httpd-users mailing list archives

From Sanjay Kumar Sahu <sanjaysahu.onl...@gmail.com>
Subject Re: [users@httpd] SNI extension for healthchecks
Date Mon, 22 Oct 2018 13:57:44 GMT
Hi All!

Currently we are facing a critical Apache/Kerberos authentication issue on
our RHEL7 server running Apache/2.4 after changing the keytab to crypto
type=AES256. Previously it was crypto type=all. Please check the following for
the details.

We are using mod_auth_kerb on Red Hat Enterprise Linux for our application
MediaWiki 1.30.0 running on Apache/2.4, and we never faced such an issue with
Kerberos authentication while we used a keytab with the following cipher
algorithms as the encryption types.

(des-cbc-crc)
(des-cbc-md5)
(aes256-cts-hmac-sha1-96)
(aes128-cts-hmac-sha1-96)

Later, the DES crypto type was categorized as a weak crypto type and its use
in production was denied for security reasons.

And we were asked to use a keytab with Advanced Encryption Standard (AES)
cryptography, with either of the types (AES128 or AES256), i.e. the following
cipher algorithms.

(aes256-cts-hmac-sha1-96)
(aes128-cts-hmac-sha1-96)

But, unfortunately, neither of the keytabs encrypted with AES crypto (AES128
or AES256) is working under Apache/2.4, and HTTPD throws the following error in
the server error_log.


Error_log
-----------------
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may
provide more information (, No key table entry found for the SPN)

Please let us know if there is any solution to resolve this issue.

On Fri, Oct 19, 2018 at 6:57 PM Yann Ylavic <ylavic.dev@gmail.com> wrote:

> Hi Dominik,
>
> sorry for the late response.
>
> On Tue, Oct 16, 2018 at 12:44 PM Dominik Stillhard
> <Dominik.Stillhard@united-security-providers.ch> wrote:
> >
> > I face the problem that the SNI extension is not set on
> healthcheck requests to a backend using TLS. Because the healthchecks are
> negative, this leads to ordinary requests also being denied.
> >
> > on the backend server i have the following error:
> >
> > AH02033: No hostname was provided via SNI for a name based virtual host
> >
> > I've also investigated it with Wireshark; the extension is definitely
> not set.
>
> It should not, see below.
>
> >
> > My config looks as follows:
> []
> >
> >   <Proxy balancer://mycluster lbmethod=byrequests>
> >     BalancerMember https://127.0.0.1:8443
> >     BalancerMember https://127.0.0.1:8444
>
> https://tools.ietf.org/html/rfc6066#section-3 :
>     ...
>     Literal IPv4 and IPv6 addresses are not permitted in "HostName".
>
> So httpd won't set the SNI in your case, I guess "localhost" instead
> of 127.0.0.1 would work...
>
> >
> >     ProxyPreserveHost On
>
> While this is meaningful for forwarded client requests (their "Host:"
> header can be preserved on the backend side, instead of using the one
> from the ProxyPass/BalancerMember directive), it does not apply to
> healthchecks, where connections/requests are created on the httpd proxy
> and there is nothing to preserve, so the only hostname/SNI to use is
> the one from ProxyPass/BalancerMember here.
>
> So for healthcheck requests to be accepted by your backend (name based
> virtual host), you need to set real hostnames in BalancerMember(s)
> above, or use "localhost" provided that "ServerAlias localhost" is
> configured on the backend for the relevant vhost.
>
>
> Regards,
> Yann.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

-- 
*Thanks & Regards,*


*Sanjay Kumar Sahu*
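The two problems in this thread are both "does the name the client presents match what the server has?" questions: Yann's point that a BalancerMember with a literal IP cannot carry an SNI name (RFC 6066 section 3), and Sanjay's "No key table entry found for the SPN" after the keytab was re-keyed. The script below is an added example written for this page; it is not code from httpd, mod_auth_kerb or either poster. It reproduces the RFC 6066 rule for BalancerMember URLs and parses a `klist -kte` listing to report whether the SPN mod_auth_kerb will look up is present with the expected enctypes. The keytab listing, hostnames and realm are constructed sample data, and the list of "weak" enctypes is limited to the DES types named in the thread.

```python
"""Added diagnostics for the SNI and keytab questions in this thread.
Not part of httpd or mod_auth_kerb; all sample data below is constructed."""
import ipaddress
import re
from urllib.parse import urlsplit


def sni_hostname(member_url):
    """Return the SNI name httpd can send for a BalancerMember/ProxyPass URL,
    or None. RFC 6066 section 3 forbids literal IPv4/IPv6 addresses in
    HostName, so https://127.0.0.1:8443 or https://[::1]:8443 get no
    server_name extension at all."""
    host = urlsplit(member_url).hostname  # strips brackets and port, lowercases
    if host is None:
        return None
    try:
        ipaddress.ip_address(host)
        return None  # literal address: no SNI
    except ValueError:
        return host


def healthcheck_matches_vhost(member_url, server_name, server_aliases=()):
    """True if a proxy-originated healthcheck to member_url would select the
    backend's name-based vhost (ServerName plus ServerAlias entries).
    Nothing is 'preserved' for a healthcheck, so only the URL's host counts."""
    sni = sni_hostname(member_url)
    if sni is None:
        return False
    names = {server_name.lower(), *(a.lower() for a in server_aliases)}
    return sni in names


# One data line of MIT `klist -kte`:  KVNO  date time  principal (enctype)
KLIST_LINE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\S+\s+\S+)\s+(?P<principal>\S+)"
    r"\s+\((?P<enctype>[^)]+)\)\s*$"
)

# DES types the thread says were withdrawn as weak.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}


def parse_klist_kte(text):
    """Parse `klist -kte` output into (kvno, principal, enctype) tuples;
    header and separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append((int(m["kvno"]), m["principal"], m["enctype"]))
    return entries


def keytab_report(entries, spn, required_enctypes):
    """For the exact SPN the server will look up, list the enctypes present,
    the required ones that are missing, any weak DES entries still in the
    file, and the KVNOs seen. An SPN with nothing present is the keytab-side
    shape of 'No key table entry found for the SPN'."""
    mine = [(k, e) for k, p, e in entries if p == spn]
    present = sorted({e for _, e in mine})
    return {
        "present": present,
        "missing": sorted(set(required_enctypes) - set(present)),
        "weak": sorted(e for _, e in mine if e in WEAK_ENCTYPES),
        "kvnos": sorted({k for k, _ in mine}),
    }


# Constructed sample listing (not from the poster's server).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/httpd/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 10/22/2018 09:15:01 HTTP/wiki.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 10/22/2018 09:15:01 HTTP/wiki.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 01/09/2018 14:02:10 HTTP/wiki.example.com@EXAMPLE.COM (des-cbc-md5)
"""

AES_ENCTYPES = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"]

if __name__ == "__main__":
    for url in ("https://127.0.0.1:8443", "https://[::1]:8444",
                "https://localhost:8443"):
        print(url, "-> SNI:", sni_hostname(url),
              "matches vhost:",
              healthcheck_matches_vhost(url, "wiki.example.com", ["localhost"]))
    entries = parse_klist_kte(SAMPLE_KLIST)
    print(keytab_report(entries, "HTTP/wiki.example.com@EXAMPLE.COM", AES_ENCTYPES))
    print(keytab_report(entries, "HTTP/other.example.com@EXAMPLE.COM", AES_ENCTYPES))
```

Feed `keytab_report` the output of `klist -kte /etc/httpd/krb5.keytab` on the web server and the SPN the module actually requests (the `HTTP/<canonical hostname>@REALM` form, which must match the keytab principal character for character); a report with an empty `present` list, or with AES entries missing, is what to compare against the `gss_accept_sec_context()` error before looking anywhere else. The SNI helpers encode only the RFC 6066 rule Yann quotes; whether a given httpd build sends SNI for hostnames is a separate question that the thread does not settle beyond "use a real hostname or localhost".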
