Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > ISPConfig 3 > General

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
Reply
 
Thread Tools Display Modes
  #1  
Old 23rd April 2012, 14:35
teoverton teoverton is offline
Junior Member
 
Join Date: Mar 2011
Posts: 9
Thanks: 4
Thanked 0 Times in 0 Posts
Default Badly entered SSL certificate can take down whole apache server

Hi Falko, Till and everybody,

It appears to me that any client in ispconfig3, whether intentionally/maliciously or accidentally can take down the entire apache server (and therefore all client sites) through entering a badly configured ssl certificate for their own site. Is this the case or am I missing something?
Of course, if this is the case, this can be a serious situation where all client sites go down whenever an individual enters their certificate wrongly, and even if an accident they cannot fix it through the web interface if ispconfig is on the same apache server.

Questions:
If this is indeed the case that a badly entered ssl will bring down the entire apache server, then:

Is there a way to remove ssl functionality from the clients control panels in order to block this from happening with or without hacking core?

Is there a better way to deal with this that I am missing, or should I file a bug report/ feature request?

Thanks for all the hard work on ispconfig3,
Thomas

PS I've searched the forum and manual and seen that this has happened to other people but have found no solution to stop this from being able to happen...but I have possibly/probably missed something?

Last edited by teoverton; 23rd April 2012 at 14:36. Reason: typo
Reply With Quote
Sponsored Links
  #2  
Old 23rd April 2012, 14:54
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,446
Thanks: 813
Thanked 5,213 Times in 4,088 Posts
Default

The problem is that the apache config test functions do not work for ssl certs. ISPConfig is testing already the configuration and does a rollback of the vhost if apache does not restart after a config change. But this rollback is implemented for apache config changes only and not syntax errors in ssl certs, for ssl certs such a implementation is already on our todo list.

Quote:
Is there a way to remove ssl functionality from the clients control panels in order to block this from happening with or without hacking core?
If you created a website as admin for a client, then the client can not enable ssl by itself.

If you like to hide the ssl tab at all for the client, then add:

if($_SESSION['s']['user']['typ'] == 'admin') {

....

}

around the ssl tab definition in the web_domain.tform.php file.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.

Last edited by till; 23rd April 2012 at 16:39. Reason: typos
Reply With Quote
The Following User Says Thank You to till For This Useful Post:
teoverton (23rd April 2012)
  #3  
Old 23rd April 2012, 16:35
teoverton teoverton is offline
Junior Member
 
Join Date: Mar 2011
Posts: 9
Thanks: 4
Thanked 0 Times in 0 Posts
Default

Cheers Till,

Thanks a lot for the help again and the speedy response. I think I'll pull the SSL tab for clients for now as you described, and add certificates myself at their request through the admin interface.

Best Regards,
Thomas
Reply With Quote
  #4  
Old 16th November 2012, 18:09
cbj4074 cbj4074 is offline
Senior Member
 
Join Date: Nov 2010
Posts: 386
Thanks: 28
Thanked 58 Times in 50 Posts
Default

Quote:
Originally Posted by till View Post
... But this rollback is implemented for apache config changes only and not syntax errors in ssl certs, for ssl certs such a implementation is already on our todo list.
Till, are you able to provide a specific bug-tracker ticket number for this effort?

I have long been leery of managing SSL certificates in ISPConfig for this very reason (no validation is performed to determine whether or not the key and certificate match).

If this has not been implemented already, it seems that this should be as simple as examining the hashes of each certificate component and ensuring that they all match.

On the command-line, this might look something like the following:

Code:
# openssl x509 -noout -modulus -in /var/www/example.com/ssl/example.com.crt | openssl md5
395aed008daf908ba3c447cec3a50db6
# openssl rsa -noout -modulus -in /var/www/example.com/ssl/example.com.key | openssl md5
395aed008daf908ba3c447cec3a50db6
# openssl req -noout -modulus -in /var/www/example.com/ssl/example.com.csr | openssl md5
395aed008daf908ba3c447cec3a50db6
Of course, in ISPConfig's case, it may make more sense to pass the certificate strings as they exist in the database to the openssl executable.

If any hash mismatches are present in the output, ISPConfig refuses to save the certificate files to disk and throws an error with specific information as to where the mismatch occurred.

Something like this would be a major step forward for SSL handling in ISPConfig.
Reply With Quote
  #5  
Old 16th November 2012, 20:57
till till is offline
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,446
Thanks: 813
Thanked 5,213 Times in 4,088 Posts
Default

Ispconfig has already ssl cert config protection and rollback implemented, a wrong entered ssl cert can not bring down apache anymore in 3.0.5. if you want to test it, download the 3.0.5 beta.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
Reply With Quote
  #6  
Old 19th November 2012, 16:27
cbj4074 cbj4074 is offline
Senior Member
 
Join Date: Nov 2010
Posts: 386
Thanks: 28
Thanked 58 Times in 50 Posts
Default

Very nice; this is a pleasant surprise. I'll give the 3.0.5 beta a try sometime this week. Thanks, Till!
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
ISPConfig3 mail doesn't work pehden Installation/Configuration 20 9th December 2013 14:05
haproxy with stunnel problem abubin Server Operation 6 10th April 2012 15:08
Apache hangs without traffic Thesee General 21 27th September 2011 23:43
Can't start apache Musty Server Operation 12 9th March 2008 13:58
SSL for virtual hosts on one certificate rbartz Tips/Tricks/Mods 8 20th November 2007 17:59


All times are GMT +2. The time now is 18:59.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.