Eelco was having problems logging in from within his corporate firewall. The ssl_request_log file said:

[28/Nov/2012:08:43:50 -0800] 136.152.38.0 TLSv1 AES128-SHA "GET /login/ HTTP/1.1" 8050
[28/Nov/2012:08:43:50 -0800] 136.152.38.0 TLSv1 AES128-SHA "GET /styles/UCB.css HTTP/1.1" 10036
[28/Nov/2012:08:43:50 -0800] 136.152.38.0 TLSv1 AES128-SHA "GET /styles/UCB-print.css HTTP/1.1" 512
[28/Nov/2012:08:43:50 -0800] 136.152.38.0 TLSv1 AES128-SHA "GET /styles/UCB-flex.css HTTP/1.1" 308
[28/Nov/2012:08:43:50 -0800] 136.152.38.0 TLSv1 AES128-SHA "GET /img/iCyPhyLogo5_white.gif HTTP/1.1" 1588
[28/Nov/2012:08:43:50 -0800] 136.152.38.0 TLSv1 AES128-SHA "GET /img/column-bg.gif HTTP/1.1" 98

Unfortunately, that IP address belongs to AirBears, not to the corporate firewall.
httpd-ssl.conf contains:

#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

The directive is commented out, so the server is running with Apache's built-in default cipher list. https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html talks about setting SSLCipherSuite explicitly.
https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html suggests:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
The next step was to look at traffic from around that time. I got the IP addresses from that time:
[root@moog logs]# grep '28/Nov/2012:08:4' /usr/local/apache/logs/2012/11/28/access_log_icyphy \
    | awk '{print $1}' | sort | uniq -c | sort -nr | awk '{print $2}'
130.164.75.172
136.152.38.0
192.249.47.204
213.239.217.16
188.40.103.239
[root@moog logs]#

I put them in a file on carson and ran:

carson.EECS.Berkeley.EDU:root: %> cat /tmp/h3 | xargs -n 1 host
172.75.164.130.in-addr.arpa domain name pointer client-75-172.natinst.com.
0.38.152.136.in-addr.arpa domain name pointer airbears-136-152-38-0.AirBears.Berkeley.EDU.
204.47.249.192.in-addr.arpa domain name pointer mdc-aero-wsg-3.utc.com.
16.217.239.213.in-addr.arpa domain name pointer static.213-239-217-16.clients.your-server.de.
239.103.40.188.in-addr.arpa domain name pointer static.239.103.40.188.clients.your-server.de.

So, the IP address from utc is 192.249.47.204:
[root@moog logs]# grep 192.249.47.204 /usr/local/apache/logs/2012/11/28/access_log_icyphy
192.249.47.204 - - [28/Nov/2012:08:44:32 -0800] "GET /login HTTP/1.1" 302 293
192.249.47.204 - - [28/Nov/2012:08:44:33 -0800] "GET /login/ HTTP/1.1" 302 -

302 is a redirect, see https://en.wikipedia.org/wiki/HTTP_302. From the rewrite logs, I can see that that address accessed login.php, but then there is nothing after that.
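The correlation done by hand above (narrow both logs to the same time window, then see which clients got the 302 from the login page but never show up in ssl_request_log) as an added example; this is not code from the original note. The sample log lines are constructed in the two formats quoted above, the function names are mine, and reading "redirected but no TLS request" as a failed handshake is one hypothesis the evidence is consistent with, not something the note concludes.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two formats quoted above (not the real logs).
ACCESS_LOG = """\
192.249.47.204 - - [28/Nov/2012:08:44:32 -0800] "GET /login HTTP/1.1" 302 293
192.249.47.204 - - [28/Nov/2012:08:44:33 -0800] "GET /login/ HTTP/1.1" 302 -
136.152.38.0 - - [28/Nov/2012:08:43:49 -0800] "GET /login HTTP/1.1" 302 293
213.239.217.16 - - [28/Nov/2012:09:10:01 -0800] "GET /login HTTP/1.1" 302 293
"""
SSL_REQUEST_LOG = """\
[28/Nov/2012:08:43:50 -0800] 136.152.38.0 TLSv1 AES128-SHA "GET /login/ HTTP/1.1" 8050
[28/Nov/2012:08:43:50 -0800] 136.152.38.0 TLSv1 AES128-SHA "GET /styles/UCB.css HTTP/1.1" 10036
"""

# access_log (common log format): client ident user [time] "request" status bytes
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+')
# ssl_request_log: [time] client protocol cipher "request" bytes
SSL_RE = re.compile(r'^\[([^\]]+)\] (\S+) (\S+) (\S+) "[^"]*" \S+')

def correlate(access_text, ssl_text, time_prefix):
    """Per-client counts of plain-HTTP 302s and completed TLS requests.
    time_prefix narrows the window the way grep '28/Nov/2012:08:4' does above."""
    summary = defaultdict(lambda: {"redirects": 0, "tls_requests": 0,
                                   "protocols": set(), "ciphers": set()})
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group(2).startswith(time_prefix) and m.group(3) == "302":
            summary[m.group(1)]["redirects"] += 1
    for line in ssl_text.splitlines():
        m = SSL_RE.match(line)
        if m and m.group(1).startswith(time_prefix):
            entry = summary[m.group(2)]
            entry["tls_requests"] += 1
            entry["protocols"].add(m.group(3))
            entry["ciphers"].add(m.group(4))
    return dict(summary)

def stranded_clients(summary):
    """Clients redirected at the login page that never completed a TLS request,
    the trace a handshake that fails (e.g. no shared cipher) leaves in these logs."""
    return sorted(ip for ip, s in summary.items()
                  if s["redirects"] and not s["tls_requests"])

if __name__ == "__main__":
    report = correlate(ACCESS_LOG, SSL_REQUEST_LOG, "28/Nov/2012:08:4")
    print("redirected but no TLS request:", stranded_clients(report))
```

Clients that do complete the handshake also get their negotiated protocol and cipher recorded, so the same report shows what the working clients (AirBears here) agreed on with the server.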