osdir.com

Re: [users@httpd] SNI extension for healthchecks


Hi All!

Currently we are facing a critical Apache/Kerberos authentication issue in our RHEL7 server running Apache/2.4 upon changing the keytab to Crypto type=AES256. Previously it was Crypto type=all. Please check the following for the details.

We are using mod_auth_kerb on Red Hat Enterprise Linux for our application MediaWiki 1.30.0 running in Apache/2.4.
And we never faced such an issue related to Kerberos authentication since we used the keytab with the following cipher algorithms in the encryption method.

(des-cbc-crc)
(des-cbc-md5)
(aes256-cts-hmac-sha1-96)
(aes128-cts-hmac-sha1-96)

Later, the DES crypto type was categorized as a weak crypto type and its use is denied in Production for security reasons.

And we are asked to use a keytab using Advanced Encryption Standard (AES) cryptography with either of the types (AES128 or AES256) for the following cipher algorithms.

(aes256-cts-hmac-sha1-96)
(aes128-cts-hmac-sha1-96)

But, unfortunately, neither of the keytabs encrypted with AES crypto (AES128 or AES256) is working under Apache/2.4, and it throws the following error in the HTTPD server error_log.


Error_log
-----------------
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, No key table entry found for the SPN)

Please let us know if there is any solution to resolve the issue.


On Fri, Oct 19, 2018 at 6:57 PM Yann Ylavic <ylavic.dev@xxxxxxxxx> wrote:
Hi Dominik,

sorry for the late response.

On Tue, Oct 16, 2018 at 12:44 PM Dominik Stillhard
<Dominik.Stillhard@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> I face the problem that the SNI extension is not set on healthcheck requests to a backend using TLS. Because the healthchecks are negative, this leads to ordinary requests also being denied.
>
> on the backend server i have the following error:
>
> AH02033: No hostname was provided via SNI for a name based virtual host
>
> I've also investigated it with Wireshark; the extension is definitely not set.

It should not, see below.

>
> My config looks as follows:
[]
>
>   <Proxy balancer://mycluster lbmethod=byrequests>
>     BalancerMember https://127.0.0.1:8443
>     BalancerMember https://127.0.0.1:8444

https://tools.ietf.org/html/rfc6066#section-3 :
    ...
    Literal IPv4 and IPv6 addresses are not permitted in "HostName".

So httpd won't set the SNI in your case, I guess "localhost" instead
of 127.0.0.1 would work...

>
>     ProxyPreserveHost On

While this is meaningful for forwarded client requests (their "Host:"
header can be preserved on the backend side, instead of using the one
from the ProxyPass/BalancerMember directive), it does not apply to
healthcheck where connections/requests are created on the httpd proxy
and there is nothing to preserve, so the only hostname/SNI to use is
the one from ProxyPass/BalancerMember here.

So for healthcheck requests to be accepted by your backend (name based
virtual host), you need to set real hostnames in BalancerMember(s)
above, or use "localhost" provided that "ServerAlias localhost" is
configured on the backend for the relevant vhost.


Regards,
Yann.




--
Thanks & Regards,
Sanjay Kumar Sahu
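As an added example (not code from the thread or from httpd), a small Python lint that applies the RFC 6066 rule Yann quotes above to a mod_proxy config: it flags every https:// BalancerMember or ProxyPass target whose host is an IP literal, since httpd sends no SNI for those and a name-based backend vhost will reject the healthcheck. The sample config is constructed, modelled on the one quoted in the thread.

```python
"""Flag mod_proxy HTTPS backends that will never receive SNI (RFC 6066 section 3)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample, modelled on the balancer config quoted in the thread.
SAMPLE_CONFIG = """<Proxy balancer://mycluster lbmethod=byrequests>
    BalancerMember https://127.0.0.1:8443
    BalancerMember https://[::1]:8444
    BalancerMember https://app1.example.internal:8443
    BalancerMember http://10.0.0.5:8080
</Proxy>
ProxyPass /api https://10.0.0.9/api
ProxyPreserveHost On
"""

TARGET_DIRECTIVES = ("balancermember", "proxypass")


def is_ip_literal(host):
    """True for an IPv4/IPv6 literal, which RFC 6066 forbids in the SNI HostName."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_sni_less_targets(config_text):
    """Return (directive, url, host) for each https:// backend using an IP literal.

    http:// backends carry no TLS, so no SNI: skipped. Healthchecks originate on
    the proxy, so ProxyPreserveHost cannot help; the URL host is all the backend sees.
    """
    findings = []
    for line in config_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() not in TARGET_DIRECTIVES:
            continue
        for tok in tokens[1:]:  # balancer URL, path prefix or backend URL
            parts = urlsplit(tok)
            if parts.scheme.lower() == "https" and parts.hostname \
                    and is_ip_literal(parts.hostname):
                findings.append((tokens[0], tok, parts.hostname))
    return findings


if __name__ == "__main__":
    for directive, url, host in find_sni_less_targets(SAMPLE_CONFIG):
        print(f"{directive} {url}: {host} is an IP literal, so httpd sends no SNI")
```

Each flagged target should be changed to a DNS name, or to localhost with "ServerAlias localhost" on the backend vhost, as Yann suggests.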