From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] force transport encryption for WebUI logins
Date: Sat, 23 Sep 2017 22:08:26 +0200
Message-ID: <20170923220826.25afdfca.peter.mueller@link38.eu>

Hello Matthias,

thanks for the quick reply.

> On 23.09.2017 20:19, Peter Müller wrote:
> > Hello Matthias,
> >
> > your described scenario does not appear on my machine. :-(
>
> Hm... Weird.
>
> > However, the "Require ssl" directive seems not to work with the
> > 2.2.x branch here; we still need the old "SSLRequireSSL". (On
> > the other hand, it was intended to be used with the new version.)
> >
> > Which version are you running?
>
> Sorry, forgot. I'm using 2.4.27 from current 'next', built today, on
> Core 113.

Ah, I was still at 2.2.x (where the patch has no effect) and tested
against a 2.4.x web server I had at hand. Promise to test better next
time.

>
> > I think the best solution for now is to disregard this patch.
> > After the Core Update with the 2.4.27 version is released, I'll
> > give it another try.
>
> See above... It won't work here: I just verified this behaviour on my
> test machine. *With* "Require ssl" I get instant (https-)access,
> *without* "Require ssl" I'm asked for username / password.

Well, according to the Apache docs
(https://httpd.apache.org/docs/current/mod/mod_ssl.html#reqssl), one
cannot assume that this breaks "Require valid-user". Looks somehow like
a bug in Apache...

I think I will just replace the directories with HTTP 301 in the
unencrypted file (as I mentioned in the other mail), but for the
"ipfire-interface-ssl.conf" file, we can assume SSL is used, anyway.

We _can_ assume, but we are not sure. :-|

Will use a nightly build tomorrow and develop a better patch.

Best regards,
Peter Müller

>
> Best,
> Matthias
>
> > @All: Anybody against or in favor?
> >
> > Best regards,
> > Peter Müller
> >
> >> Hello Matthias,
> >>
> >> thanks for reporting this. I am trying to reproduce here...
> >>
> >> Best regards,
> >> Peter Müller
> >>
> >> > Hi Peter,
> >> >
> >> > Please review this patch... (http://patchwork.ipfire.org/patch/1413/)
> >> >
> >> > During testing I found that every machine in my GREEN net was suddenly
> >> > able to login through https://[IPFIRE_GREEN_ADDRESS]:[444].
> >> >
> >> > No question for admin-username, no password authentication request,
> >> > nothing.
> >> >
> >> > It seems as if the Authentication Header is missing(?).
> >> >
> >> > Only when I remove the "Require ssl" lines (I did this in both files), a
> >> > browser restart leads to the usual login procedure.
> >> >
> >> > Best,
> >> > Matthias
> >> >
> >> > On 08.09.2017 19:19, Peter Müller wrote:
> >> > > Force SSL/TLS for any WebUI directory which requires an authentication.
> >> > > This prevents credentials from being transmitted in plaintext, which is
> >> > > an information leak.
> >> > >
> >> > > Scenario: A MITM attacker might block all encrypted traffic to the
> >> > > firewall's web interface, making the administrator use an unencrypted
> >> > > connection (i.e. via port 81). Username and password can be easily
> >> > > logged in transit then.
> >> > >
> >> > > Signed-off-by: Peter Müller
> >> > > ---
> >> > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> >> > > index 6f353962e..5ceaa1f32 100644
> >> > > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> >> > > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> >> > > @@ -24,6 +26,7 @@ > >> > > AuthType Basic > >> > > AuthUserFile /var/ipfire/auth/users > >> > > Require user admin > >> > > + Require ssl > >> > > > >> > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > >> > > > >> > > @@ -33,6 +36,7 @@ > >> > > AuthType Basic > >> > > AuthUserFile /var/ipfire/auth/users > >> > > Require user admin > >> > > + Require ssl > >> > > > >> > > Require all granted > >> > > > >> > > @@ -50,6 +54,7 @@ > >> > > AuthType Basic > >> > > AuthUserFile /var/ipfire/auth/users > >> > > Require user dial admin > >> > > + Require ssl > >> > > > >> > > > >> > > SSLOptions +StdEnvVars > >> > > @@ -86,5 +91,6 @@ > >> > > AuthType Basic > >> > > AuthUserFile /var/ipfire/auth/users > >> > > Require user admin > >> > > + Require ssl > >> > > > >> > > > >> > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/ht= tpd/vhosts.d/ipfire-interface.conf > >> > > index 619f90fcc..58d1b54cd 100644 > >> > > --- a/config/httpd/vhosts.d/ipfire-interface.conf > >> > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf > >> > > @@ -16,6 +16,7 @@ > >> > > AuthType Basic > >> > > AuthUserFile /var/ipfire/auth/users > >> > > Require user admin > >> > > + Require ssl > >> > > > >> > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ > >> > > > >> > > @@ -25,6 +26,7 @@ > >> > > AuthType Basic > >> > > AuthUserFile /var/ipfire/auth/users > >> > > Require user admin > >> > > + Require ssl > >> > > > >> > > Require all granted > >> > > > >> > > @@ -42,6 +44,7 @@ > >> > > AuthType Basic > >> > > AuthUserFile /var/ipfire/auth/users > >> > > Require user dial admin > >> > > + Require ssl > >> > > > >> > > Alias /updatecache/ /var/updatecache/ > >> > > > >> > > =20 > >> > =20 > >> =20 > >=20 > >=20 > > =20 >=20 --===============0039802638751339973==--
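Review bot: without a `<RequireAll>` wrapper, the new `Require ssl` line and the existing `Require user admin` / `Require user dial admin` line in each hunk are siblings, and httpd 2.4 combines sibling Require directives as RequireAny; an encrypted connection alone then satisfies authorization and no Basic-auth challenge is ever sent, which is exactly the "instant (https-)access" reported upthread. Each affected block should read `<RequireAll>` / `Require ssl` / `Require user admin` / `</RequireAll>` so that both conditions must hold.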
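Review bot: in the three ipfire-interface.conf hunks (the plaintext port-81 vhost named in the commit message) `Require ssl` cannot achieve the stated goal: on an unencrypted listener it never matches, so as a RequireAny sibling it is a no-op and inside a RequireAll it turns every port-81 login into a 403 instead of moving it to https. A `Redirect permanent` to the https listener in that file (the HTTP 301 approach mentioned upthread) is the change that actually keeps credentials off port 81.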
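The three configurations the thread is circling, side by side, as an added example that is not part of the patch or of IPFire's own files: the directory path is taken from the ScriptAlias in the hunks, `AuthName` and the `<VirtualHost>` wrapper are assumed for a self-contained snippet, and the redirect target host is a placeholder.

```apache
# Added example (not from the patch): why "Require ssl" beside "Require user"
# opens the WebUI in httpd 2.4, and the forms that enforce TLS plus a login.

# WEAK (what the patch does). Sibling Require directives are implicitly
# grouped as <RequireAny>: an encrypted connection alone is sufficient,
# so the Basic-auth challenge is never sent to an https client.
<Directory /srv/web/ipfire/cgi-bin>
    AuthType Basic
    AuthName "IPFire"                 # assumed; required by AuthType Basic
    AuthUserFile /var/ipfire/auth/users
    Require user admin
    Require ssl
</Directory>

# CORRECT for the TLS vhost (ipfire-interface-ssl.conf): both conditions
# must hold, so a plaintext request is refused AND a valid login is needed.
<Directory /srv/web/ipfire/cgi-bin>
    AuthType Basic
    AuthName "IPFire"
    AuthUserFile /var/ipfire/auth/users
    <RequireAll>
        Require ssl
        Require user admin
    </RequireAll>
</Directory>

# Plaintext vhost (ipfire-interface.conf, port 81): "Require ssl" can only
# ever deny here. Redirect to the TLS listener instead, so no credentials are
# requested over an unencrypted connection (the HTTP 301 idea from the thread).
<VirtualHost *:81>
    # IPFIRE_GREEN_ADDRESS is a placeholder for the firewall's GREEN address.
    Redirect permanent / https://IPFIRE_GREEN_ADDRESS:444/
</VirtualHost>
```

`apachectl configtest` will accept all three blocks; only the second and third actually prevent a login from being offered over plaintext.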