From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] force transport encryption for WebUI logins
Date: Sat, 23 Sep 2017 20:26:46 +0100
Message-ID: <1506194806.18494.64.camel@ipfire.org>
In-Reply-To: <1221F4D5-A4CB-401F-B6F9-78D49B82E1FC@rymes.com>
Content-Type: text/plain; charset="utf-8"

Hi,

On Sat, 2017-09-23 at 15:18 -0400, Tom Rymes wrote:
> That makes sense to me. One step at a time!
> 
> > On Sep 23, 2017, at 2:19 PM, Peter Müller wrote:
> > 
> > Hello Matthias,
> > 
> > your described scenario does not appear on my machine. :-(
> > 
> > However, the "Require ssl" directive seems not to work with the
> > 2.2.x branch, here, we still need the old "SSLRequireSSL". (On
> > the other hand, it was intended to be used with the new version.)
> > 
> > Which version are you running?
> > 
> > I think the best solution for now is to disregard this patch.
> > After the Core Update with 2.4.27 version was released, I'll
> > give it another try.

Well, the update for Apache 2.4 is in next right now. If there is any
doubt on whether SSL is always enforced or not we should investigate as
soon as possible.

I don't think that we should wait too much longer with the entire update
anyway, but this certainly delays it.

Best,
-Michael

> > 
> > @All: Anybody against or in favor?
> > 
> > Best regards,
> > Peter Müller
> > 
> > > Hello Matthias,
> > > 
> > > thanks for reporting this. I am trying to reproduce here...
> > > 
> > > Best regards,
> > > Peter Müller
> > > 
> > > > Hi Peter,
> > > > 
> > > > Please review this patch... (http://patchwork.ipfire.org/patch/1413/)
> > > > 
> > > > During testing I found that every machine in my GREEN net was suddenly
> > > > able to login through https://[IPFIRE_GREEN_ADDRESS]:[444].
> > > > 
> > > > No question for admin-username, no password authentication request,
> > > > nothing.
> > > > 
> > > > It seems as if the Authentication Header is missing(?).
> > > > 
> > > > Only when I remove the "Require ssl" lines (I did this in both files), a
> > > > browser restart leads to the usual login procedure.
> > > > 
> > > > Best,
> > > > Matthias
> > > > 
> > > > > On 08.09.2017 19:19, Peter Müller wrote:
> > > > > Force SSL/TLS for any WebUI directory which requires an
> > > > > authentication.
> > > > > This prevents credentials from being transmitted in plaintext, which
> > > > > is
> > > > > an information leak.
> > > > > 
> > > > > Scenario: A MITM attacker might block all encrypted traffic to the
> > > > > firewall's web interface, making the administrator use an
> > > > > unencrypted
> > > > > connection (i.e. via port 81). Username and password can be easily
> > > > > logged in transit then.
> > > > > 
> > > > > Signed-off-by: Peter Müller
> > > > > ---
> > > > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > > > b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > > > index 6f353962e..5ceaa1f32 100644 > > > > > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > > > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf > > > > > @@ -24,6 +26,7 @@ > > > > > AuthType Basic > > > > > AuthUserFile /var/ipfire/auth/users > > > > > Require user admin > > > > > + Require ssl > > > > > > > > > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > > > > > > > > > @@ -33,6 +36,7 @@ > > > > > AuthType Basic > > > > > AuthUserFile /var/ipfire/auth/users > > > > > Require user admin > > > > > + Require ssl > > > > > > > > > > Require all granted > > > > > > > > > > @@ -50,6 +54,7 @@ > > > > > AuthType Basic > > > > > AuthUserFile /var/ipfire/auth/users > > > > > Require user dial admin > > > > > + Require ssl > > > > > > > > > > > > > > > SSLOptions +StdEnvVars 
> > > > > @@ -86,5 +91,6 @@ > > > > > AuthType Basic > > > > > AuthUserFile /var/ipfire/auth/users > > > > > Require user admin > > > > > + Require ssl > > > > > > > > > > > > > > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf > > > > > b/config/httpd/vhosts.d/ipfire-interface.conf > > > > > index 619f90fcc..58d1b54cd 100644 > > > > > --- a/config/httpd/vhosts.d/ipfire-interface.conf > > > > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf > > > > > @@ -16,6 +16,7 @@ > > > > > AuthType Basic > > > > > AuthUserFile /var/ipfire/auth/users > > > > > Require user admin > > > > > + Require ssl > > > > > > > > > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > > > > > > > > > > @@ -25,6 +26,7 @@ > > > > > AuthType Basic > > > > > AuthUserFile /var/ipfire/auth/users > > > > > Require user admin > > > > > + Require ssl > > > > > > > > > > Require all granted 
> > > > > > > > > > @@ -42,6 +44,7 @@ > > > > > AuthType Basic > > > > > AuthUserFile /var/ipfire/auth/users > > > > > Require user dial admin > > > > > + Require ssl > > > > > > > > > > Alias /updatecache/ /var/updatecache/ > > > > > > > > > >=20
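Review bot: In the `@@ -24,6 +26,7 @@` hunk of ipfire-interface-ssl.conf, adding `+ Require ssl` as a sibling of `Require user admin` weakens the access control rather than tightening it. In Apache 2.4, several `Require` directives in one block that are not wrapped in `<RequireAll>` are combined by an implicit `<RequireAny>` (OR), and `Require ssl` is a user-independent provider that httpd evaluates before authentication runs. On this TLS vhost it always grants, so `Require user admin` is never consulted and no 401 challenge is sent, which is exactly what Matthias reports above (no username prompt, "Authentication Header is missing"). The intended AND must be written explicitly, for example `<RequireAll>` / `Require ssl` / `Require user admin` / `</RequireAll>`. Separately, the hunk header starts at old line 24 but new line 26, so two lines were already added above this point in the tree the diff was taken from; please confirm the patch applies to the branch it targets.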
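Review bot: In the `@@ -50,6 +54,7 @@` hunk of ipfire-interface-ssl.conf the same OR problem applies to the `Require user dial admin` directory: with `+ Require ssl` as a sibling directive, the restriction to the `dial` and `admin` users is bypassed for every client that reaches the TLS vhost, and the `<RequireAll>` wrapper is needed here as well. Peter also notes above that `Require ssl` does not work on the 2.2.x branch, where `SSLRequireSSL` is still required; since both vhost files are changed unconditionally, the patch should wait for the Apache 2.4 (2.4.27) update mentioned in this thread rather than ship against 2.2.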
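Review bot: In the `@@ -16,6 +16,7 @@` hunk of ipfire-interface.conf, the plain-HTTP vhost on port 81, `+ Require ssl` cannot achieve the commit message's goal as written: under the implicit `<RequireAny>` it can never be satisfied on this listener, so the policy collapses to `Require user admin` alone and Basic credentials keep travelling in cleartext, which is the leak the patch sets out to close. Wrapping both directives in `<RequireAll>` makes the AND explicit, but for a cleartext listener the cleaner fix is a `Redirect` of these paths to the port 444 vhost so a browser is never asked for credentials on port 81 at all; the `@@ -25,6 +26,7 @@` and `@@ -42,6 +44,7 @@` hunks in this file need the same treatment.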