Posted to bugs@httpd.apache.org by bu...@apache.org on 2014/04/06 13:44:06 UTC

[Bug 56353] New: SNI not working correctly when certificate is defined in global scope

https://issues.apache.org/bugzilla/show_bug.cgi?id=56353

            Bug ID: 56353
           Summary: SNI not working correctly when certificate is defined
                    in global scope
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: hanno@hboeck.de

I found a regression in the way certificates get loaded in apache 2.4.9. The
same issue does not appear in 2.4.7 and is therefore a regression.

When one defines a certificate in the global scope (outside any VirtualHost),
all hosts deliver that certificate.

Example config:

SSLCertificateFile /etc/apache2/certs/test1.crt
SSLCertificateKeyFile /etc/apache2/certs/test1.key
<VirtualHost *:443>
        ServerName test1.local
        DocumentRoot /var/www/test1/
        SSLEngine On
</VirtualHost>
<VirtualHost *:443>
        ServerName test2.local
        DocumentRoot /var/www/test2/
        SSLEngine On
        SSLCertificateFile /etc/apache2/certs/test2.crt
        SSLCertificateKeyFile /etc/apache2/certs/test2.key
</VirtualHost>

What should happen: The first vhost (test1.local) should deliver test1.crt and
the second host (test2.local) should deliver test2.crt.
However, what happens is that both hosts deliver test1.crt.

It gets even weirder when one adds certificate chains. They still get delivered
by vhosts. So if I e.g. add a certificate chain to test2.local in this example,
I'll get test1.crt with the chain defined in test2.local.

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
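The report above boils down to "which certificate does the server actually hand out for each SNI name?". The following checker is an added example written for this thread, not code from httpd or the reporter. It opens one TLS connection per vhost name, records the SHA-256 fingerprint of the leaf certificate the server presented, and compares it with the fingerprint the operator expects for that name. The host/port, the vhost names and the fingerprints in the `__main__` block are constructed placeholders; real values come from the `.crt` files (`openssl x509 -in test1.crt -noout -fingerprint -sha256`).

```python
"""Verify that each SNI name is answered with the expected certificate.
Added example for the bug report above; not part of httpd or the report."""
import hashlib
import socket
import ssl


def sha256_fingerprint(der_cert: bytes) -> str:
    """Lower-case hex SHA-256 over the DER encoding, the same digest that
    `openssl x509 -noout -fingerprint -sha256` prints (without colons)."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_leaf_der(host: str, port: int, sni: str, timeout: float = 5.0) -> bytes:
    """Connect to host:port, send `sni` in the ClientHello and return the
    DER-encoded leaf certificate the server presented.  Verification is
    switched off on purpose: the point is to observe which certificate is
    served for this name, even when it is the wrong one."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def check_sni_mapping(expected: dict, fetch) -> list:
    """expected maps SNI name -> SHA-256 fingerprint of the certificate that
    vhost should serve; fetch(name) returns the DER leaf actually served.
    Returns one (name, expected_fp, served_fp) tuple per mismatch; an empty
    list means every vhost answers with its own certificate."""
    mismatches = []
    for name, want in expected.items():
        want = want.lower().replace(":", "")
        got = sha256_fingerprint(fetch(name))
        if got != want:
            mismatches.append((name, want, got))
    return mismatches


if __name__ == "__main__":
    # Constructed placeholders: replace with the real fingerprints of
    # test1.crt and test2.crt and the address the vhosts listen on.
    EXPECTED = {
        "test1.local": "<sha256 fingerprint of test1.crt>",
        "test2.local": "<sha256 fingerprint of test2.crt>",
    }
    SERVER = ("127.0.0.1", 443)
    bad = check_sni_mapping(
        EXPECTED, lambda name: fetch_leaf_der(SERVER[0], SERVER[1], name)
    )
    for name, want, got in bad:
        print(f"{name}: expected {want[:16]}..., server sent {got[:16]}...")
    print("all vhosts serve their own certificate" if not bad else f"{len(bad)} mismatch(es)")
```

Run it from the same machine as the 2.4.9 test config: with the regression present, `test2.local` is reported as a mismatch because the server sends `test1.crt` for it; after the fix the list is empty. Keeping the comparison in `check_sni_mapping` separate from the network fetch lets the same logic run against captured certificates in a test.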


[Bug 56353] SNI not working correctly when certificate is defined in global scope


--- Comment #4 from hanno@hboeck.de ---
> Can you perhaps give more details on the rationale for such a setup?

I thought it's pretty obvious, but I can give you some details:

We have a server running with a default wildcard-certificate for
*.schokokeks.org. So basically first we have a number of vhosts that share this
certificate (config.schokokeks.org, webmail.schokokeks.org etc) and don't need
any SNI at all.

Then we have a large number of customer vhosts on other domains. Some of those
have their own certificate, so it gets added to the vhost via SNI. But
obviously, not everyone gets his own certificate, so there are also a number of
domains that don't have a valid certificate at all. However, we still make
these hosts available through https, so the customers can add exceptions to
their browser if they want to privately access the page via https.

I could obviously add the default certificate to every vhost that doesn't have
its own. But this would blow up the configuration a lot for no gain and adds
unnecessary complexity.



[Bug 56353] SNI not working correctly when certificate is defined in global scope


Kaspar Brand <as...@velox.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
           Hardware|PC                          |All
            Version|2.5-HEAD                    |2.4-HEAD
                 OS|Linux                       |All



[Bug 56353] SNI not working correctly when certificate is defined in global scope


--- Comment #1 from Kaspar Brand <as...@velox.ch> ---
Created attachment 31485
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31485&action=edit
Reverse apr_array_append order with cfgMergeArray

(In reply to hanno from comment #0)
> When one defines a certificate in the global scope (outside any
> VirtualHost), all hosts deliver that certificate.

True, I can confirm (I realized this when looking into bug 56306).

Can you try the attached patch with 2.4.9 and let us know if it addresses your
issue?

> It gets even weirder when one adds certificate chains. They still get
> delivered by vhosts. So if I e.g. add a certificate chain to test2.local in
> this example, I'll get test1.crt with the chain defined in test2.local.

What version of OpenSSL are you using, and how exactly do you "add a
certificate chain" - with SSLCertificateChainFile, or by including it in the
file pointed to by SSLCertificateFile?

(Note that for an SNI setup, it doesn't make much sense to have global-level
SSLCertificate[Key]File settings - the default cert should simply go into the
first VirtualHost block.)

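The attachment title ("Reverse apr_array_append order with cfgMergeArray") points at the mechanism: when a vhost config is merged with the global one, array-valued directives such as SSLCertificateFile are concatenated, and the order of that concatenation decides which entry the vhost ends up serving first. The model below is an added illustration for this thread, not mod_ssl's code; it assumes, as a simplification, that the first certificate in the merged list is the one served and that the chain directive merges as a plain override. With the global list appended first it reproduces exactly what the report describes, including test2.local serving test1.crt together with test2's chain.

```python
"""Toy model of the global/vhost certificate merge behind bug 56353.
Added illustration for this thread; simplified assumption, not mod_ssl code."""

# Constructed configuration mirroring the report's example.
GLOBAL = {"certs": ["test1.crt"], "chain": None}
VHOSTS = {
    "test1.local": {"certs": [], "chain": None},
    "test2.local": {"certs": ["test2.crt"], "chain": "test2-chain.pem"},
}


def merge_array(base, add, vhost_first):
    """Concatenate the global (base) and vhost (add) certificate lists.
    Assumption of this model: the server picks the first entry, so whichever
    list is appended first wins."""
    return list(add) + list(base) if vhost_first else list(base) + list(add)


def merge_scalar(base, add):
    """Single-valued directives: the vhost value wins when set, else inherit."""
    return add if add is not None else base


def effective_config(global_cfg, vhost_cfg, vhost_first):
    """The per-vhost configuration after merging in the global defaults."""
    return {
        "certs": merge_array(global_cfg["certs"], vhost_cfg["certs"], vhost_first),
        "chain": merge_scalar(global_cfg["chain"], vhost_cfg["chain"]),
    }


def served(global_cfg, vhosts, vhost_first):
    """Map each vhost name to (leaf certificate served, chain file served)."""
    result = {}
    for name, cfg in vhosts.items():
        eff = effective_config(global_cfg, cfg, vhost_first)
        result[name] = (eff["certs"][0], eff["chain"])
    return result


if __name__ == "__main__":
    for label, vhost_first in (("global appended first (2.4.9)", False),
                               ("vhost appended first (patched)", True)):
        print(label)
        for name, (leaf, chain) in served(GLOBAL, VHOSTS, vhost_first).items():
            print(f"  {name}: leaf={leaf} chain={chain}")
```

The takeaway for anyone reviewing a similar merge: a vhost-level directive must take precedence over the global default for every array element, not only for scalars, otherwise a "fallback" certificate silently becomes the certificate for every name.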


[Bug 56353] SNI not working correctly when certificate is defined in global scope


--- Comment #5 from Kaspar Brand <as...@velox.ch> ---
Hanno, I have attached a more thorough fix for merging global and per-vhost
settings to bug 56306 (attachment 31531). Would appreciate if you could give it
a try and let me know if it's working for your setup as well.



[Bug 56353] SNI not working correctly when certificate is defined in global scope


Christophe JAILLET <ch...@wanadoo.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #7 from Christophe JAILLET <ch...@wanadoo.fr> ---
Fixed and released in 2.4.10



[Bug 56353] SNI not working correctly when certificate is defined in global scope


Kaspar Brand <as...@velox.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |FixedInTrunk
             Status|NEEDINFO                    |NEW
            Version|2.4-HEAD                    |2.4.9

--- Comment #3 from Kaspar Brand <as...@velox.ch> ---
(In reply to hanno from comment #2)
> Yeah, patch fixes it, everything seems back to normal. Will re-test with my
> real server setup, but local tests seem fine.

Thanks for testing/confirming. I have committed this to trunk with r1585918 and
proposed for backport to 2.4.x in r1585922.

> > (Note that for an SNI setup, it doesn't make much sense to have global-level
> > SSLCertificate[Key]File settings - the default cert should simply go into
> > the first VirtualHost block.)
> 
> No, that doesn't work. If I set no global cert and have vhosts without their
> own cert apache simply won't start. (log says "SSL Library Error:
> error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate
> assigned")

It's not yet clear to me what the use for this is - SNI is mostly about
configuring an individual cert for each VirtualHost (not multiple vhosts
sharing the same cert), so I wonder why you need globally configured "fallback"
SSLCertificate[Key]File directives. Can you perhaps give more details on the
rationale for such a setup?



[Bug 56353] SNI not working correctly when certificate is defined in global scope


--- Comment #2 from hanno@hboeck.de ---
(In reply to Kaspar Brand from comment #1)
> Created attachment 31485 [details]
> Reverse apr_array_append order with cfgMergeArray
[...]
> Can you try the attached patch with 2.4.9 and let us know if it addresses
> your issue?

Yeah, patch fixes it, everything seems back to normal. Will re-test with my
real server setup, but local tests seem fine.

> > It gets even weirder when one adds certificate chains. They still get
> > delivered by vhosts. So if I e.g. add a certificate chain to test2.local in
> > this example, I'll get test1.crt with the chain defined in test2.local.
> 
> What version of OpenSSL are you using, and how exactly do you "add a
> certificate chain" - with SSLCertificateChainFile, or by including it in the
> file pointed to by SSLCertificateFile?

With SSLCertificateChainFile and openssl 1.0.1f.
(I'm aware that 2.4.9 warns it is considered deprecated. I'm not happy with
that, but this is outside the scope of this bug report, I may comment on that
on the dev ml)

> (Note that for an SNI setup, it doesn't make much sense to have global-level
> SSLCertificate[Key]File settings - the default cert should simply go into
> the first VirtualHost block.)

No, that doesn't work. If I set no global cert and have vhosts without their
own cert apache simply won't start. (log says "SSL Library Error:
error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned")



[Bug 56353] SNI not working correctly when certificate is defined in global scope


--- Comment #6 from Kaspar Brand <as...@velox.ch> ---
(In reply to Kaspar Brand from comment #3)
> and proposed for backport to 2.4.x in r1585922.

Committed to 2.4.x with r1588245. To appear in 2.4.10.
