Badly entered SSL certificate can take down whole apache server

[teoverton]

Hi Falko, Till and everybody,

It appears to me that any client in ispconfig3, whether intentionally/maliciously or accidentally can take down the entire apache server (and therefore all client sites) through entering a badly configured ssl certificate for their own site. Is this the case or am I missing something?
Of course, if this is the case, this can be a serious situation where all client sites go down whenever an individual enters their certificate wrongly, and even if an accident they cannot fix it through the web interface if ispconfig is on the same apache server.

Questions:
If this is indeed the case that a badly entered ssl will bring down the entire apache server, then:

Is there a way to remove ssl functionality from the clients control panels in order to block this from happening with or without hacking core?

Is there a better way to deal with this that I am missing, or should I file a bug report/ feature request?

Thanks for all the hard work on ispconfig3,
Thomas

PS I've searched the forum and manual and seen that this has happened to other people but have found no solution to stop this from being able to happen...but I have possibly/probably missed something?

[till]

The problem is that the apache config test functions do not work for ssl certs. ISPConfig is testing already the configuration and does a rollback of the vhost if apache does not restart after a config change. But this rollback is implemented for apache config changes only and not syntax errors in ssl certs, for ssl certs such a implementation is already on our todo list.

Quote:

Is there a way to remove ssl functionality from the clients control panels in order to block this from happening with or without hacking core?

If you created a website as admin for a client, then the client can not enable ssl by itself.

If you like to hide the ssl tab at all for the client, then add:

if($_SESSION['s']['user']['typ'] == 'admin') {

....

}

around the ssl tab definition in the web_domain.tform.php file.

[teoverton]

Cheers Till,

Thanks a lot for the help again and the speedy response. I think I'll pull the SSL tab for clients for now as you described, and add certificates myself at their request through the admin interface.

Best Regards,
Thomas

[cbj4074]

Quote:

Originally Posted by till

... But this rollback is implemented for apache config changes only and not syntax errors in ssl certs, for ssl certs such a implementation is already on our todo list.

Till, are you able to provide a specific bug-tracker ticket number for this effort?

I have long been leery of managing SSL certificates in ISPConfig for this very reason (no validation is performed to determine whether or not the key and certificate match).

If this has not been implemented already, it seems that this should be as simple as examining the hashes of each certificate component and ensuring that they all match.

On the command-line, this might look something like the following:

Code:

# openssl x509 -noout -modulus -in /var/www/example.com/ssl/example.com.crt | openssl md5
395aed008daf908ba3c447cec3a50db6
# openssl rsa -noout -modulus -in /var/www/example.com/ssl/example.com.key | openssl md5
395aed008daf908ba3c447cec3a50db6
# openssl req -noout -modulus -in /var/www/example.com/ssl/example.com.csr | openssl md5
395aed008daf908ba3c447cec3a50db6

Of course, in ISPConfig's case, it may make more sense to pass the certificate strings as they exist in the database to the openssl executable.

If any hash mismatches are present in the output, ISPConfig refuses to save the certificate files to disk and throws an error with specific information as to where the mismatch occurred.

Something like this would be a major step forward for SSL handling in ISPConfig.

[till]

Ispconfig has already ssl cert config protection and rollback implemented, a wrong entered ssl cert can not bring down apache anymore in 3.0.5. if you want to test it, download the 3.0.5 beta.

[cbj4074]

Very nice; this is a pleasant surprise. I'll give the 3.0.5 beta a try sometime this week. Thanks, Till!