Re: [PATCH] force transport encryption for WebUI logins

From: "Peter Müller" <peter.mueller@link38.eu>
To: "Matthias Fischer" <matthias.fischer@ipfire.org>
Cc: development@lists.ipfire.org
Date: Sat, Sep 23, 2017 3:08 PM
Subject: Re: [PATCH] force transport encryption for WebUI logins
Hello Matthias,

thanks for the quick reply.

> On 23.09.2017 20:19, Peter Müller wrote:
> > Hello Matthias,
> >
> > your described scenario does not appear on my machine. :-(
>
> Hm... Weird.
>
> > However, the "Require ssl" directive seems not to work with the
> > 2.2.x branch, here, we still need the old "SSLRequireSSL". (On
> > the other hand, it was intended to be used with the new version.)
> >
> > Which version are you running?
>
> Sorry, forgot. I'm using 2.4.27 from current 'next', built today, on
> Core 113.

Ah, I was still at 2.2.x (where the patch has no effect) and tested
against a 2.4.x web server I had at hand.

Promise to test better next time.

> > I think the best solution for now is to disregard this patch.
> > After the Core Update with 2.4.27 version was released, I'll
> > give it another try.
>
> See above... It won't work here: I just verified this behaviour on my
> test machine. *With* "Require ssl" I get instant (https-)access,
> *without* "Require ssl" I'm asked for username / password.

Well, according to the Apache docs (https://httpd.apache.org/docs/current/mod/mod_ssl.html#reqssl),
one cannot assume that this breaks "Require valid-user". Looks somehow
like a bug in Apache...

I think I will just replace the directories with HTTP 301 in the
unencrypted file (as I mentioned in the other mail), but for the
"ipfire-interface-ssl.conf" file, we can assume SSL is used, anyway.

We _can_ assume, but we are not sure. :-|

Will use a nightly build tomorrow and develop a better patch.

Best regards,
Peter Müller

>
> Best,
> Matthias
>
> > @All: Anybody against or in favor?
> >
> > Best regards,
> > Peter Müller
> >
> >> Hello Matthias,
> >>
> >> thanks for reporting this. I am trying to reproduce here...
> >>
> >> Best regards,
> >> Peter Müller
> >>
> >> > Hi Peter,
> >> >
> >> > Please review this patch...
(http://patchwork.ipfire.org/patch/1413/)%3E >> > > >> > During testing I found that every machine in my GREEN net was suddenly> >> > able to login through https://%5BIPFIRE_GREEN_ADDRESS%5D:%5B444%5D.%3E >> > > >> > No question for admin-username, no password authentification request,> >> > nothing.> >> > > >> > It seems as as if the Authentication Header is missing(?).> >> > > >> > Only when I remove the "Require ssl" lines (I did this in both files), a> >> > browser restart leads to the usual login procedure.> >> > > >> > Best,> >> > Matthias> >> > > >> > On 08.09.2017 19:19, Peter Müller wrote: > >> > > Force SSL/TLS for any WebUI directory which requires an authentication.> >> > > This prevents credentials from being transmitted in plaintext, which is> >> > > an information leak.> >> > > > >> > > Scenario: A MITM attacker might block all encrypted traffic to the> >> > > firewall's web interface, making the administrator using an unencrypted> >> > > connection (i.e. via port 81). Username and password can be easily> >> > > logged in transit then.> >> > > > >> > > Signed-off-by: Peter Müller peter.mueller@link38.eu> >> > > ---> >> > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf> >> > > index 6f353962e..5ceaa1f32 100644> >> > > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf> >> > > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf> >> > > @@ -24,6 +26,7 @@> >> > > AuthType Basic> >> > > AuthUserFile /var/ipfire/auth/users> >> > > Require user admin> >> > > + Require ssl> >> > > </DirectoryMatch>> >> > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/> >> > > <Directory /srv/web/ipfire/cgi-bin>> >> > > @@ -33,6 +36,7 @@> >> > > AuthType Basic> >> > > AuthUserFile /var/ipfire/auth/users> >> > > Require user admin> >> > > + Require ssl> >> > > <Files chpasswd.cgi>> >> > > Require all granted> >> > > </Files>> 
>> > > @@ -50,6 +54,7 @@> >> > > AuthType Basic> >> > > AuthUserFile /var/ipfire/auth/users> >> > > Require user dial admin> >> > > + Require ssl> >> > > </Directory>> >> > > <Files ~ ".(cgi|shtml?)$">> >> > > SSLOptions +StdEnvVars> >> > > @@ -86,5 +91,6 @@> >> > > AuthType Basic> >> > > AuthUserFile /var/ipfire/auth/users> >> > > Require user admin> >> > > + Require ssl> >> > > </Directory>> >> > > </VirtualHost>> >> > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf> >> > > index 619f90fcc..58d1b54cd 100644> >> > > --- a/config/httpd/vhosts.d/ipfire-interface.conf> >> > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf> >> > > @@ -16,6 +16,7 @@> >> > > AuthType Basic> >> > > AuthUserFile /var/ipfire/auth/users> >> > > Require user admin> >> > > + Require ssl> >> > > </DirectoryMatch>> >> > > ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/> >> > > <Directory /srv/web/ipfire/cgi-bin>> >> > > @@ -25,6 +26,7 @@> >> > > AuthType Basic> >> > > AuthUserFile /var/ipfire/auth/users> >> > > Require user admin> >> > > + Require ssl> >> > > <Files chpasswd.cgi>> >> > > Require all granted> >> > > </Files>> >> > > @@ -42,6 +44,7 @@> >> > > AuthType Basic> >> > > AuthUserFile /var/ipfire/auth/users> >> > > Require user dial admin> >> > > + Require ssl> >> > > </Directory>> >> > > Alias /updatecache/ /var/updatecache/> >> > > <Directory /var/updatecache>> >> > > > >> > > >> > > > > > > >
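Review bot: In the first hunk of ipfire-interface-ssl.conf (`@@ -24,6 +26,7 @@`), adding `+ Require ssl` as a second bare `Require` line next to `Require user admin` does not tighten access, it loosens it: in Apache 2.4 several `Require` directives at the same level of a section are combined as if inside an implicit `<RequireAny>`, so the request is authorized when it is from user admin OR arrives over TLS. On the SSL vhost every request satisfies `Require ssl`, so the user check is never needed, which is exactly the "instant (https-)access without a password prompt" reported in the thread rather than an Apache bug. The intended "TLS AND authenticated user" semantics need an explicit container, i.e. `<RequireAll>`, `Require ssl`, `Require user admin`, closed with `</RequireAll>`, and the same applies to every hunk that adds the line. Separately, the header `@@ -24,6 +26,7 @@` already shows a +2 line offset before this first change, so the diff was taken against a tree with other local edits not in this patch and may not apply cleanly to `next`.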
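Review bot: In the cgi-bin hunk of ipfire-interface-ssl.conf (`@@ -33,6 +36,7 @@`) and its twin in ipfire-interface.conf (`@@ -25,6 +26,7 @@`), the new `+ Require ssl` line sits above the existing `<Files chpasswd.cgi>` block with `Require all granted`. A `<Files>` section carries its own authorization configuration, which by default replaces rather than merges with the enclosing `<Directory>` rules, so chpasswd.cgi, the password-change script, remains reachable without any transport requirement whatever is added at directory level. If the goal is that credentials never travel in cleartext, the `<Files chpasswd.cgi>` block needs its own `Require ssl` (or the plaintext vhost should not serve it at all), and this should be covered in the commit message.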
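Review bot: The hunks in ipfire-interface.conf (`@@ -16,6 +16,7 @@`, `@@ -25,6 +26,7 @@`, `@@ -42,6 +44,7 @@`) add `+ Require ssl` to the vhost that, per the commit message, serves the interface unencrypted on port 81; there `Require ssl` can never be satisfied, so with the implicit `<RequireAny>` it is a no-op and with `<RequireAll>` it denies every request, but in both cases the browser has already sent the Basic credentials in cleartext before authorization runs, so the stated goal (no credentials in transit) is not achieved. An authorization directive is the wrong tool on the plaintext vhost; redirecting these paths to the HTTPS port with a 301, as proposed later in this thread, or dropping authenticated paths from this vhost entirely, is what actually prevents the downgrade scenario described in the commit message.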