HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   General (http://www.howtoforge.com/forums/forumdisplay.php?f=25)
-   -   Badly entered SSL certificate can take down whole apache server (http://www.howtoforge.com/forums/showthread.php?t=57032)

teoverton 23rd April 2012 14:35

Badly entered SSL certificate can take down whole apache server
 
Hi Falko, Till and everybody,

It appears to me that any client in ispconfig3, whether intentionally/maliciously or accidentally can take down the entire apache server (and therefore all client sites) through entering a badly configured ssl certificate for their own site. Is this the case or am I missing something?
Of course, if this is the case, this can be a serious situation where all client sites go down whenever an individual enters their certificate wrongly, and even if an accident they cannot fix it through the web interface if ispconfig is on the same apache server.

Questions:
If this is indeed the case that a badly entered ssl will bring down the entire apache server, then:

Is there a way to remove ssl functionality from the clients control panels in order to block this from happening with or without hacking core?

Is there a better way to deal with this that I am missing, or should I file a bug report/ feature request?

Thanks for all the hard work on ispconfig3,
Thomas

PS I've searched the forum and manual and seen that this has happened to other people but have found no solution to stop this from being able to happen...but I have possibly/probably missed something?

till 23rd April 2012 14:54

The problem is that the apache config test functions do not work for ssl certs. ISPConfig is testing already the configuration and does a rollback of the vhost if apache does not restart after a config change. But this rollback is implemented for apache config changes only and not syntax errors in ssl certs, for ssl certs such a implementation is already on our todo list.

Quote:

Is there a way to remove ssl functionality from the clients control panels in order to block this from happening with or without hacking core?
If you created a website as admin for a client, then the client can not enable ssl by itself.

If you like to hide the ssl tab at all for the client, then add:

if($_SESSION['s']['user']['typ'] == 'admin') {

....

}

around the ssl tab definition in the web_domain.tform.php file.

teoverton 23rd April 2012 16:35

Cheers Till,

Thanks a lot for the help again and the speedy response. I think I'll pull the SSL tab for clients for now as you described, and add certificates myself at their request through the admin interface.

Best Regards,
Thomas

cbj4074 16th November 2012 18:09

Quote:

Originally Posted by till (Post 278029)
... But this rollback is implemented for apache config changes only and not syntax errors in ssl certs, for ssl certs such a implementation is already on our todo list.

Till, are you able to provide a specific bug-tracker ticket number for this effort?

I have long been leery of managing SSL certificates in ISPConfig for this very reason (no validation is performed to determine whether or not the key and certificate match).

If this has not been implemented already, it seems that this should be as simple as examining the hashes of each certificate component and ensuring that they all match.

On the command-line, this might look something like the following:

Code:

# openssl x509 -noout -modulus -in /var/www/example.com/ssl/example.com.crt | openssl md5
395aed008daf908ba3c447cec3a50db6
# openssl rsa -noout -modulus -in /var/www/example.com/ssl/example.com.key | openssl md5
395aed008daf908ba3c447cec3a50db6
# openssl req -noout -modulus -in /var/www/example.com/ssl/example.com.csr | openssl md5
395aed008daf908ba3c447cec3a50db6

Of course, in ISPConfig's case, it may make more sense to pass the certificate strings as they exist in the database to the openssl executable.

If any hash mismatches are present in the output, ISPConfig refuses to save the certificate files to disk and throws an error with specific information as to where the mismatch occurred.

Something like this would be a major step forward for SSL handling in ISPConfig.

till 16th November 2012 20:57

Ispconfig has already ssl cert config protection and rollback implemented, a wrong entered ssl cert can not bring down apache anymore in 3.0.5. if you want to test it, download the 3.0.5 beta.

cbj4074 19th November 2012 16:27

Very nice; this is a pleasant surprise. I'll give the 3.0.5 beta a try sometime this week. Thanks, Till!


All times are GMT +2. The time now is 00:26.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.