Sent from IBM Verse

Peter Müller --- Re: [PATCH] force transport encryption for WebUI logins ---

From:"Peter Müller" <peter.mueller@link38.eu>
To:"Matthias Fischer" <matthias.fischer@ipfire.org>
Cc:development@lists.ipfire.org
Date:Sat, Sep 23, 2017 3:08 PM
Subject:Re: [PATCH] force transport encryption for WebUI logins

Hello Matthias,

thanks for the quick reply.

> On 23.09.2017 20:19, Peter Müller wrote:
> > Hello Matthias,
> > 
> > your described scenario does not appear on my machine. :-(  
> 
> Hm... Weird.
> 
> > However, the "Require ssl" directive seems not to work with the
> > 2.2.x branch, here, we still need the old "SSLRequireSSL". (On
> > the other hand, it was intended to be used with the new version.)
> > 
> > Which version are you running?  
> 
> Sorry, forgot. I'm using 2.4.27 from current 'next', built today, on
> Core 113.
Ah, I was still at 2.2.x (where the patch has no effect) and tested
against a 2.4.x web server I had at hand.

Promise to test better next time.
> 
> > I think the best solution for now is to disregard this patch.
> > After the Core Update with 2.4.27 version was released, I'll
> > give it another try.  
> 
> See above... It won't work here: I just verified this behaviour on my
> test machine. *With* "Require ssl" I get instant (https-)access,
> *without* "Require ssl" I'm asked for username / password.
Well, according to the Apache docs (https://httpd.apache.org/docs/current/mod/mod_ssl.html#reqssl),
one cannot assume that this breaks "Require valid-user". Looks somehow
like a bug in Apache...

I think I will just replace the directories with HTTP 301 in the
unencrypted file (as I mentioned in the other mail), but for the
"ipfire-interface-ssl.conf" file, we can assume SSL is used, anyway.

We _can_ assume, but we are not sure. :-|

Will use a nightly build tomorrow and develop a better patch.

Best regards,
Peter Müller


> 
> Best,
> Matthias
> 
> > @All: Anybody against or in favor?
> > 
> > Best regards,
> > Peter Müller
> >   
> >> Hello Matthias,
> >> 
> >> tanks for reporting this. I am trying to reproduce here...
> >> 
> >> Best regards,
> >> Peter Müller
> >>   
> >> > Hi Peter,
> >> > 
> >> > Please review this patch... (http://patchwork.ipfire.org/patch/1413/)
> >> > 
> >> > During testing I found that every machine in my GREEN net was suddenly
> >> > able to login through https://[IPFIRE_GREEN_ADDRESS]:[444].
> >> > 
> >> > No question for admin-username, no password authentification request,
> >> > nothing.
> >> > 
> >> > It seems as as if the Authentication Header is missing(?).
> >> > 
> >> > Only when I remove the "Require ssl" lines (I did this in both files), a
> >> > browser restart leads to the usual login procedure.
> >> > 
> >> > Best,
> >> > Matthias
> >> > 
> >> > On 08.09.2017 19:19, Peter Müller wrote:    
> >> > > Force SSL/TLS for any WebUI directory which requires an authentication.
> >> > > This prevents credentials from being transmitted in plaintext, which is
> >> > > an information leak.
> >> > > 
> >> > > Scenario: A MITM attacker might block all encrypted traffic to the
> >> > > firewall's web interface, making the administrator using an unencrypted
> >> > > connection (i.e. via port 81). Username and password can be easily
> >> > > logged in transit then.
> >> > > 
> >> > > Signed-off-by: Peter Müller <peter.mueller@link38.eu>
> >> > > ---
> >> > > diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> >> > > index 6f353962e..5ceaa1f32 100644
> >> > > --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> >> > > +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> >> > > @@ -24,6 +26,7 @@
> >> > >          AuthType Basic
> >> > >          AuthUserFile /var/ipfire/auth/users
> >> > >          Require user admin
> >> > > +        Require ssl
> >> > >      </DirectoryMatch>
> >> > >      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> >> > >      <Directory /srv/web/ipfire/cgi-bin>
> >> > > @@ -33,6 +36,7 @@
> >> > >          AuthType Basic
> >> > >          AuthUserFile /var/ipfire/auth/users
> >> > >          Require user admin
> >> > > +        Require ssl
> >> > >          <Files chpasswd.cgi>
> >> > >              Require all granted
> >> > >          </Files>
> >> > > @@ -50,6 +54,7 @@
> >> > >          AuthType Basic
> >> > >          AuthUserFile /var/ipfire/auth/users
> >> > >          Require user dial admin
> >> > > +        Require ssl
> >> > >      </Directory>
> >> > >      <Files ~ "\.(cgi|shtml?)$">
> >> > >      SSLOptions +StdEnvVars
> >> > > @@ -86,5 +91,6 @@
> >> > >          AuthType Basic
> >> > >          AuthUserFile /var/ipfire/auth/users
> >> > >          Require user admin
> >> > > +        Require ssl
> >> > >      </Directory>
> >> > >  </VirtualHost>
> >> > > diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
> >> > > index 619f90fcc..58d1b54cd 100644
> >> > > --- a/config/httpd/vhosts.d/ipfire-interface.conf
> >> > > +++ b/config/httpd/vhosts.d/ipfire-interface.conf
> >> > > @@ -16,6 +16,7 @@
> >> > >          AuthType Basic
> >> > >          AuthUserFile /var/ipfire/auth/users
> >> > >          Require user admin
> >> > > +        Require ssl
> >> > >      </DirectoryMatch>
> >> > >      ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
> >> > >      <Directory /srv/web/ipfire/cgi-bin>
> >> > > @@ -25,6 +26,7 @@
> >> > >          AuthType Basic
> >> > >          AuthUserFile /var/ipfire/auth/users
> >> > >          Require user admin
> >> > > +        Require ssl
> >> > >           <Files chpasswd.cgi>
> >> > >              Require all granted
> >> > >          </Files>
> >> > > @@ -42,6 +44,7 @@
> >> > >          AuthType Basic
> >> > >          AuthUserFile /var/ipfire/auth/users
> >> > >          Require user dial admin
> >> > > +        Require ssl
> >> > >      </Directory>
> >> > >      Alias /updatecache/ /var/updatecache/
> >> > >      <Directory /var/updatecache>
> >> > >       
> >> >     
> >>   
> > 
> > 
> >   
>