Yann Ylavic"
> To: users@httpd.apache.org
> Subject: Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
>
> On Wed, Feb 24, 2021 at 6:01 PM Hildegard Meier wrote:
> >
> > I thought about something like that as cause, but since the client IP is
> >
ation.
Sent: Thursday, 25 February 2021 at 13:55
From: "Brian Wolfe"
To: users@httpd.apache.org
Subject: Re: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
The question is if the "If/Else" block is being evaluated. I suspect it is,
but the selected CipherSuites are not available and therefore the global
setting is used to negotiate.
On Thu, Feb 25, 2021 at 7:50 AM Yann Ylavic wrote:
> On Thu, Feb 25, 2021 at 1:44 PM Brian Wolfe
> wrote:
> >
> > Ar
On Thu, Feb 25, 2021 at 1:44 PM Brian Wolfe wrote:
>
> Are you sure that you have any MD5 ciphers enabled.
Wrong thread?
Regards;
Yann.
Are you sure that you have any MD5 ciphers enabled. Most of them are
disabled nowadays. For example on my OSX I only have 1 MD5 available:
:~ $ openssl ciphers -v
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=E
On Wed, Feb 24, 2021 at 6:01 PM Hildegard Meier wrote:
>
> I thought about something like that as cause, but since the client IP is
> known from the very first start of the request, before TLS handshake, I
> thought it could be evaluated.
Yes but to determine the context from which the takes p
On Wed, Feb 24, 2021 at 6:01 PM Hildegard Meier wrote:
[...]
> Could it be possible another way to give clients of a specific vHost
> different SSLCipherSuite's depending on their IP address? (cipher of first
> handshake, no renegotiation)
You can work around this by setting up a separate vhost
tpd.apache.org
> Subject: Re: [users@httpd] Set SSLCipherSuite dependent on client IP
>
> > Why does this not work?
>
> is evaluated early in request processing, long after the
> handshake. However, the manual says:
> In per-directory context it forces a SSL renegotiation wit
> Why does this not work?
is evaluated early in request processing, long after the
handshake. However, the manual says:
In per-directory context it forces a SSL renegotiation with the
reconfigured Cipher Suite after the HTTP request was read but before
the HTTP response is sent.
I suggest testin