Virtual Host Protocol Behaviour


Hi all,

I want to only allow TLS1.2 connections to my virtual hosts. Apigee allows this, and so I have included the following configuration when creating my virtual hosts:

<Protocols><Protocol>TLSv1.2</Protocol></Protocols>

So in theory, connections using any other protocol, like TLSv1.1 or 1.0, should be rejected. However in practice, 1.1 and 1.0 are being accepted. I don't understand why.

If anyone has any ideas why, please let me know.

Regards,

Stewart

1 ACCEPTED SOLUTION

@Stewart Toon

I just updated the doc on this issue. The way you set the protocol of the vhost is dependent on your version of Edge. 4.15.07, 4.16.01/05/09, and 4.17.01 use different procedures as shown here:

http://docs.apigee.com/api-services/content/creating-virtual-host#virtualhostconfiguration

Stephen



Have you included an <Enabled>true</Enabled> element ?

Can you show the full SSLInfo element please?

Hi Dino,

Thanks for the response. Yes, I have included the 'Enabled' element when creating my virtual host.

The virtual host configuration is included below. I think that should give you the detail needed. I have amended potentially sensitive values.

Regards,

Stewart

<VirtualHost name="sit-ext-vhost">
  <HostAliases>
    <HostAlias>services.com</HostAlias>
  </HostAliases>
  <Interfaces/>
  <Port>9444</Port>
  <SSLInfo>
    <Enabled>true</Enabled>
    <ClientAuthEnabled>false</ClientAuthEnabled>
    <KeyStore>sit-ext-Keystore.jks</KeyStore>
    <KeyAlias>sit-ext-Keystore</KeyAlias>
    <Ciphers>
      <Cipher>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Cipher>
      <Cipher>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Cipher>
    </Ciphers>
    <Protocols>
      <Protocol>TLSv1.2</Protocol>
    </Protocols>
  </SSLInfo>
</VirtualHost>
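One way to confirm what a listener actually negotiates after a change like this, as an added example that is not from the thread or from Apigee: a Go program that starts a local TLS listener whose MinVersion stands in for the vhost <Protocols> element, then probes it with clients pinned to TLS 1.0, 1.1 and 1.2. The loopback address, port and in-memory certificate are constructed for the demo; against a real vhost you would point ProbeVersions at its host:port.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"math/big"
)

// StartServer runs an in-process TLS listener on 127.0.0.1 whose MinVersion plays the role
// of the vhost <Protocols> element; the self-signed certificate is generated in memory.
func StartServer(minVersion uint16) (string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)} // probe skips verification, so minimal
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{MinVersion: minVersion,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	if err != nil {
		return "", err
	}
	go func() { // serve until the listener is closed
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake() // complete or reject the handshake, then drop it
			c.Close()
		}
	}()
	return ln.Addr().String(), nil
}

// ProbeVersions pins a client to exactly one protocol version per attempt and records
// whether the server completed the handshake; only version negotiation is measured.
func ProbeVersions(addr string) map[string]bool {
	versions := map[string]uint16{"TLSv1.0": tls.VersionTLS10, "TLSv1.1": tls.VersionTLS11, "TLSv1.2": tls.VersionTLS12}
	accepted := map[string]bool{}
	for name, v := range versions {
		conn, err := tls.Dial("tcp", addr, &tls.Config{MinVersion: v, MaxVersion: v, InsecureSkipVerify: true})
		accepted[name] = err == nil
		if err == nil {
			conn.Close()
		}
	}
	return accepted
}
```

A listener that honours a TLSv1.2-only setting reports false for TLSv1.0 and TLSv1.1; the same probe against the lax listener (MinVersion TLSv1.0) reports all three as accepted, which is the symptom described in this thread.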

Yep, ok... That looks good. It has SSL enabled, and it looks like the Ciphers and Protocols are set to your preferred settings.

and now, can you run this command?

curl -u XXX:XXX http://x.x.x.x:8080/v1/o/org/env/sit/keystores

This will list the keystores in your environment. The keystore that you used in the VirtualHost definition has a name like "sit-ext-Keystore.jks". That looks like a filename. Normally we wouldn't use the .jks extension in the keystore name. But it's possible that you have done so. (Maybe totally benign.)

I just wanna check through all the pieces.

After you verify the keystore by that name, let's verify its contents.

curl -u XXX:XXX http://x.x.x.x:8080/v1/o/org/env/sit/keystores/sit-ext-Keystore.jks

Can you send me the outputs from those commands?

Hi Dino,

Thanks for the feedback. Here is the output, for the two API calls:

[ "sit-ext-Keystore.jks", "sitKeystore.jks" ]

{ "certs" : [ "sit-ext-Keystore-cert" ], "keys" : [ "sit-ext-Keystore" ], "name" : "sit-ext-Keystore.jks" }

Interestingly, I am in touch with Apigee. They have suggested I use a router.properties file to do the config instead - this applies the TLS protocol restriction to the whole server, rather than just the virtual host.

I'll let you know if I get a solution!

Thanks,

Stewart

That output looks reasonable. If you are speaking directly with Apigee Support I will let them sort it out with you!


Stephen, thanks - that link looks extremely relevant. I'll try things out and update the thread with the results.