16 Thread Simon Walter
Thanks guys. Interesting info. It really helped.

On 01/12/2018 12:12 AM, Yann Ylavic wrote:
> On Thu, Jan 11, 2018 at 3:05 PM, Eric Covener  wrote:
>> On Thu, Jan 11, 2018 at 3:55 AM, Simon Walter  wrote:
>>>
>>> I suppose that the pool is keeping track of all its allocations and if
>>> something is still referenced, it will not free it.
>>
>> No the only tracking is done by whoever manages the lifecycle of the
>> pool itself -- no magic.
>>
>> apr_pool_destroy will call free() or munmap or any underlying
>> allocation on the way out, returning it to the OS.
> 
> Actually the memory is returned to the (apr_)allocator, which itself
> may cache for further reuse.
> One can use apr_allocator_max_free_set() to limit the number of pages
> cached (no limit by default), e.g. something like the following code
> based on Simon's (not even compile tested...):
> 
> #include <stdio.h>
> #include "apr_general.h"   /* apr_initialize(), apr_terminate() */
> #include "apr_pools.h"     /* apr_pool_*(), apr_allocator_*() */
> #include "apr_strings.h"   /* apr_pstrdup() */
> 
> int main(int ArgCount, char * Arg[])
> {
>     char * String;
>     apr_pool_t * Pool = NULL;
>     apr_allocator_t * Alloc = NULL;
>     (void)ArgCount;
>     (void)Arg;
>     apr_initialize();
> 
>     /* New allocator (not the default/unlimited one) */
>     apr_allocator_create(&Alloc);
>     /* Cache one page only (may be 4K pages, not system's),
>      * zero is unlimited, so the cache is always 1 page min... */
>     apr_allocator_max_free_set(Alloc, 1/*page*/);
>     /* Use this allocator for the pool */
>     apr_pool_create_ex(&Pool, NULL, NULL, Alloc);
>     /* Destroy Alloc when destroying Pool */
>     apr_allocator_owner_set(Alloc, Pool);
> 
>     /* Won't crash (possibly): the cleared page is still cached by the
>      * allocator, so the stale pointer happens to point at readable
>      * memory. Use-after-clear all the same, don't do that for real... */
>     String = apr_pstrdup(Pool, "small alloc");
>     apr_pool_clear(Pool);
>     printf("String: %s\n", String);
> 
>     /* Should crash: more than one page in use, so clear() pushes the
>      * excess back to the OS (free/munmap) instead of caching it */
>     (void)apr_palloc(Pool, 4100);
>     (void)apr_palloc(Pool, 4100);
>     (void)apr_palloc(Pool, 4100);
>     String = apr_pstrdup(Pool, "small alloc");
>     apr_pool_clear(Pool);
>     printf("String: %s\n", String);
> 
>     /* Should also crash: destroying the pool also destroys Alloc and
>      * its page cache, so nothing keeps the memory around */
>     String = apr_pstrdup(Pool, "small alloc");
>     apr_pool_destroy(Pool); /* + Alloc */
>     printf("String: %s\n", String);
> 
>     apr_terminate();
>     return 0;
> }
> 



[users@httpd] Re: mod_lua and subprocess_env

2018-01-16 Thread sebb
Anyone?

On 7 January 2018 at 14:25, sebb  wrote:
> The mod_lua docs state that subprocess_env can be used to access
> process environment variables [1]. It appears to imply that the script
> can access standard CGI variables.
>
> However, the only variables that seem to be defined are:
>
> SCRIPT_URI
> SCRIPT_URL
>
> There also does not seem to be a way to enumerate the list of variables.
> (I found the above by trying the names that are visible to Perl and Python)
>
> How does one get at the other variables?
>
> If there is a restriction on what subprocess_env provides, it would be
> helpful if it were documented.
>
> [1] https://httpd.apache.org/docs/trunk/mod/mod_lua.html




Re: [users@httpd] mod_lua and subprocess_env

2018-01-16 Thread Eric Covener
On Sun, Jan 7, 2018 at 9:25 AM, sebb  wrote:
> The mod_lua docs state that subprocess_env can be used to access
> process environment variables [1]. It appears to imply that the script
> can access standard CGI variables.
>
> However, the only variables that seem to be defined are:
>
> SCRIPT_URI
> SCRIPT_URL
>
> There also does not seem to be a way to enumerate the list of variables.
> (I found the above by trying the names that are visible to Perl and Python)
>
> How does one get at the other variables?
>
> If there is a restriction on what subprocess_env provides, it would be
> helpful if it were documented.
>
> [1] https://httpd.apache.org/docs/trunk/mod/mod_lua.html

The CGI variables are lazily added by the CGI-like handler modules
right before they kick off their scripts.

mod_lua doesn't add them in at any stage (ap_add_cgi_vars()), so there
is very little floating around in subprocess_env.




Re: [users@httpd] SSL checker reports server vulnerable to BEAST attack

2018-01-16 Thread Luca Toscano
Hi Robert,

2018-01-16 10:21 GMT+01:00 Robert S :

> Hi.
>
> I have run a server test on
> https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp.  It
> reports that my certificate is installed correctly but the server is
> vulnerable to a BEAST attack.  It says "Make sure you have the TLSv1.2
> protocol enabled on your server. Disable the RC4, MD5, and DES
> algorithms. Contact your web server vendor for assistance."
>
> I believe that I have disabled these protocols - here are the relevant
> lines in my config:
>
> SSLEngine on
> SSLProtocol ALL -SSLv2 -SSLv3
> SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!EDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
> SSLHonorCipherOrder On
>
> Can anyone help here?
>

IIRC a permanent solution for BEAST was to disable TLS 1.0, but I'd check
https://mozilla.github.io/server-side-tls/ssl-config-generator/ and see how
the above SSLCipherSuite setting can be changed to be up to date.

Hope that helps,

Luca
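Putting Luca's advice into a concrete mod_ssl configuration, as an added example that is not part of the thread and not taken from the httpd documentation: it shows why Robert's settings still trip the BEAST check and what a TLS 1.2-only, AEAD-only replacement looks like. It assumes httpd 2.4 with mod_ssl built against OpenSSL 1.0.2 or newer; the CHACHA20 suites need OpenSSL 1.1.0 and are ignored by older builds, which silently drop cipher names they do not know.

```apache
# Added example, not Robert's or Luca's config.
# Assumes httpd 2.4 + mod_ssl on OpenSSL >= 1.0.2.

# --- Before: what the checker is flagging ---
# "ALL -SSLv2 -SSLv3" only removes SSLv2/v3; TLSv1 and TLSv1.1 stay
# enabled. The cipher list still offers CBC suites (AES256-SHA,
# AES128-SHA, the AES*-SHA256/SHA384 entries, the CAMELLIA and AES
# aliases, DES-CBC3-SHA). A TLS 1.0 handshake that lands on a CBC
# suite is exactly the combination BEAST needs, so "!RC4:!MD5:!DES"
# alone does not clear the finding.
#SSLProtocol        ALL -SSLv2 -SSLv3
#SSLCipherSuite     "...:AES256-SHA:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!DES:!RC4:!MD5:..."

# --- After: TLS 1.2 only, forward-secret AEAD suites only ---
SSLEngine           on
# "-all" first, then opt in explicitly; nothing older than TLS 1.2 is offered.
SSLProtocol         -all +TLSv1.2
# GCM and CHACHA20-POLY1305 are not CBC, so no BEAST/Lucky13-style CBC issues.
SSLCipherSuite      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
# Server picks from its own order, not the client's.
SSLHonorCipherOrder on
# TLS-level compression is the CRIME vector; keep it off while you are here.
SSLCompression      off
```

Put the directives at server level or in every SSL virtual host rather than in just one of them. Check the result from a client with `openssl s_client -connect www.example.org:443 -tls1` (hostname is a placeholder), which should now fail to handshake, while the same command with `-tls1_2` succeeds. The trade-off is that clients unable to speak TLS 1.2 can no longer connect, which is the point, but worth knowing before it goes live.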


[users@httpd] SFTP JAIL

2018-01-16 Thread Rodrigo Cunha
Hi everyone,
I have a problem with setting up SFTP access. My SFTP user can't be jailed.
I configured the setup with these procedures:
https://wiki.archlinux.org/index.php/SFTP_chroot
But when I set up my user webmaster in group sftponly my client does not work.

Any feedback would be greatly appreciated. Tks

-- 
Atenciosamente,
Rodrigo da Silva Cunha
São Gonçalo, RJ - Brasil





Re: [users@httpd] SFTP JAIL

2018-01-16 Thread Yehuda Katz
You should try asking in an OpenSSH forum, a forum for your operating
system, or ServerFault. This list is for Apache HTTPD support.

- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.

On Jan 16, 2018 8:51 AM, "Rodrigo Cunha"  wrote:

> Hi everyone,
> I have a problem with setting up SFTP access. My SFTP user can't be jailed.
> I configured the setup with these procedures:
> https://wiki.archlinux.org/index.php/SFTP_chroot
> But when I set up my user webmaster in group sftponly my client does not work.
>
> Any feedback would be greatly appreciated. Tks
>
> --
> Atenciosamente,
> Rodrigo da Silva Cunha
> São Gonçalo, RJ - Brasil
>
>
>
>


Re: [users@httpd] SFTP JAIL

2018-01-16 Thread Luca Toscano
Hi Rodrigo,

2018-01-16 14:51 GMT+01:00 Rodrigo Cunha :

> Hi everyone,
> I have a problem with setting up SFTP access. My SFTP user can't be jailed.
> I configured the setup with these procedures:
> https://wiki.archlinux.org/index.php/SFTP_chroot
> But when I set up my user webmaster in group sftponly my client does not work.
>
> Any feedback would be greatly appreciated. Tks
>

You have probably got the wrong list, this is for the Apache httpd
webserver :)

Luca


Re: [users@httpd] SFTP JAIL

2018-01-16 Thread Rodrigo Cunha
Tks,
but a jail is important for many Apache users, as a layer of security, when a
user sends files to a remote server.



2018-01-16 12:00 GMT-02:00 Luca Toscano :

> Hi Rodrigo,
>
> 2018-01-16 14:51 GMT+01:00 Rodrigo Cunha :
>
>> Hi everyone,
>> I have a problem with setting up SFTP access. My SFTP user can't be jailed.
>> I configured the setup with these procedures:
>> https://wiki.archlinux.org/index.php/SFTP_chroot
>> But when I set up my user webmaster in group sftponly my client does not
>> work.
>>
>> Any feedback would be greatly appreciated. Tks
>>
>
> You have probably got the wrong list, this is for the Apache httpd
> webserver :)
>
> Luca
>
>


-- 
Atenciosamente,
Rodrigo da Silva Cunha
São Gonçalo, RJ - Brasil


Re: [users@httpd] SFTP JAIL

2018-01-16 Thread Eric Covener
On Tue, Jan 16, 2018 at 9:37 AM, Rodrigo Cunha 
wrote:

> Tks,
> but a jail is important for many Apache users, as a layer of security, when a
> user sends files to a remote server.
>

So is a CPU, and oxygen. That doesn't really make them topical.

>
>
>
> 2018-01-16 12:00 GMT-02:00 Luca Toscano :
>
>> Hi Rodrigo,
>>
>> 2018-01-16 14:51 GMT+01:00 Rodrigo Cunha :
>>
>>> Hi everyone,
>>> I have a problem with setting up SFTP access. My SFTP user can't be jailed.
>>> I configured the setup with these procedures:
>>> https://wiki.archlinux.org/index.php/SFTP_chroot
>>> But when I set up my user webmaster in group sftponly my client does not
>>> work.
>>>
>>> Any feedback would be greatly appreciated. Tks
>>>
>>
>> You have probably got the wrong list, this is for the Apache httpd
>> webserver :)
>>
>> Luca
>>
>>
>
>
> --
> Atenciosamente,
> Rodrigo da Silva Cunha
> São Gonçalo, RJ - Brasil
>
>


-- 
Eric Covener
cove...@gmail.com


Re: [users@httpd] SFTP JAIL

2018-01-16 Thread Darryl Philip Baker
Yes that may be true but that is an issue for the OpenSSH list since it is the 
SSH/SFTP client not for the Apache list.

Darryl Baker
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
1800 Sherman Ave.
Suite 6-600 – Box #39
Evanston, IL  60201-3715
darryl.ba...@northwestern.edu
(847) 467-6674

From: Rodrigo Cunha 
Reply-To: "users@httpd.apache.org" 
Date: Tuesday, January 16, 2018 at 8:37 AM
To: "users@httpd.apache.org" 
Subject: Re: [users@httpd] SFTP JAIL

Tks,
but a jail is important for many Apache users, as a layer of security, when a user 
sends files to a remote server.

2018-01-16 12:00 GMT-02:00 Luca Toscano :
Hi Rodrigo,

2018-01-16 14:51 GMT+01:00 Rodrigo Cunha :
Hi everyone,
I have a problem with setting up SFTP access. My SFTP user can't be jailed.
I configured the setup with these procedures:
https://wiki.archlinux.org/index.php/SFTP_chroot
But when I set up my user webmaster in group sftponly my client does not work.

Any feedback would be greatly appreciated. Tks

You have probably got the wrong list, this is for the Apache httpd webserver :)

Luca




--
Atenciosamente,
Rodrigo da Silva Cunha
São Gonçalo, RJ - Brasil



Re: [users@httpd] SFTP JAIL

2018-01-16 Thread Rodrigo Cunha
Tks, please, how do I close or delete this topic?!



2018-01-16 12:41 GMT-02:00 Darryl Philip Baker <
darryl.ba...@northwestern.edu>:

> Yes that may be true but that is an issue for the OpenSSH list since it is
> the SSH/SFTP client not for the Apache list.
>
> *Darryl Baker*
> Sr. System Administrator
> Distributed Application Platform Services
> *Northwestern University*
> 1800 Sherman Ave.
> Suite 6-600 – Box #39
> Evanston, IL  60201-3715
> *darryl.ba...@northwestern.edu*
> (847) 467-6674
>
> *From: *Rodrigo Cunha
> *Reply-To: *"users@httpd.apache.org"
> *Date: *Tuesday, January 16, 2018 at 8:37 AM
> *To: *"users@httpd.apache.org"
> *Subject: *Re: [users@httpd] SFTP JAIL
>
> Tks,
> but a jail is important for many Apache users, as a layer of security, when a
> user sends files to a remote server.
>
> 2018-01-16 12:00 GMT-02:00 Luca Toscano :
>
> Hi Rodrigo,
>
> 2018-01-16 14:51 GMT+01:00 Rodrigo Cunha :
>
> Hi everyone,
> I have a problem with setting up SFTP access. My SFTP user can't be jailed.
> I configured the setup with these procedures:
> https://wiki.archlinux.org/index.php/SFTP_chroot
> But when I set up my user webmaster in group sftponly my client does not work.
>
> Any feedback would be greatly appreciated. Tks
>
> You have probably got the wrong list, this is for the Apache httpd
> webserver :)
>
> Luca
>
> --
> Atenciosamente,
> Rodrigo da Silva Cunha
> São Gonçalo, RJ - Brasil
>



-- 
Atenciosamente,
Rodrigo da Silva Cunha
São Gonçalo, RJ - Brasil


[users@httpd] Re: SFTP JAIL

2018-01-16 Thread Jonesy
On Tue, 16 Jan 2018 12:37:27 -0200, Rodrigo Cunha wrote:
>
> but a jail is important for many Apache users, 

So is beer.

