Eelco was having problems logging in from within his corporate firewall. The ssl_request_log file said:
[28/Nov/2012:08:43:50 -0800] 136.152.38.0 TLSv1 AES128-SHA "GET /login/ HTTP/1.1" 8050
[28/Nov/2012:08:43:50 -0800] 136.152.38.0 TLSv1 AES128-SHA "GET /styles/UCB.css HTTP/1.1" 10036
[28/Nov/2012:08:43:50 -0800] 136.152.38.0 TLSv1 AES128-SHA "GET /styles/UCB-print.css HTTP/1.1" 512
[28/Nov/2012:08:43:50 -0800] 136.152.38.0 TLSv1 AES128-SHA "GET /styles/UCB-flex.css HTTP/1.1" 308
[28/Nov/2012:08:43:50 -0800] 136.152.38.0 TLSv1 AES128-SHA "GET /img/iCyPhyLogo5_white.gif HTTP/1.1" 1588
[28/Nov/2012:08:43:50 -0800] 136.152.38.0 TLSv1 AES128-SHA "GET /img/column-bg.gif HTTP/1.1" 98
Unfortunately, that IP address is airbears. httpd-ssl.conf contains:
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 
https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html talks about setting SSLCipherSuite.

https://www.sslshopper.com/article-how-to-disable-weak-ciphers-and-ssl-2.0-in-apache.html suggests:

SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT

The next step was to look at traffic from around that time. I got the IP addresses from that time:

[root@moog logs]# grep '28/Nov/2012:08:4' /usr/local/apache/logs/2012/11/28/access_log_icyphy \
| awk '{print $1}' | sort | uniq -c | sort -nr | awk '{print $2}'
130.164.75.172
136.152.38.0
192.249.47.204
213.239.217.16
188.40.103.239
[root@moog logs]# 
I put them in a file on carson and ran:
carson.EECS.Berkeley.EDU:root: %C2> cat /tmp/h3 | xargs -n 1 host
172.75.164.130.in-addr.arpa domain name pointer client-75-172.natinst.com.
0.38.152.136.in-addr.arpa domain name pointer airbears-136-152-38-0.AirBears.Berkeley.EDU.
204.47.249.192.in-addr.arpa domain name pointer mdc-aero-wsg-3.utc.com.
16.217.239.213.in-addr.arpa domain name pointer static.213-239-217-16.clients.your-server.de.
239.103.40.188.in-addr.arpa domain name pointer static.239.103.40.188.clients.your-server.de.
So, the IP address from utc is 192.249.47.204:
[root@moog logs]# grep 192.249.47.204 /usr/local/apache/logs/2012/11/28/access_log_icyphy
192.249.47.204 - - [28/Nov/2012:08:44:32 -0800] "GET /login HTTP/1.1" 302 293
192.249.47.204 - - [28/Nov/2012:08:44:33 -0800] "GET /login/ HTTP/1.1" 302 -
302 is a redirect, see https://en.wikipedia.org/wiki/HTTP_302. From the rewrite logs, I can see that that address accessed login.php, but then there is nothing after that.
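
The manual comparison above (a client that gets a 302 in the access log but has no entry in ssl_request_log) can be scripted. This is an added example, not part of the original notes; the function name, the sample addresses (documentation ranges) and the sample log lines are constructed, and it assumes the two log formats shown above.

```shell
#!/bin/sh
# Added example (not from the original notes): list clients that received a
# 302 in the access log but have no entry in ssl_request_log for the same
# time prefix.

# Usage: redirected_without_tls ACCESS_LOG SSL_REQUEST_LOG TIME_PREFIX
redirected_without_tls() {
    access_log=$1; ssl_log=$2; prefix=$3    # prefix like 28/Nov/2012:08:4
    awk -v p="[$prefix" '
        # ssl_request_log: [time zone] ip protocol cipher "request" bytes
        src == "ssl" { if (index($1, p) == 1) tls[$3] = 1; next }
        # access log: ip - - [time zone] "request" status bytes
        src == "acc" && index($4, p) == 1 {
            split($0, q, "\"")      # q[3] holds " status bytes"
            split(q[3], s, " ")
            if (s[1] == 302) redirected[$1] = 1
        }
        END { for (ip in redirected) if (!(ip in tls)) print ip }
    ' src=ssl "$ssl_log" src=acc "$access_log" | sort
}

# Constructed sample logs in the two formats shown above; 192.0.2.10 and
# 198.51.100.20 are documentation addresses, not hosts from the real logs.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/access_log" <<'EOF'
192.0.2.10 - - [28/Nov/2012:08:43:49 -0800] "GET /login HTTP/1.1" 302 293
198.51.100.20 - - [28/Nov/2012:08:44:32 -0800] "GET /login HTTP/1.1" 302 293
198.51.100.20 - - [28/Nov/2012:08:44:33 -0800] "GET /login/ HTTP/1.1" 302 -
EOF
    cat > "$dir/ssl_request_log" <<'EOF'
[28/Nov/2012:08:43:50 -0800] 192.0.2.10 TLSv1 AES128-SHA "GET /login/ HTTP/1.1" 8050
EOF
    redirected_without_tls "$dir/access_log" "$dir/ssl_request_log" '28/Nov/2012:08:4'
    rm -rf "$dir"
}

demo
```

On the sample data this prints 198.51.100.20, the client that was redirected twice and never logged an SSL request. An address listed this way is a candidate for a protocol or cipher mismatch with the SSLProtocol and SSLCipherSuite settings.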